feat: revoke refresh token on logout (#3716)

ImmutableJeffrey · ImmutableJeffrey · commit 089d89ec083a · 2025-06-05T15:26:08.000+10:00
diff --git a/packages/passport/sdk/src/authManager.ts b/packages/passport/sdk/src/authManager.ts
@@ -71,11 +71,13 @@ const getAuthConfiguration = (config: PassportConfiguration): UserManagerSetting
       token_endpoint: `${authenticationDomain}/oauth/token`,
       userinfo_endpoint: `${authenticationDomain}/userinfo`,
       end_session_endpoint: endSessionEndpoint.toString(),
+      revocation_endpoint: `${authenticationDomain}/oauth/revoke`,
     },
     mergeClaims: true,
     automaticSilentRenew: false, // Disabled until https://github.com/authts/oidc-client-ts/issues/430 has been resolved
     scope: oidcConfiguration.scope,
     userStore,
+    revokeTokenTypes: ['refresh_token'],
     extraQueryParams: {
       ...config.extraQueryParams,
       ...(oidcConfiguration.audience ? { audience: oidcConfiguration.audience } : {}),
@@ -436,15 +438,22 @@ export default class AuthManager {
   }
 
   public async logout(): Promise<void> {
-    return withPassportError<void>(
-      async () => {
-        if (this.logoutMode === 'silent') {
-          return this.userManager.signoutSilent();
-        }
-        return this.userManager.signoutRedirect();
-      },
-      PassportErrorType.LOGOUT_ERROR,
-    );
+    return withPassportError<void>(async () => {
+      const user = await this.userManager.getUser();
+      if (!user) {
+        return;
+      }
+
+      if (user.refresh_token) {
+        await this.userManager.revokeTokens(['refresh_token']);
+      }
+
+      if (this.logoutMode === 'silent') {
+        await this.userManager.signoutSilent();
+      } else {
+        await this.userManager.signoutRedirect();
+      }
+    }, PassportErrorType.LOGOUT_ERROR);
   }
 
   public async logoutSilentCallback(url: string): Promise<void> {
diff --git a/packages/passport/sdk/src/types.ts b/packages/passport/sdk/src/types.ts
@@ -56,6 +56,7 @@ export type PassportMetadata = {
 
 export interface OidcConfiguration {
   clientId: string;
+  clientSecret?: string;
   logoutRedirectUri?: string;
   logoutMode?: 'redirect' | 'silent';
   redirectUri: string;
