From 17860edd60185ae71c2cde0cd7590e76a8fa16e4 Mon Sep 17 00:00:00 2001
From: jhmullen
Date: Wed, 5 Oct 2022 12:13:16 -0400
Subject: [PATCH] adds openid logout to canon-core

---
 packages/core/README.md | 4 ++++
 packages/core/src/auth/auth.js | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/packages/core/README.md b/packages/core/README.md
index 777622d53..f570c6f10 100644
--- a/packages/core/README.md
+++ b/packages/core/README.md
@@ -766,6 +766,10 @@ export CANON_OPENID_ID="###############"
 export CANON_OPENID_SECRET="##############################"
 export CANON_OPENID_ROLES="profile,email"
 ```
+3. (Optional) To fully log out of OpenId on Canon Logout, set this variable:
+```sh
+export CANON_OPENID_LOGOUT="https://login.microsoftonline.com/###/oauth2/v2.0/logout"
+```
 
 ---
 
diff --git a/packages/core/src/auth/auth.js b/packages/core/src/auth/auth.js
index f43f7b7cc..86f551c64 100644
--- a/packages/core/src/auth/auth.js
+++ b/packages/core/src/auth/auth.js
@@ -51,8 +51,12 @@ module.exports = function (app) {
 
 app.get("/auth/logout", (req, res) => {
 req.logout();
- //TBD: Force logout for openID? I don't think so. https://github.com/passport/todos-express-auth0/blob/main/routes/auth.js#L43-L50
- return res.redirect("/");
+ if (req.query.openid === "true" && process.env.CANON_OPENID_LOGOUT) {
+ res.redirect(process.env.CANON_OPENID_LOGOUT)
+ }
+ else {
+ return res.redirect("/");
+ }
 });
 
 app.get("/auth/users", isRole(2), (req, res) => {
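Review bot: In the `/auth/logout` handler the identity-provider sign-out only happens when the caller adds `?openid=true`, so a plain `/auth/logout` clears just the local Canon session and leaves the OpenID session alive; the next login may then sign the same user back in without a prompt, which matters on shared machines. If the session records which strategy authenticated the user (not visible in this hunk), reading that before `req.logout()` and deciding server-side would be more reliable than a client-supplied flag. At minimum I would add a comment above the `if`, e.g. `// Without ?openid=true only the local session ends; the OpenID provider session stays signed in.` The new branch also drops the `return` and semicolon that the else branch has; `return res.redirect(process.env.CANON_OPENID_LOGOUT);` keeps both paths consistent. The enclosing `module.exports` function starts and ends outside the hunk.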