🚪 fix: Complete OIDC RP-Initiated Logout With id_token_hint and Redirect Race Fix (#12024)

* fix: complete OIDC logout implementation

The OIDC logout feature added in #5626 was incomplete:

1. Backend: Missing id_token_hint/client_id parameters required by the
   RP-Initiated Logout spec. Keycloak 18+ rejects logout without these.

2. Frontend: The logout redirect URL was passed through isSafeRedirect()
   which rejects all absolute URLs. The redirect was silently dropped.

Backend: Add id_token_hint (preferred) or client_id (fallback) to the
logout URL for OIDC spec compliance.

Frontend: Use window.location.replace() for logout redirects from the
backend, bypassing isSafeRedirect() which was designed for user-input
validation.

Fixes #5506

* fix: accept undefined in setTokenHeader to properly clear Authorization header

When token is undefined, delete the Authorization header instead of
setting it to "Bearer undefined". Removes the @ts-ignore workaround
in AuthContext.

* fix: skip axios 401 refresh when Authorization header is cleared

When the Authorization header has been removed (e.g. during logout),
the response interceptor now skips the token refresh flow. This
prevents a successful refresh from canceling an in-progress OIDC
external redirect via window.location.replace().

* fix: guard against undefined OPENID_CLIENT_ID in logout URL

Prevent literal "client_id=undefined" in the OIDC end-session URL
when OPENID_CLIENT_ID is not set. Log a warning when neither
id_token_hint nor client_id is available.

* fix: prevent race condition canceling OIDC logout redirect

The logout mutation wrapper's cleanup (clearStates, removeQueries)
triggers re-renders and 401s on in-flight requests. The axios
interceptor would refresh the token successfully, firing
dispatchTokenUpdatedEvent which cancels the window.location.replace()
navigation to the IdP's end_session_endpoint.

Fix:
- Clear Authorization header synchronously before redirect so the
  axios interceptor skips refresh for post-logout 401s
- Add isExternalRedirectRef to suppress silentRefresh and useEffect
  side effects during the redirect
- Add JSDoc explaining why isSafeRedirect is bypassed

* test: add LogoutController and AuthContext logout test coverage

LogoutController.spec.js (13 tests):
- id_token_hint from session and cookie fallback
- client_id fallback, including undefined OPENID_CLIENT_ID guard
- Disabled endpoint, missing issuer, non-OpenID user
- post_logout_redirect_uri (custom and default)
- Missing OpenID config and end_session_endpoint
- Error handling and cookie clearing

AuthContext.spec.tsx (3 tests):
- OIDC redirect calls window.location.replace + setTokenHeader
- Non-redirect logout path
- Logout error handling

* test: add coverage for setTokenHeader, axios interceptor guard, and silentRefresh suppression

headers-helpers.spec.ts (3 tests):
- Sets Authorization header with Bearer token
- Deletes Authorization header when called with undefined
- No-op when clearing an already absent header

request-interceptor.spec.ts (2 tests):
- Skips refresh when Authorization header is cleared (the race fix)
- Attempts refresh when Authorization header is present

AuthContext.spec.tsx (1 new test):
- Verifies silentRefresh is not triggered after OIDC redirect

* test: enhance request-interceptor tests with adapter restoration and refresh verification

- Store the original axios adapter before tests and restore it after all tests to prevent side effects.
- Add verification for the refresh endpoint call in the interceptor tests to ensure correct behavior during token refresh attempts.

* test: enhance AuthContext tests with live rendering and improved logout error handling

- Introduced a new `renderProviderLive` function to facilitate testing with silentRefresh.
- Updated tests to use the live rendering function, ensuring accurate simulation of authentication behavior.
- Enhanced logout error handling test to verify that auth state is cleared without external redirects.

* test: update LogoutController tests for OpenID config error handling

- Renamed test suite to clarify that it handles cases when OpenID config is not available.
- Modified test to check for error thrown by getOpenIdConfig instead of returning null, ensuring proper logging of the error message.

* refactor: improve OpenID config error handling in LogoutController

- Simplified error handling for OpenID configuration retrieval by using a try-catch block.
- Updated logging to provide clearer messages when the OpenID config is unavailable.
- Ensured that the end session endpoint is only accessed if the OpenID config is successfully retrieved.

---------

Co-authored-by: cloudspinner <stijn.tastenhoye@gmail.com>

client/src/hooks/AuthContext.tsx

@@ -34,11 +34,12 @@ const AuthContextProvider = ({
   authConfig?: TAuthConfig;
   children: ReactNode;
 }) => {
+  const isExternalRedirectRef = useRef(false);
   const [user, setUser] = useRecoilState(store.user);
+  const logoutRedirectRef = useRef<string | undefined>(undefined);
   const [token, setToken] = useState<string | undefined>(undefined);
   const [error, setError] = useState<string | undefined>(undefined);
   const [isAuthenticated, setIsAuthenticated] = useState<boolean>(false);
-  const logoutRedirectRef = useRef<string | undefined>(undefined);
 
   const { data: userRole = null } = useGetRole(SystemRoles.USER, {
     enabled: !!(isAuthenticated && (user?.role ?? '')),
@@ -55,7 +56,6 @@ const AuthContextProvider = ({
         const { token, isAuthenticated, user, redirect } = userContext;
         setUser(user);
         setToken(token);
-        //@ts-ignore - ok for token to be undefined initially
         setTokenHeader(token);
         setIsAuthenticated(isAuthenticated);
 
@@ -106,11 +106,21 @@ const AuthContextProvider = ({
   });
   const logoutUser = useLogoutUserMutation({
     onSuccess: (data) => {
+      if (data.redirect) {
+        /** data.redirect is the IdP's end_session_endpoint URL — an absolute URL generated
+         * server-side from trusted IdP metadata (not user input), so isSafeRedirect is bypassed.
+         * setUserContext is debounced (50ms) and won't fire before page unload, so clear the
+         * axios Authorization header synchronously to prevent in-flight requests. */
+        isExternalRedirectRef.current = true;
+        setTokenHeader(undefined);
+        window.location.replace(data.redirect);
+        return;
+      }
       setUserContext({
         token: undefined,
         isAuthenticated: false,
         user: undefined,
-        redirect: data.redirect ?? '/login',
+        redirect: '/login',
       });
     },
     onError: (error) => {
@@ -146,8 +156,14 @@ const AuthContextProvider = ({
       console.log('Test mode. Skipping silent refresh.');
       return;
     }
+    if (isExternalRedirectRef.current) {
+      return;
+    }
     refreshToken.mutate(undefined, {
       onSuccess: (data: t.TRefreshTokenResponse | undefined) => {
+        if (isExternalRedirectRef.current) {
+          return;
+        }
         const { user, token = '' } = data ?? {};
         if (token) {
           setUserContext({ token, isAuthenticated: true, user });
@@ -160,6 +176,9 @@ const AuthContextProvider = ({
         navigate(buildLoginRedirectUrl());
       },
       onError: (error) => {
+        if (isExternalRedirectRef.current) {
+          return;
+        }
         console.log('refreshToken mutation error:', error);
         if (authConfig?.test === true) {
           return;
@@ -171,6 +190,9 @@ const AuthContextProvider = ({
   }, []);
 
   useEffect(() => {
+    if (isExternalRedirectRef.current) {
+      return;
+    }
     if (userQuery.data) {
       setUser(userQuery.data);
     } else if (userQuery.isError) {

client/src/hooks/__tests__/AuthContext.spec.tsx

@@ -24,6 +24,13 @@ let mockCapturedLoginOptions: {
   onError: (...args: unknown[]) => void;
 };
 
+let mockCapturedLogoutOptions: {
+  onSuccess: (...args: unknown[]) => void;
+  onError: (...args: unknown[]) => void;
+};
+
+const mockRefreshMutate = jest.fn();
+
 jest.mock('~/data-provider', () => ({
   useLoginUserMutation: jest.fn(
     (options: {
@@ -34,8 +41,16 @@ jest.mock('~/data-provider', () => ({
       return { mutate: jest.fn() };
     },
   ),
-  useLogoutUserMutation: jest.fn(() => ({ mutate: jest.fn() })),
-  useRefreshTokenMutation: jest.fn(() => ({ mutate: jest.fn() })),
+  useLogoutUserMutation: jest.fn(
+    (options: {
+      onSuccess: (...args: unknown[]) => void;
+      onError: (...args: unknown[]) => void;
+    }) => {
+      mockCapturedLogoutOptions = options;
+      return { mutate: jest.fn() };
+    },
+  ),
+  useRefreshTokenMutation: jest.fn(() => ({ mutate: mockRefreshMutate })),
   useGetUserQuery: jest.fn(() => ({
     data: undefined,
     isError: false,
@@ -69,6 +84,25 @@ function renderProvider() {
   );
 }
 
+/** Renders without test:true so silentRefresh actually runs */
+function renderProviderLive() {
+  const queryClient = new QueryClient({
+    defaultOptions: { queries: { retry: false }, mutations: { retry: false } },
+  });
+
+  return render(
+    <QueryClientProvider client={queryClient}>
+      <RecoilRoot>
+        <MemoryRouter>
+          <AuthContextProvider authConfig={{ loginRedirect: '/login' }}>
+            <TestConsumer />
+          </AuthContextProvider>
+        </MemoryRouter>
+      </RecoilRoot>
+    </QueryClientProvider>,
+  );
+}
+
 describe('AuthContextProvider — login onError redirect handling', () => {
   const originalLocation = window.location;
 
@@ -172,3 +206,88 @@ describe('AuthContextProvider — login onError redirect handling', () => {
     expect(decodeURIComponent(params.get('redirect_to')!)).toBe(target);
   });
 });
+
+describe('AuthContextProvider — logout onSuccess/onError handling', () => {
+  const originalLocation = window.location;
+  const mockSetTokenHeader = jest.requireMock('librechat-data-provider').setTokenHeader;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    Object.defineProperty(window, 'location', {
+      value: {
+        ...originalLocation,
+        pathname: '/c/some-chat',
+        search: '',
+        hash: '',
+        replace: jest.fn(),
+      },
+      writable: true,
+      configurable: true,
+    });
+  });
+
+  afterEach(() => {
+    Object.defineProperty(window, 'location', {
+      value: originalLocation,
+      writable: true,
+      configurable: true,
+    });
+  });
+
+  it('calls window.location.replace and setTokenHeader(undefined) when redirect is present', () => {
+    renderProvider();
+
+    act(() => {
+      mockCapturedLogoutOptions.onSuccess({
+        message: 'Logout successful',
+        redirect: 'https://idp.example.com/logout?id_token_hint=abc',
+      });
+    });
+
+    expect(window.location.replace).toHaveBeenCalledWith(
+      'https://idp.example.com/logout?id_token_hint=abc',
+    );
+    expect(mockSetTokenHeader).toHaveBeenCalledWith(undefined);
+  });
+
+  it('does not call window.location.replace when redirect is absent', async () => {
+    renderProvider();
+
+    act(() => {
+      mockCapturedLogoutOptions.onSuccess({ message: 'Logout successful' });
+    });
+
+    expect(window.location.replace).not.toHaveBeenCalled();
+  });
+
+  it('does not trigger silentRefresh after OIDC redirect', () => {
+    renderProviderLive();
+    mockRefreshMutate.mockClear();
+
+    act(() => {
+      mockCapturedLogoutOptions.onSuccess({
+        message: 'Logout successful',
+        redirect: 'https://idp.example.com/logout?id_token_hint=abc',
+      });
+    });
+
+    expect(window.location.replace).toHaveBeenCalled();
+    expect(mockRefreshMutate).not.toHaveBeenCalled();
+  });
+
+  it('clears auth state on logout error without external redirect', () => {
+    jest.useFakeTimers();
+    const { getByTestId } = renderProvider();
+
+    act(() => {
+      mockCapturedLogoutOptions.onError(new Error('Logout failed'));
+    });
+    act(() => {
+      jest.advanceTimersByTime(100);
+    });
+
+    expect(window.location.replace).not.toHaveBeenCalled();
+    expect(getByTestId('consumer').getAttribute('data-authenticated')).toBe('false');
+    jest.useRealTimers();
+  });
+});