fix: clear backchannel logout tokens (#649)

kushalshit27 · web-flow · commit 930b6cff2da7 · 2025-05-06T14:10:02.000+05:30
diff --git a/lib/hooks/backchannelLogout/onLogIn.js b/lib/hooks/backchannelLogout/onLogIn.js
@@ -1,13 +1,21 @@
 const { promisify } = require('util');
 const { get: getClient } = require('../../client');
 
-// Remove any Back-Channel Logout tokens for this `sub`
+// Remove any Back-Channel Logout tokens for this `sub` and `sid`
 module.exports = async (req, config) => {
   const {
     issuer: { issuer },
   } = await getClient(config);
   const { session, backchannelLogout } = config;
   const store = (backchannelLogout && backchannelLogout.store) || session.store;
   const destroy = promisify(store.destroy).bind(store);
-  await destroy(`${issuer}|${req.oidc.idTokenClaims.sub}`);
+
+  // Get the sub and sid from the ID token claims
+  const { sub, sid } = req.oidc.idTokenClaims;
+
+  // Remove both sub and sid based entries
+  await Promise.all([
+    destroy(`${issuer}|${sub}`),
+    sid && destroy(`${issuer}|${sid}`),
+  ]);
 };
