From f8fc7961b2bcea0931f8981a0356c8c4380d7619 Mon Sep 17 00:00:00 2001
From: Livio Amstutz <livio.a@gmail.com>
Date: Mon, 6 Jul 2020 10:35:30 +0200
Subject: [PATCH] fix: terminate session possible wihtout id_token_hint

---
 pkg/op/session.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/op/session.go b/pkg/op/session.go
index 96ec1bf..c274bf0 100644
--- a/pkg/op/session.go
+++ b/pkg/op/session.go
@@ -27,7 +27,11 @@ func EndSession(w http.ResponseWriter, r *http.Request, ender SessionEnder) {
 		RequestError(w, r, err)
 		return
 	}
-	err = ender.Storage().TerminateSession(r.Context(), session.UserID, session.Client.GetID())
+	var clientID string
+	if session.Client != nil {
+		clientID = session.Client.GetID()
+	}
+	err = ender.Storage().TerminateSession(r.Context(), session.UserID, clientID)
 	if err != nil {
 		RequestError(w, r, ErrServerError("error terminating session"))
 		return
@@ -50,6 +54,9 @@ func ParseEndSessionRequest(r *http.Request, decoder *schema.Decoder) (*oidc.End
 
 func ValidateEndSessionRequest(ctx context.Context, req *oidc.EndSessionRequest, ender SessionEnder) (*EndSessionRequest, error) {
 	session := new(EndSessionRequest)
+	if req.IdTokenHint == "" {
+		return session, nil
+	}
 	claims, err := ender.IDTokenVerifier().Verify(ctx, "", req.IdTokenHint)
 	if err != nil {
 		return nil, ErrInvalidRequest("id_token_hint invalid")