store: round-trip IDToken on sessions for RP-initiated logout

2026-05-05 13:14:27 +01:00
parent 70aa22e87e
commit 14be63510c
2 changed files with 41 additions and 6 deletions
@@ -43,3 +43,34 @@ func TestDeleteSessionsByUserID(t *testing.T) {
 		t.Error("hash1 should be gone")
 	}
 }
+
+func TestSessionRoundTripsIDToken(t *testing.T) {
+	t.Parallel()
+	s := openTestStore(t)
+	ctx := context.Background()
+	now := time.Now().UTC()
+
+	uid := "u-oidc"
+	if err := s.CreateUser(ctx, User{
+		ID: uid, Username: "ouser", PasswordHash: "",
+		Role: RoleOperator, CreatedAt: now,
+		AuthSource: "oidc",
+	}); err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+
+	if err := s.CreateSession(ctx, Session{
+		ID: "h1", UserID: uid, CreatedAt: now,
+		ExpiresAt: now.Add(time.Hour),
+		IDToken:   "eyJ.fake.jwt",
+	}, "h1"); err != nil {
+		t.Fatalf("create session: %v", err)
+	}
+	got, err := s.LookupSession(ctx, "h1")
+	if err != nil {
+		t.Fatalf("lookup: %v", err)
+	}
+	if got.IDToken != "eyJ.fake.jwt" {
+		t.Errorf("id_token round trip: got %q", got.IDToken)
+	}
+}