@axa-fr/oidc-client 7.27.15 → 7.27.17

package/src/logout.spec.ts

@@ -2,8 +2,9 @@
 
 import { describe, expect, it, vi } from 'vitest';
 
+import { eventNames } from './events';
 import { ILOidcLocation } from './location';
-import { logoutAsync } from './logout';
+import { clearSessionAsync, logoutAsync } from './logout';
 
 describe('Logout test suite', () => {
   const expectedFinalUrl =
@@ -138,4 +139,210 @@ describe('Logout test suite', () => {
       expect(finalUrl).toBe(expectedFinalUrl);
     },
   );
+
+  it('navigates to end_session_endpoint before clearing the local session (issue #1677)', async () => {
+    // This is the regression test for the race described in issue #1677.
+    // `OidcProvider`/`OidcSecure` watches `oidc.tokens`; if `destroyAsync`
+    // runs before `oicLocation.open`, the React tree can briefly observe a
+    // null token state and kick off a new auth flow before the navigation
+    // to the IdP's end-session endpoint commits.
+    const configuration = {
+      client_id: 'interactive.public.short',
+      authority: 'http://api',
+      logout_tokens_to_invalidate: ['access_token', 'refresh_token'],
+    };
+
+    const callOrder: string[] = [];
+
+    const mockFetchFn = vi.fn().mockImplementation(() => {
+      callOrder.push('revoke');
+      return Promise.resolve({ status: 200 });
+    });
+
+    const oidc: any = {
+      configuration,
+      tokens: {
+        idToken: 'abcd',
+        accessToken: 'abcd',
+        refreshToken: 'abdc',
+        idTokenPayload: { sub: 'sub-123' },
+      },
+      isLoggingOut: false,
+      initAsync: () =>
+        Promise.resolve({
+          revocationEndpoint: 'http://api/connect/revocation',
+          endSessionEndpoint: 'http://api/connect/endsession',
+        }),
+      destroyAsync: vi.fn().mockImplementation(() => {
+        callOrder.push('destroyAsync');
+        oidc.tokens = null;
+        return Promise.resolve();
+      }),
+      logoutSameTabAsync: () => Promise.resolve(),
+      publishEvent: (name: string) => callOrder.push(`publishEvent:${name}`),
+    };
+
+    const oidcDatabase = { default: oidc };
+
+    let navigatedUrl = '';
+    class OidcLocationMock implements ILOidcLocation {
+      open(url: string): void {
+        callOrder.push('open');
+        navigatedUrl = url;
+      }
+      getCurrentHref() {
+        return '';
+      }
+      getPath() {
+        return '';
+      }
+      reload() {
+        callOrder.push('reload');
+      }
+      getOrigin() {
+        return 'http://localhost:4200';
+      }
+    }
+
+    await logoutAsync(
+      oidc,
+      oidcDatabase,
+      mockFetchFn,
+      console,
+      new OidcLocationMock(),
+    )('/logged_out', null);
+
+    // Revocation comes first (so tokens are still valid when revoked),
+    // navigation comes second (page starts unloading), and only then we
+    // clear local state and broadcast `logout_from_same_tab`.
+    expect(callOrder[0]).toBe('revoke');
+    expect(callOrder[1]).toBe('revoke');
+    expect(callOrder[2]).toBe('open');
+    expect(callOrder.indexOf('destroyAsync')).toBeGreaterThan(callOrder.indexOf('open'));
+    expect(callOrder.indexOf(`publishEvent:${eventNames.logout_from_same_tab}`)).toBeGreaterThan(
+      callOrder.indexOf('open'),
+    );
+
+    // The id_token_hint must still be present on the navigation URL, even
+    // though local tokens have been cleared by `destroyAsync` afterwards.
+    expect(navigatedUrl).toContain('id_token_hint=abcd');
+    expect(navigatedUrl).toContain(
+      'post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Flogged_out',
+    );
+
+    // The flag stays set after the call returns: the page is expected to be
+    // unloading and any UI re-render that briefly observes `tokens === null`
+    // should skip starting a new login flow.
+    expect(oidc.isLoggingOut).toBe(true);
+  });
+
+  it('resets isLoggingOut and does not navigate when no_reload is requested', async () => {
+    const configuration = {
+      client_id: 'interactive.public.short',
+      authority: 'http://api',
+      logout_tokens_to_invalidate: [],
+    };
+
+    const events: string[] = [];
+    let navigated = false;
+    const oidc: any = {
+      configuration,
+      tokens: {
+        idToken: 'abcd',
+        accessToken: 'abcd',
+        refreshToken: 'abdc',
+        idTokenPayload: { sub: 'sub-123' },
+      },
+      isLoggingOut: false,
+      initAsync: () =>
+        Promise.resolve({
+          revocationEndpoint: 'http://api/connect/revocation',
+          endSessionEndpoint: 'http://api/connect/endsession',
+        }),
+      destroyAsync: () => Promise.resolve(),
+      logoutSameTabAsync: () => Promise.resolve(),
+      publishEvent: (name: string) => events.push(name),
+    };
+    const oidcDatabase = { default: oidc };
+
+    class OidcLocationMock implements ILOidcLocation {
+      open() {
+        navigated = true;
+      }
+      getCurrentHref() {
+        return '';
+      }
+      getPath() {
+        return '';
+      }
+      reload() {
+        navigated = true;
+      }
+      getOrigin() {
+        return 'http://localhost:4200';
+      }
+    }
+
+    await logoutAsync(
+      oidc,
+      oidcDatabase,
+      vi.fn(),
+      console,
+      new OidcLocationMock(),
+    )('/logged_out', { 'no_reload:oidc': 'true' });
+
+    expect(navigated).toBe(false);
+    expect(events).toContain(eventNames.logout_from_same_tab);
+    expect(oidc.isLoggingOut).toBe(false);
+  });
+
+  describe('clearSessionAsync', () => {
+    it('clears the local session and emits logout_from_same_tab without contacting the IdP', async () => {
+      const events: { name: string; data: unknown }[] = [];
+      const oidc: any = {
+        configuration: { client_id: 'interactive.public.short' },
+        tokens: {
+          idToken: 'abcd',
+          accessToken: 'abcd',
+          refreshToken: 'abdc',
+          idTokenPayload: { sub: 'sub-123' },
+        },
+        destroyAsync: vi.fn().mockImplementation(status => {
+          oidc.tokens = null;
+          events.push({ name: 'destroyAsync', data: status });
+          return Promise.resolve();
+        }),
+        logoutSameTabAsync: vi.fn().mockResolvedValue(undefined),
+        publishEvent: (name: string, data: unknown) => events.push({ name, data }),
+      };
+      const oidcDatabase = { default: oidc };
+
+      await clearSessionAsync(oidc, oidcDatabase)();
+
+      expect(oidc.destroyAsync).toHaveBeenCalledWith('LOGGED_OUT');
+      expect(oidc.tokens).toBeNull();
+      expect(events.some(e => e.name === eventNames.logout_from_same_tab)).toBe(true);
+    });
+
+    it('calls logoutSameTabAsync for sibling OIDC clients registered in the same tab', async () => {
+      const oidc: any = {
+        configuration: { client_id: 'interactive.public.short' },
+        tokens: {
+          idToken: 'abcd',
+          accessToken: 'abcd',
+          refreshToken: 'abdc',
+          idTokenPayload: { sub: 'sub-123' },
+        },
+        destroyAsync: () => Promise.resolve(),
+        logoutSameTabAsync: vi.fn().mockResolvedValue(undefined),
+        publishEvent: () => undefined,
+      };
+      const sibling: any = { configuration: { client_id: 'other' } };
+      const oidcDatabase = { default: oidc, other: sibling };
+
+      await clearSessionAsync(oidc, oidcDatabase)();
+
+      expect(oidc.logoutSameTabAsync).toHaveBeenCalledWith('interactive.public.short', 'sub-123');
+    });
+  });
 });

package/src/logout.ts

@@ -59,6 +59,58 @@ export const destroyAsync = oidc => async status => {
   oidc.userInfo = null;
 };
 
+/**
+ * Clears the local OIDC session (tokens, user info, service-worker storage)
+ * and broadcasts `logout_from_same_tab` to any other OIDC clients registered
+ * in the same tab.
+ *
+ * It is intentionally decoupled from `logoutAsync`: callers that want to drop
+ * the local session without contacting the identity provider — for example a
+ * service-worker-only flow, a SPA-only logout, or an error-recovery path —
+ * can use this helper directly. `logoutAsync` itself calls it as the very
+ * last step, after the browser navigation to `end_session_endpoint` has been
+ * scheduled, so that the React tree never observes a transient "no tokens"
+ * state before the page is unloaded.
+ */
+export const clearSessionAsync = (oidc, oidcDatabase) => async () => {
+  const sub = oidc.tokens?.idTokenPayload?.sub ?? null;
+  await oidc.destroyAsync('LOGGED_OUT');
+  for (const [, itemOidc] of Object.entries(oidcDatabase)) {
+    if (itemOidc !== oidc) {
+      // @ts-ignore
+      await oidc.logoutSameTabAsync(oidc.configuration.client_id, sub);
+    } else {
+      oidc.publishEvent(eventNames.logout_from_same_tab, {});
+    }
+  }
+};
+
+const buildEndSessionUrl = (
+  endSessionEndpoint: string,
+  endPointExtras: StringMap,
+  idToken: string,
+  postLogoutRedirectUri: string | null,
+): string => {
+  if (!('id_token_hint' in endPointExtras)) {
+    endPointExtras['id_token_hint'] = idToken;
+  }
+  if (!('post_logout_redirect_uri' in endPointExtras) && postLogoutRedirectUri !== null) {
+    endPointExtras['post_logout_redirect_uri'] = postLogoutRedirectUri;
+  }
+  let queryString = '';
+  for (const [key, value] of Object.entries(endPointExtras)) {
+    if (value !== null && value !== undefined) {
+      if (queryString === '') {
+        queryString += '?';
+      } else {
+        queryString += '&';
+      }
+      queryString += `${key}=${encodeURIComponent(value)}`;
+    }
+  }
+  return `${endSessionEndpoint}${queryString}`;
+};
+
 export const logoutAsync =
   (oidc, oidcDatabase, fetch, console, oicLocation: ILOidcLocation) =>
   async (callbackPathOrUrl: string | null | undefined = undefined, extras: StringMap = null) => {
@@ -79,94 +131,111 @@ export const logoutAsync =
     if (callbackPathOrUrl) {
       isUri = callbackPathOrUrl.includes('https://') || callbackPathOrUrl.includes('http://');
     }
-    const url = isUri ? callbackPathOrUrl : oicLocation.getOrigin() + path;
+    const postLogoutRedirectUri =
+      callbackPathOrUrl === null
+        ? null
+        : isUri
+          ? callbackPathOrUrl
+          : oicLocation.getOrigin() + path;
+    // Capture identifiers from the live session *before* any clear happens, so the
+    // values stay valid no matter when we drop local state.
     // @ts-ignore
     const idToken = oidc.tokens ? oidc.tokens.idToken : '';
+
+    // Mark the instance as "logout in progress" so consumers (OidcSecure, route
+    // guards, silent renew, 401 retry interceptors, …) can back off from
+    // triggering a new auth flow during the window between us clearing the
+    // local session and the browser actually navigating away.
+    oidc.isLoggingOut = true;
+
     try {
-      const revocationEndpoint = oidcServerConfiguration.revocationEndpoint;
-      if (revocationEndpoint) {
-        const promises = [];
-        const accessToken = oidc.tokens ? oidc.tokens.accessToken : null;
-        if (
-          accessToken &&
-          configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.access_token)
-        ) {
-          const revokeAccessTokenExtras = extractExtras(extras, ':revoke_access_token');
-          const revokeAccessTokenPromise = performRevocationRequestAsync(fetch)(
-            revocationEndpoint,
-            accessToken,
-            TOKEN_TYPE.access_token,
-            configuration.client_id,
-            revokeAccessTokenExtras,
-          );
-          promises.push(revokeAccessTokenPromise);
-        }
-        const refreshToken = oidc.tokens ? oidc.tokens.refreshToken : null;
-        if (
-          refreshToken &&
-          configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.refresh_token)
-        ) {
-          const revokeAccessTokenExtras = extractExtras(extras, ':revoke_refresh_token');
-          const revokeRefreshTokenPromise = performRevocationRequestAsync(fetch)(
-            revocationEndpoint,
-            refreshToken,
-            TOKEN_TYPE.refresh_token,
-            configuration.client_id,
-            revokeAccessTokenExtras,
-          );
-          promises.push(revokeRefreshTokenPromise);
-        }
-        if (promises.length > 0) {
-          await Promise.all(promises);
+      try {
+        const revocationEndpoint = oidcServerConfiguration.revocationEndpoint;
+        if (revocationEndpoint) {
+          const promises = [];
+          const accessToken = oidc.tokens ? oidc.tokens.accessToken : null;
+          if (
+            accessToken &&
+            configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.access_token)
+          ) {
+            const revokeAccessTokenExtras = extractExtras(extras, ':revoke_access_token');
+            const revokeAccessTokenPromise = performRevocationRequestAsync(fetch)(
+              revocationEndpoint,
+              accessToken,
+              TOKEN_TYPE.access_token,
+              configuration.client_id,
+              revokeAccessTokenExtras,
+            );
+            promises.push(revokeAccessTokenPromise);
+          }
+          const refreshToken = oidc.tokens ? oidc.tokens.refreshToken : null;
+          if (
+            refreshToken &&
+            configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.refresh_token)
+          ) {
+            const revokeAccessTokenExtras = extractExtras(extras, ':revoke_refresh_token');
+            const revokeRefreshTokenPromise = performRevocationRequestAsync(fetch)(
+              revocationEndpoint,
+              refreshToken,
+              TOKEN_TYPE.refresh_token,
+              configuration.client_id,
+              revokeAccessTokenExtras,
+            );
+            promises.push(revokeRefreshTokenPromise);
+          }
+          if (promises.length > 0) {
+            // Revocation must be awaited *before* navigation, so a cancelled
+            // navigation can never leave valid tokens behind both in storage
+            // and on the authorization server.
+            await Promise.all(promises);
+          }
         }
+      } catch (exception) {
+        console.warn(
+          'logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error',
+        );
+        console.warn(exception);
       }
-    } catch (exception) {
-      console.warn(
-        'logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error',
-      );
-      console.warn(exception);
-    }
-    const sub = oidc.tokens?.idTokenPayload?.sub ?? null;
-
-    await oidc.destroyAsync('LOGGED_OUT');
-    for (const [, itemOidc] of Object.entries(oidcDatabase)) {
-      if (itemOidc !== oidc) {
-        // @ts-ignore
-        await oidc.logoutSameTabAsync(oidc.configuration.client_id, sub);
-      } else {
-        oidc.publishEvent(eventNames.logout_from_same_tab, {});
-      }
-    }
-
-    const oidcExtras = extractExtras(extras, ':oidc');
-    const noReload = oidcExtras && oidcExtras['no_reload'] === 'true';
-
-    if (noReload) {
-      return;
-    }
 
-    const endPointExtras = keepExtras(extras);
+      const oidcExtras = extractExtras(extras, ':oidc');
+      const noReload = oidcExtras && oidcExtras['no_reload'] === 'true';
 
-    if (oidcServerConfiguration.endSessionEndpoint) {
-      if (!('id_token_hint' in endPointExtras)) {
-        endPointExtras['id_token_hint'] = idToken;
-      }
-      if (!('post_logout_redirect_uri' in endPointExtras) && callbackPathOrUrl !== null) {
-        endPointExtras['post_logout_redirect_uri'] = url;
+      if (noReload) {
+        // No navigation happens here: this branch is essentially a "clear local
+        // session" call dressed as a logout. We can drop state immediately and
+        // reset the flag since the call returns normally to the caller.
+        await clearSessionAsync(oidc, oidcDatabase)();
+        oidc.isLoggingOut = false;
+        return;
       }
-      let queryString = '';
-      for (const [key, value] of Object.entries(endPointExtras)) {
-        if (value !== null && value !== undefined) {
-          if (queryString === '') {
-            queryString += '?';
-          } else {
-            queryString += '&';
-          }
-          queryString += `${key}=${encodeURIComponent(value)}`;
-        }
+
+      // Navigate to the end-session endpoint (or reload) *before* clearing the
+      // local session. This closes the race where `OidcProvider` /
+      // `OidcSecure` / silent-renew timers observe a null `tokens` and kick
+      // off a new auth flow in the window between local clear and navigation.
+      const endPointExtras = keepExtras(extras);
+      if (oidcServerConfiguration.endSessionEndpoint) {
+        const endSessionUrl = buildEndSessionUrl(
+          oidcServerConfiguration.endSessionEndpoint,
+          endPointExtras,
+          idToken,
+          postLogoutRedirectUri,
+        );
+        oicLocation.open(endSessionUrl);
+      } else {
+        oicLocation.reload();
       }
-      oicLocation.open(`${oidcServerConfiguration.endSessionEndpoint}${queryString}`);
-    } else {
-      oicLocation.reload();
+
+      // Now that navigation has been scheduled, drop the local session. By the
+      // time React re-renders against the null tokens the page is already
+      // unloading; if for any reason it is not (e.g. navigation cancelled by a
+      // `beforeunload` handler) the `isLoggingOut` flag stays set so guards
+      // still know not to start a fresh auth flow.
+      await clearSessionAsync(oidc, oidcDatabase)();
+    } catch (exception) {
+      // If anything went wrong, reset the flag so the app is not stuck in a
+      // "logging out forever" state.
+      oidc.isLoggingOut = false;
+      throw exception;
     }
   };

package/src/oidc.ts

@@ -12,7 +12,7 @@ import {
 import { tryKeepSessionAsync } from './keepSession';
 import { ILOidcLocation, OidcLocation } from './location';
 import { defaultLoginAsync, loginCallbackAsync } from './login.js';
-import { destroyAsync, logoutAsync } from './logout.js';
+import { clearSessionAsync, destroyAsync, logoutAsync } from './logout.js';
 import { TokenRenewMode, Tokens } from './parseTokens.js';
 import { autoRenewTokens, renewTokensAndStartTimerAsync } from './renewTokens.js';
 import { fetchFromIssuer } from './requests.js';
@@ -99,6 +99,14 @@ export class Oidc {
   public checkSessionIFrame: CheckSessionIFrame;
   public getFetch: () => Fetch;
   public location: ILOidcLocation;
+  /**
+   * `true` while {@link logoutAsync} is executing or has scheduled a
+   * navigation to the identity provider's end-session endpoint that has not
+   * yet committed. Consumers (UI guards, silent-renew handlers, 401 retry
+   * interceptors, …) should check this flag and skip starting a new auth
+   * flow when it is set, even if `tokens` is null.
+   */
+  public isLoggingOut = false;
   constructor(
     configuration: OidcConfiguration,
     configurationName = 'default',
@@ -183,13 +191,38 @@ export class Oidc {
       return oidcFactory(getFetch, location)(configuration, name);
     };
 
-  static get(name = 'default') {
-    const isInsideBrowser = typeof process === 'undefined';
-    if (!Object.prototype.hasOwnProperty.call(oidcDatabase, name) && isInsideBrowser) {
+  /**
+   * Retrieve an existing OIDC instance previously initialized via
+   * {@link Oidc.getOrCreate}.
+   *
+   * Since issue #1679, this method no longer throws when the requested
+   * configuration has not been initialized; it returns `null` instead.
+   * This makes hooks such as `useOidc`, `useOidcUser` and `useOidcIdToken`
+   * safe to call outside of an `<OidcProvider>` (e.g. in unit tests or
+   * Storybook stories).
+   *
+   * Use {@link Oidc.getOrThrow} to preserve the previous fail-fast
+   * behaviour.
+   */
+  static get(name = 'default'): Oidc | null {
+    if (!Object.prototype.hasOwnProperty.call(oidcDatabase, name)) {
+      return null;
+    }
+    return oidcDatabase[name];
+  }
+
+  /**
+   * Retrieve an existing OIDC instance, throwing an explicit error if it
+   * has not been initialized. This preserves the historical (pre-#1679)
+   * fail-fast behaviour of `Oidc.get`.
+   */
+  static getOrThrow(name = 'default'): Oidc {
+    const oidc = Oidc.get(name);
+    if (!oidc) {
       throw Error(`OIDC library does seem initialized.
 Please checkout that you are using OIDC hook inside a <OidcProvider configurationName="${name}"></OidcProvider> component.`);
     }
-    return oidcDatabase[name];
+    return oidc;
   }
 
   static eventNames = eventNames;
@@ -452,6 +485,27 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
     return await destroyAsync(this)(status);
   }
 
+  /**
+   * Drops the local OIDC session (tokens, user info, service-worker storage)
+   * and broadcasts `logout_from_same_tab`, without contacting the identity
+   * provider's `end_session_endpoint` and without revoking tokens.
+   *
+   * Use this for SPA-only logouts, service-worker-only flows, or
+   * error-recovery paths where a full IdP logout is not needed or not
+   * desirable. For a standard OIDC RP-initiated logout use
+   * {@link logoutAsync} instead.
+   */
+  clearSessionPromise: Promise<void> = null;
+  async clearSessionAsync(): Promise<void> {
+    if (this.clearSessionPromise) {
+      return this.clearSessionPromise;
+    }
+    this.clearSessionPromise = clearSessionAsync(this, oidcDatabase)();
+    return this.clearSessionPromise.finally(() => {
+      this.clearSessionPromise = null;
+    });
+  }
+
   async logoutSameTabAsync(clientId: string, sub: any) {
     // @ts-ignore
     if (

package/src/oidcClient.spec.ts

@@ -0,0 +1,34 @@
+import { describe, expect, it } from 'vitest';
+
+import { Oidc } from './oidc.js';
+import { OidcClient } from './oidcClient.js';
+
+describe('OidcClient.get (issue #1679)', () => {
+  it('returns null when no configuration has been initialized', () => {
+    expect(OidcClient.get('unknown-configuration-1679')).toBeNull();
+  });
+
+  it('does not throw when no configuration has been initialized', () => {
+    expect(() => OidcClient.get('another-unknown-configuration-1679')).not.toThrow();
+  });
+});
+
+describe('OidcClient.getOrThrow (issue #1679)', () => {
+  it('throws an explicit error when configuration has not been initialized', () => {
+    expect(() => OidcClient.getOrThrow('missing-configuration-1679')).toThrow(
+      /OIDC library does seem initialized/,
+    );
+  });
+});
+
+describe('Oidc.get (issue #1679)', () => {
+  it('returns null when no configuration has been initialized', () => {
+    expect(Oidc.get('unknown-oidc-1679')).toBeNull();
+  });
+
+  it('Oidc.getOrThrow throws when configuration has not been initialized', () => {
+    expect(() => Oidc.getOrThrow('missing-oidc-1679')).toThrow(
+      /OIDC library does seem initialized/,
+    );
+  });
+});

package/src/oidcClient.ts

@@ -38,8 +38,28 @@ export class OidcClient {
       return new OidcClient(Oidc.getOrCreate(getFetch, location)(configuration, name));
     };
 
-  static get(name = 'default'): OidcClient {
-    return new OidcClient(Oidc.get(name));
+  /**
+   * Retrieve an existing {@link OidcClient} by configuration name.
+   *
+   * Since issue #1679, this method returns `null` when the requested
+   * configuration has not been initialized, instead of throwing. This
+   * allows React hooks to be used safely outside of `<OidcProvider>`.
+   *
+   * Use {@link OidcClient.getOrThrow} to preserve the previous fail-fast
+   * behaviour.
+   */
+  static get(name = 'default'): OidcClient | null {
+    const oidc = Oidc.get(name);
+    return oidc ? new OidcClient(oidc) : null;
+  }
+
+  /**
+   * Retrieve an existing {@link OidcClient}, throwing if it has not been
+   * initialized. Equivalent to the pre-#1679 behaviour of
+   * {@link OidcClient.get}.
+   */
+  static getOrThrow(name = 'default'): OidcClient {
+    return new OidcClient(Oidc.getOrThrow(name));
   }
 
   static eventNames = Oidc.eventNames;
@@ -64,6 +84,32 @@ export class OidcClient {
     return this._oidc.logoutAsync(callbackPathOrUrl, extras);
   }
 
+  /**
+   * Drops the local OIDC session (tokens, user info, service-worker storage)
+   * and notifies same-tab listeners via the `logout_from_same_tab` event,
+   * without contacting the identity provider's `end_session_endpoint` and
+   * without revoking tokens.
+   *
+   * Use this for SPA-only logouts, service-worker-only flows, or
+   * error-recovery paths. For a standard OIDC RP-initiated logout (with
+   * token revocation and navigation to the IdP's end-session endpoint) use
+   * {@link logoutAsync} instead.
+   */
+  clearSessionAsync(): Promise<void> {
+    return this._oidc.clearSessionAsync();
+  }
+
+  /**
+   * `true` while a logout flow is in progress: between the moment
+   * {@link logoutAsync} starts and the moment the browser navigates away to
+   * the identity provider's end-session endpoint. UI guards and silent-renew
+   * handlers should check this flag to avoid kicking off a new auth flow
+   * during that window.
+   */
+  get isLoggingOut(): boolean {
+    return this._oidc.isLoggingOut === true;
+  }
+
   silentLoginCallbackAsync(): Promise<void> {
     return this._oidc.silentLoginCallbackAsync();
   }

package/src/version.ts

@@ -1 +1 @@
-export default '7.27.15';
+export default '7.27.17';