Conversation


@tusharpandey13 tusharpandey13 commented Sep 3, 2025

Adds a new boolean configuration option to prevent potential PII exposure by allowing developers to exclude the id_token_hint parameter from OIDC logout URLs while maintaining logout functionality.
logout_hint and client_id are sent by default.

#2151 is related

  • All new/changed/fixed functionality is covered by tests
  • I have added documentation for all new/changed functionality

References

See OIDC Logout endpoint parameters

📋 Changes

This change adds a new configuration option includeIdTokenHintInOIDCLogoutUrl to exclude the id_token_hint parameter from logout URLs. It defaults to true for backward compatibility.

Usage:

// Server-side client from @auth0/nextjs-auth0 v4 (import added for completeness)
import { Auth0Client } from '@auth0/nextjs-auth0/server';

const auth0 = new Auth0Client({
  domain: 'your-domain.auth0.com',
  clientId: 'your-client-id',
  clientSecret: 'your-client-secret',
  includeIdTokenHintInOIDCLogoutUrl: false // Exclude id_token_hint for privacy
});

When set to false, only logout_hint (session ID) and client_id are included in OIDC logout URLs, preventing PII exposure while maintaining proper logout functionality.

  • Changed src/server/client.ts: Added includeIdTokenHintInOIDCLogoutUrl property to Auth0ClientOptions interface with JSDoc documentation
  • Changed src/server/auth-client.ts: Added property to AuthClientOptions interface and implemented conditional logic in createOIDCLogoutResponse
  • Changed src/server/auth-client.test.ts: Added comprehensive test suite covering all scenarios including default behavior, explicit true/false values, and edge cases
  • Changed src/server/logout-strategy.flow.test.ts: Added integration tests verifying the option works correctly with different logout strategies

🎯 Testing

Automated:
Added 7 new unit tests and 3 integration tests covering:

  • Default behavior (includes id_token_hint when option not specified)
  • Explicit true value (includes id_token_hint)
  • Explicit false value (excludes id_token_hint but includes logout_hint)
  • Edge case where session has no ID token
  • Integration with different logout strategies (auto, oidc, v2)

Manual:

  1. Configure Auth0 client with includeIdTokenHintInOIDCLogoutUrl: false
  2. Perform logout with an active session
  3. Verify logout URL contains logout_hint but not id_token_hint
  4. Confirm logout still functions correctly (user is logged out)
  5. Check server logs to verify no PII exposure through id_token_hint

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner September 3, 2025 05:31
@tusharpandey13 tusharpandey13 changed the title feat: add boolean to skip sending id_token_hint in OIDC logout URL feat: add includeIdTokenHintInOIDCLogoutUrl option to control PII exposure in logout URLs Sep 3, 2025
@tusharpandey13 tusharpandey13 marked this pull request as draft September 3, 2025 05:32
codecov-commenter commented Sep 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.36%. Comparing base (fe1f5e7) to head (6cdcf26).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2300      +/-   ##
==========================================
+ Coverage   85.34%   85.36%   +0.02%     
==========================================
  Files          26       26              
  Lines        2613     2617       +4     
  Branches      481      482       +1     
==========================================
+ Hits         2230     2234       +4     
  Misses        377      377              
  Partials        6        6              


@tusharpandey13 tusharpandey13 marked this pull request as ready for review September 3, 2025 05:35
@tusharpandey13 tusharpandey13 changed the title feat: add includeIdTokenHintInOIDCLogoutUrl option to control PII exposure in logout URLs feat: control sending id_token_hint in OIDC logout URL Sep 5, 2025
@tusharpandey13 tusharpandey13 marked this pull request as draft September 10, 2025 12:29