Description
Is your feature request related to a problem? Please describe.
If you are currently logged in via OIDC and click on logout, only the current RomM session is deleted and the user is only logged out of RomM. Since the logout URL, which sends feedback to the OIDC provider, is not called, the subsequent flows cannot be started, such as redirecting to another page or logging the user out of the OIDC provider. This means that other users on the same PC can gain unauthorized access to the user's apps if they forget to log out of the OIDC provider separately.
Describe the solution you'd like
The RP-Initiated Logout (end-session endpoint) should be added, so that the OIDC provider is informed of the logout and can execute any invalidation flows.
In my opinion, this requires that when the user clicks on “logout,” not only is the session token deleted, but a check is also performed to ensure that if OpenID is active and an OpenID session exists from the user's login, the “end-session” URL is called so that the OIDC provider knows that the user has logged out.
The option should have another env bool, which must be set to True, as I do not know how other OIDC providers handle this, since I use Authentik myself and can adapt the invalidation flow relatively easily to my needs there.
OIDC_RP_INITIATED_LOGOUT: (bool) to activate/deactivate.
OIDC_END_SESSION_ENDPOINT: (string) url to end the session e.g. "https://auth.mydomain/application/o/romm/end-session/"
Describe alternatives you've considered
Additional context
In the picture below you can see the logout from BookStack, which I have configured with OIDC.
The logout is called, I get redirected to the Authentik /end-session/ endpoint, and Authentik starts the logout flow I set up.
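As an added illustration that is not part of this issue or of RomM's own code, a Python sketch of the proposed logout hook: the local RomM session is always cleared first, and only when OIDC_RP_INITIATED_LOGOUT is enabled is the browser sent on to OIDC_END_SESSION_ENDPOINT, carrying the id_token_hint parameter defined by the OIDC RP-Initiated Logout specification so the provider can match the session being ended. The session key `oidc_id_token` and the extra OIDC_POST_LOGOUT_REDIRECT_URI setting are assumptions, not names from the issue.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlparse


@dataclass
class OidcLogoutConfig:
    rp_initiated_logout: bool            # OIDC_RP_INITIATED_LOGOUT (from the issue)
    end_session_endpoint: Optional[str]  # OIDC_END_SESSION_ENDPOINT (from the issue)
    # Assumed extra setting: where the provider may send the browser afterwards.
    post_logout_redirect_uri: Optional[str] = None


def load_config(env: dict) -> OidcLogoutConfig:
    """Read the two settings proposed in the issue (plus an assumed redirect URI) from an env-style mapping."""
    flag = env.get("OIDC_RP_INITIATED_LOGOUT", "false").strip().lower() in {"1", "true", "yes"}
    return OidcLogoutConfig(
        rp_initiated_logout=flag,
        end_session_endpoint=env.get("OIDC_END_SESSION_ENDPOINT") or None,
        post_logout_redirect_uri=env.get("OIDC_POST_LOGOUT_REDIRECT_URI") or None,
    )


def build_end_session_url(cfg: OidcLogoutConfig, id_token: Optional[str]) -> Optional[str]:
    """Return the provider URL the browser should be redirected to, or None when the feature is off."""
    if not cfg.rp_initiated_logout:
        return None
    if not cfg.end_session_endpoint:
        raise ValueError("OIDC_RP_INITIATED_LOGOUT is set but OIDC_END_SESSION_ENDPOINT is empty")
    parsed = urlparse(cfg.end_session_endpoint)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("OIDC_END_SESSION_ENDPOINT must be an absolute https URL")
    params = {}
    if id_token:  # id_token_hint lets the provider identify which login session to end
        params["id_token_hint"] = id_token
    if cfg.post_logout_redirect_uri:  # provider validates this against its registered URIs
        params["post_logout_redirect_uri"] = cfg.post_logout_redirect_uri
    if not params:
        return cfg.end_session_endpoint
    return cfg.end_session_endpoint + ("&" if parsed.query else "?") + urlencode(params)


def logout(session: dict, cfg: OidcLogoutConfig) -> Optional[str]:
    """Clear the local RomM session first, then decide whether to hand off to the provider."""
    id_token = session.pop("oidc_id_token", None)  # assumed key, stored at OIDC login time
    session.clear()  # local logout always happens, even when the provider hand-off is disabled
    return build_end_session_url(cfg, id_token)
```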
