feat(OIDC): add support for end_session for V2 tokens (#6226)

This PR adds support for the OIDC end_session_endpoint for V2 tokens. Sending an id_token_hint as parameter will directly terminate the underlying (SSO) session and all its tokens. Without this param, the user will be redirected to the Login UI, where he will able to choose if to logout.
2025-08-12 00:27:31 +00:00 · 2023-07-19 13:17:39 +02:00
parent 1e5fd2f66e
commit 59f3c328ec
13 changed files with 358 additions and 100 deletions
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -42,6 +42,7 @@ type Config struct {
 	CustomEndpoints                   *EndpointConfig
 	DeviceAuth                        *DeviceAuthorizationConfig
 	DefaultLoginURLV2                 string
+	DefaultLogoutURLV2                string
 }

 type EndpointConfig struct {
@@ -67,6 +68,7 @@ type OPStorage struct {
 	eventstore                        *eventstore.Eventstore
 	defaultLoginURL                   string
 	defaultLoginURLV2                 string
+	defaultLogoutURLV2                string
 	defaultAccessTokenLifetime        time.Duration
 	defaultIdTokenLifetime            time.Duration
 	signingKeyAlgorithm               string
@@ -184,6 +186,7 @@ func newStorage(config Config, command *command.Commands, query *query.Queries,
 		eventstore:                        es,
 		defaultLoginURL:                   fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
 		defaultLoginURLV2:                 config.DefaultLoginURLV2,
+		defaultLogoutURLV2:                config.DefaultLogoutURLV2,
 		signingKeyAlgorithm:               config.SigningKeyAlgorithm,
 		defaultAccessTokenLifetime:        config.DefaultAccessTokenLifetime,
 		defaultIdTokenLifetime:            config.DefaultIdTokenLifetime,