workos / workos-go

Official Go SDK for interacting with the WorkOS API
https://workos.com/docs/sdk/go
MIT License

Support for OIDC Logout URL Generation #338

Open arhea opened 3 months ago

arhea commented 3 months ago

OIDC and other SSO integrations support redirecting the user or calling a logout endpoint. Often, an enterprise requirement is to log the user completely out of the application and the identity provider to meet security requirements.

For example, say the user authenticates with OIDC to your application and then logs out of your application. Simply by clicking login again, the user will likely not be prompted to sign in to the identity provider again and will be automatically logged back in.

To combat this, OIDC implemented RP-Initiated Logout, which allows applications to send the user on logout to the IdP to be completely logged out.

This request is to add GetLogoutURL in the same style as the GetAuthorizationURL API that would build the URL for logging out the user. This method is needed because it requires access to the Well-Known config which is not readily available in the client (it can be done but requires extra code).

Ideally, the SDK would work as follows:

logoutURL, err := client.GetLogoutURL(GetLogoutURLOpts{
    RedirectUri: "", // required, where to land after logging out
    State:       "", // optional, state parameter for the client
    Locale:      "", // optional, hint to the language of the user
})

The API would already know the Client ID and ID Token which are required by OIDC.
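As an added illustration of what the requested helper would have to do (this is example code, not workos-go's API and not the issue author's code), the following builds an RP-Initiated Logout URL from a provider's discovery document. It assumes hypothetical names (`BuildLogoutURL`, `LogoutURLOpts`), a constructed discovery document embedded inline, and that the caller already holds the client ID and the user's ID token, as the issue notes. It also handles the two failure modes a practitioner hits first: a provider that advertises no `end_session_endpoint`, and a missing post-logout redirect URI.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// LogoutURLOpts mirrors the option names sketched in the issue. These are
// hypothetical names for this example, not part of workos-go.
type LogoutURLOpts struct {
	RedirectURI string // required: post_logout_redirect_uri registered with the IdP
	State       string // optional: returned unchanged to the redirect URI
	Locale      string // optional: sent as the ui_locales hint
}

// discovery holds the single field of the OIDC discovery document needed here.
type discovery struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// SampleDiscovery is a constructed discovery document standing in for the
// provider's /.well-known/openid-configuration response (example data only).
const SampleDiscovery = `{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oidc/authorize",
  "end_session_endpoint": "https://idp.example.com/oidc/logout"
}`

// BuildLogoutURL constructs an RP-Initiated Logout URL: the provider's
// end_session_endpoint with id_token_hint, client_id, post_logout_redirect_uri
// and the optional state / ui_locales parameters appended.
func BuildLogoutURL(discoveryJSON []byte, clientID, idToken string, opts LogoutURLOpts) (string, error) {
	if opts.RedirectURI == "" {
		return "", errors.New("RedirectURI is required")
	}
	var d discovery
	if err := json.Unmarshal(discoveryJSON, &d); err != nil {
		return "", fmt.Errorf("parse discovery document: %w", err)
	}
	// Providers that do not support RP-Initiated Logout omit this field;
	// fail loudly rather than silently ending only the local session.
	if d.EndSessionEndpoint == "" {
		return "", errors.New("provider advertises no end_session_endpoint; RP-Initiated Logout unsupported")
	}
	u, err := url.Parse(d.EndSessionEndpoint)
	if err != nil {
		return "", fmt.Errorf("invalid end_session_endpoint: %w", err)
	}
	// Never send the ID token hint over plaintext.
	if u.Scheme != "https" {
		return "", errors.New("end_session_endpoint must use https")
	}
	q := u.Query()
	q.Set("client_id", clientID)
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", opts.RedirectURI)
	if opts.State != "" {
		q.Set("state", opts.State)
	}
	if opts.Locale != "" {
		q.Set("ui_locales", opts.Locale)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	logoutURL, err := BuildLogoutURL([]byte(SampleDiscovery), "client_123", "eyJ.sample.idtoken", LogoutURLOpts{
		RedirectURI: "https://app.example.com/logged-out",
		State:       "xyz",
		Locale:      "en",
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(logoutURL)
}
```

The redirect URI passed here must be one pre-registered with the IdP, and the application should still clear its own session before redirecting; the IdP redirect only completes the second half of the logout the issue describes.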

yagupta commented 2 months ago

++ same problem

johnpudd-ec commented 2 weeks ago

Same here. Without the ability to sign out of the provider, the user never really completes a logout. Although the session may be ended, the next time the user tries to log in, they are automatically logged in with whichever account they used last time.

The user needs to be able to log out fully, and have the option to select a different account the next time they click login.