On OIDC logout Vikunja redirected to the configured `logouturl` with no query
parameters, so it never sent `id_token_hint` or `post_logout_redirect_uri`.
RP-Initiated-Logout-compliant providers (e.g. PocketID) then ignored the
post-logout redirect and left the user on the IdP's own login page.
This builds the end-session URL server-side from the OpenID Connect
RP-Initiated Logout 1.0 spec:
- id_token_hint (§2, RECOMMENDED): the ID token previously issued to the
session. It lets the OP skip the logout-confirmation prompt and is what makes
the OP honor post_logout_redirect_uri (the OP MAY require it, §3).
- post_logout_redirect_uri (§2, OPTIONAL): where the OP redirects after logout.
MUST be pre-registered with the OP. Defaults to service.publicurl so the user
lands back on Vikunja.
- client_id (§2, OPTIONAL): the RP client id; the OP verifies it matches the
id_token_hint.
The end_session_endpoint is discovered from the provider's discovery document
(§2.1, REQUIRED metadata) and falls back to the static `logouturl` config when
the provider does not publish one.
To replay id_token_hint, the raw ID token (and the provider key) are persisted
on the session at the OIDC callback (new migration adds oidc_id_token /
oidc_provider_key columns to the sessions table). At logout the server reads
them, builds the URL, deletes the session, and returns the URL in the logout
response so the frontend redirects to it.
Security note: the raw ID token is stored at rest in the sessions table
(json:"-", never exposed over the API) and removed when the session is deleted
on logout.
Spec: OpenID Connect RP-Initiated Logout 1.0
https://openid.net/specs/openid-connect-rpinitiated-1_0.htmlFixes#2820