BuildEndSessionURL called GetProvider, which unconditionally runs setOicdProvider -> oidc.NewProvider, a live HTTP GET of the OP's discovery document (with RetryWithBackoff). On every logout this is an unnecessary round-trip, and when the OP is unreachable the retries make /user/logout hang, defeating the "logout stays responsive" guarantee.

The logout path only needs static fields already cached on the provider (EndSessionURL/LogoutURL/ClientID); it never touches the live openIDProvider/Oauth2Config.

Add a cache-only getCachedProvider accessor (GetProvider without the trailing setOicdProvider) and have BuildEndSessionURL use it. Login/callback keep using GetProvider: token exchange and ID-token verification legitimately need the live-provider rehydration.
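The split the commit message describes, as an added Go sketch that is not the project's code: a cache-only accessor serves the logout URL while the live accessor fails because the OP is simulated as unreachable. The lowercase function names, the `Provider` type, the sample data and the simulated discovery failure are assumptions for illustration; the query parameter names follow OpenID Connect RP-Initiated Logout and do not come from the page.

```go
package main

import "fmt"
import "net/url"

// Provider holds only the static fields cached from configuration (hypothetical type).
type Provider struct{ ClientID, EndSessionURL string }

// Constructed sample cache entry; the key, client ID and URL are placeholders.
var cache = map[string]*Provider{"sso": {ClientID: "app", EndSessionURL: "https://op.example/logout"}}
var discoveryCalls int // counts simulated discovery round-trips

// getCachedProvider is the cache-only accessor: a map lookup, no network I/O.
func getCachedProvider(key string) (*Provider, error) {
	if p, ok := cache[key]; ok {
		return p, nil
	}
	return nil, fmt.Errorf("provider %q not configured", key)
}

// getProvider adds live rehydration (login/callback); the OP is simulated as down.
func getProvider(key string) (*Provider, error) {
	if _, err := getCachedProvider(key); err != nil {
		return nil, err
	}
	discoveryCalls++ // stands in for the discovery GET and its retries
	return nil, fmt.Errorf("discovery for %q: OP unreachable", key)
}

// buildEndSessionURL reads cached fields only, so logout never waits on the OP.
func buildEndSessionURL(key, idTokenHint, redirectURI string) (string, error) {
	p, err := getCachedProvider(key)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(p.EndSessionURL)
	if err != nil {
		return "", err
	}
	q := u.Query() // keep any query the configured URL already carries
	q.Set("client_id", p.ClientID)
	q.Set("id_token_hint", idTokenHint)
	q.Set("post_logout_redirect_uri", redirectURI)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	fmt.Println(buildEndSessionURL("sso", "ID_TOKEN", "https://app.example/"))
}
```

A regression test for this kind of change can assert that the logout path leaves the discovery counter untouched, which is what keeps /user/logout responsive during an OP outage.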