Open candlerb opened 2 years ago
@candlerb - Thanks for the FR! You're correct that we currently don't implement the session management spec. There may be other mechanisms you can use to force an active re-authentication (e.g., max_age, prompt=login) as a stopgap. We'll consider what it'd take to add this session management capability.
As far as I can tell, you can't force those mechanisms into the exchange, unless you're manually constructing an API call (and even then, I'm not positive).
Is your feature request related to a problem? Please describe. (This is regarding the Vault OIDC provider in technical preview in 1.9)
The metadata returned by the .well-known/openid-configuration URL does not return an end_session_endpoint. This suggests that Vault doesn't support a way to end the session, i.e. "log out". Users may log out of a local application by clearing its session cookie, but as soon as they touch the application again, it will redirect them to Vault and log them back in again, with no confirmation or other interaction.
Describe the solution you'd like: Vault to support OIDC session management and discovery of this.
If there's already an end_session endpoint, but it's not in the discovery data, then I couldn't find it in the documentation.
Describe alternatives you've considered: n/a
Explain any additional use-cases: n/a
Additional context: n/a
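As an added illustration of the gap the issue describes (this is example code, not part of the issue thread or of Vault), a relying party can inspect the discovery document for end_session_endpoint and, when it is absent, fall back to the stopgap the maintainer mentions: sending the next authorization request with prompt=login and max_age=0. The discovery documents below are constructed samples, and the fallback assumes the provider honours those parameters, which the reporter doubts can be forced from their client.

```python
import json
from urllib.parse import urlencode

# Constructed sample discovery documents (not real Vault output). The first mirrors
# what the issue describes: the usual endpoints but no end_session_endpoint.
ISSUER = "https://vault.example.test/v1/identity/oidc/provider/default"
DISCOVERY_NO_LOGOUT = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/.well-known/keys",
})
# Same provider, but advertising RP-Initiated Logout support.
DISCOVERY_WITH_LOGOUT = json.dumps({
    **json.loads(DISCOVERY_NO_LOGOUT),
    "end_session_endpoint": ISSUER + "/logout",
})


def end_session_endpoint(discovery_json):
    """Return the OP's end_session_endpoint, or None if discovery does not advertise one."""
    return json.loads(discovery_json).get("end_session_endpoint")


def logout_redirect(discovery_json, id_token, post_logout_redirect_uri, state):
    """Build the RP-Initiated Logout redirect when the OP advertises end_session_endpoint.
    Returns None when it does not, so the caller knows only a local logout is possible."""
    endpoint = end_session_endpoint(discovery_json)
    if endpoint is None:
        return None
    params = {
        "id_token_hint": id_token,               # tells the OP which session to end
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return endpoint + "?" + urlencode(params)


def forced_reauth_redirect(discovery_json, client_id, redirect_uri, state, nonce):
    """Stopgap after a local logout: prompt=login and max_age=0 ask the OP to
    re-authenticate the user instead of silently reusing its own session cookie.
    Assumption: the OP honours these parameters."""
    doc = json.loads(discovery_json)
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state, "nonce": nonce,
        "prompt": "login", "max_age": "0",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)
```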