nginxinc / nginx-openid-connect

Reference implementation of OpenID Connect integration for NGINX Plus
https://www.nginx.com/products/nginx/

Add support for front-channel OIDC logout #105

Open anderius opened 3 weeks ago

anderius commented 3 weeks ago

The current implementation relies on cookies for front-channel logout. As noted in the spec, this is increasingly problematic, as modern browsers will not send cookies with content in an iframe.

The solution is either to use back-channel logout (which my IdP does not support), or use the sid parameter from the id-token as a session identifier, as is optional in the spec.

My feature request is that this oidc-implementation supports the sid parameter for front-channel logout.

route443 commented 3 weeks ago

As I understand it, what you are asking for is a front-channel logout implementation, but we support only RP-initiated OIDC logout (see PR #96 ). The difference is that in the case of front-channel logout, the initiator is the IdP, and logout is performed through an iframe mechanism, relying on sid rather than authentication cookies (auth_token). I think we could add support for both back- and front-channel logouts, but it might be quite challenging, as we currently use auth_token as the key for tokens, and obtaining cookies based on, say, sid is not feasible. I’ll think about what can be done.

anderius commented 3 weeks ago

@route443 Our initial idea was to create a keyval map on login, from sid to auth_token. Then we could fetch auth_token from sid on logout, and create a sub-request with auth_token set. Would that not work?
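The sid-to-auth_token mapping sketched in this comment, as an added example that is not part of the project's code or this thread: a plain `Map` stands in for the NGINX Plus keyval zone, `revoke` stands in for the subrequest that would carry `auth_token`, and all function names are hypothetical. The claims helper does no signature verification; in practice `sid` must be read only from an id_token that has already been validated.

```javascript
// Decode the payload of a compact JWS (header.payload.signature) without verifying it.
// Only call this on an id_token whose signature has already been checked upstream.
function idTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Login hook: remember sid -> auth_token (plus issuer) so a cookie-less
// front-channel logout request can still locate the session.
function rememberSession(store, idToken, authToken) {
  const { sid, iss } = idTokenClaims(idToken);
  if (!sid) return false;               // IdP issued no sid: logout-by-sid is impossible
  store.set(sid, { authToken, iss });
  return true;
}

// Front-channel logout endpoint: the IdP loads it in an iframe with ?iss=...&sid=...
// and no cookies. Resolve sid -> auth_token, drop the mapping, revoke the session.
function frontChannelLogout(store, query, expectedIss, revoke) {
  if (!query.sid || query.iss !== expectedIss) return 400; // both parameters are required
  const entry = store.get(query.sid);
  if (!entry) return 200;               // unknown or already logged out: nothing to do
  store.delete(query.sid);
  revoke(entry.authToken);              // in NGINX: the subrequest with auth_token set
  return 200;
}

// Constructed sample input: an unsigned id_token carrying a sid claim (for illustration only).
function makeSampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.`;
}
```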