nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0
454 stars, 320 forks

redirect_after_logout_uri bug #128

Open luka1983 opened 5 years ago

luka1983 commented 5 years ago

In the current kong-oidc plugin version, the configuration property redirect_after_logout_uri masks the end_session_endpoint property value obtained via the discovery mechanism.

In the usual OIDC flow, the RP acquires this OP endpoint via the OIDC discovery mechanism, where it should be available as end_session_endpoint. When logout is initiated from the RP, this endpoint is used to terminate any relevant session with the OP as well. But because of this bug, the OP logout endpoint cannot be obtained and used in the proper way. The purpose of redirect_after_logout_uri should be to provide the OP logout endpoint for OP implementations that lack a discovery mechanism or are missing end_session_endpoint in the discovery data.

All this being said, the issue here is that the purpose of the configuration property redirect_after_logout_uri is probably being mixed up with post_logout_redirect_uri, which is the redirect endpoint the OP should redirect the user agent to after a successful OP logout.

relevant lua-resty-openidc code
relevant lua-resty-openidc discussion
relevant OIDC specification document
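The two roles the report keeps apart, as an added Python example that is not code from kong-oidc or lua-resty-openidc: an RP resolves the OP's end_session_endpoint from discovery and only falls back to a configured value when discovery has none, then builds the RP-initiated logout redirect carrying post_logout_redirect_uri and id_token_hint. The discovery documents and RP configurations are constructed; the config key op_logout_endpoint_override is a hypothetical name for the fallback role, while redirect_after_logout_uri and post_logout_redirect_uri are the names used in the report. The "masked" resolver models the precedence the report describes, not the plugin's actual implementation.

```python
"""RP-initiated OIDC logout: which endpoint the RP sends the user agent to.

Added example, not code from kong-oidc or lua-resty-openidc. Discovery
documents and configs are constructed; op_logout_endpoint_override is a
hypothetical key name.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed OP discovery documents (what an RP fetches from
# <issuer>/.well-known/openid-configuration), trimmed to the fields used here.
DISCOVERY_WITH_END_SESSION = {
    "issuer": "https://op.example.com",
    "end_session_endpoint": "https://op.example.com/logout",
}
DISCOVERY_WITHOUT_END_SESSION = {
    "issuer": "https://op.example.com",
}

# Constructed RP config with the two roles kept separate: a fallback OP logout
# endpoint (hypothetical key) for OPs whose discovery data lacks
# end_session_endpoint, and the page the OP should send the user agent to
# after the OP session is gone.
RP_CONFIG = {
    "op_logout_endpoint_override": "https://op.example.com/legacy-logout",
    "post_logout_redirect_uri": "https://rp.example.com/goodbye",
}

# Constructed config of an operator who reads redirect_after_logout_uri as
# "where the user lands after logout", which is the mix-up the report describes.
MISREAD_CONFIG = {
    "redirect_after_logout_uri": "https://rp.example.com/goodbye",
}


def resolve_end_session_endpoint(discovery, config):
    """Discovery wins; the configured override only fills a gap in discovery."""
    return discovery.get("end_session_endpoint") or config.get("op_logout_endpoint_override")


def resolve_end_session_endpoint_masked(discovery, config):
    """Models the precedence the report calls a bug: redirect_after_logout_uri,
    when set, takes the place of the discovered end_session_endpoint."""
    return config.get("redirect_after_logout_uri") or discovery.get("end_session_endpoint")


def build_logout_redirect(end_session_endpoint, post_logout_redirect_uri=None,
                          id_token_hint=None, state=None):
    """URL for the user agent: the OP's end_session_endpoint plus
    post_logout_redirect_uri (which the OP checks against the client's
    registered URIs), an id_token_hint so the OP knows which session to end,
    and an optional state echoed back to the RP."""
    if not end_session_endpoint:
        raise ValueError("OP provides no end_session_endpoint; OP logout not possible")
    params = {}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    if state:
        params["state"] = state
    if not params:
        return end_session_endpoint
    joiner = "&" if "?" in end_session_endpoint else "?"
    return end_session_endpoint + joiner + urlencode(params)


def rp_initiated_logout(discovery, config, id_token_hint=None,
                        resolver=resolve_end_session_endpoint):
    """Full RP-side decision: where to redirect the user agent on logout."""
    endpoint = resolver(discovery, config)
    return build_logout_redirect(endpoint, config.get("post_logout_redirect_uri"), id_token_hint)


def ends_op_session(logout_url, discovery):
    """Pre-redirect sanity check: the target must be under the issuer's origin.
    A redirect straight to the RP's own page means the OP session never ends."""
    target, issuer = urlsplit(logout_url), urlsplit(discovery["issuer"])
    return (target.scheme, target.netloc) == (issuer.scheme, issuer.netloc)


def logout_url_parts(logout_url):
    """Split a logout URL into (endpoint, single-valued query dict)."""
    s = urlsplit(logout_url)
    return f"{s.scheme}://{s.netloc}{s.path}", {k: v[0] for k, v in parse_qs(s.query).items()}


if __name__ == "__main__":
    good = rp_initiated_logout(DISCOVERY_WITH_END_SESSION, RP_CONFIG, "eyJ.id.token")
    print("discovery first :", good, ends_op_session(good, DISCOVERY_WITH_END_SESSION))
    bad = rp_initiated_logout(DISCOVERY_WITH_END_SESSION, MISREAD_CONFIG,
                              resolver=resolve_end_session_endpoint_masked)
    print("masked (report) :", bad, ends_op_session(bad, DISCOVERY_WITH_END_SESSION))
```

With the masked precedence, an operator who set redirect_after_logout_uri to their own goodbye page sends the user agent there directly; the OP's end_session_endpoint is never visited, so the OP session survives the "logout". With discovery-first resolution the same config cannot shadow the OP endpoint, and the fallback is only consulted when the OP publishes none.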