Omejdn offers an endpoint `/logout` accepting GET and POST requests, as well as a request parameter `post_logout_redirect_uri`. This bears some similarities to the `end_session_endpoint` defined in OIDC RP-Initiated Logout.

However, where RPIL has at least some security built in with regards to several attacks, including

- using the OP as an open redirector, and
- involuntarily logging out the user from arbitrary services,

Omejdn has none. In fact, Omejdn is simply deleting the user's login session before redirecting the user back to whatever URL was passed as a parameter.

Going with the terminology of the above draft, a user thinks of "logging out at an RP" as revoking any access rights of an RP via the OP. This is trickier than implementing RPIL, since RPIL only covers OpenID Sessions (to log out, an RP will send an `id_token_hint`) and a user will likely want to be able to revoke access of arbitrary OAuth-capable services, likely via an Omejdn GUI. This in turn requires proper token revocation and optionally a method to notify OIDC RPs (such as OIDC Front/Backchannel Logout).

For the time being, the following should be implemented:

- OIDC RPIL as open-redirect protection.
- A logout confirmation page
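As an added illustration of the two items above (not code from the issue or from Omejdn itself), the following Ruby sketch shows how an RPIL-style `/logout` handler decides between redirecting, showing a confirmation page, or refusing: the redirect target must exactly match a URI registered for the client named in the `id_token_hint`, and a request without a hint gets the confirmation page instead of an immediate logout. The client registry, the `constructed_hint` helper and the unsigned demo token are constructed for the example; `client_from_id_token_hint` is a hypothetical helper that assumes signature verification has already happened.

```ruby
require 'json'
require 'uri'

# Constructed client registry (sample data; not Omejdn's real config format).
CLIENTS = {
  'web-app' => { 'post_logout_redirect_uris' => ['https://app.example.com/logged-out'] },
  'cli'     => { 'post_logout_redirect_uris' => [] }
}.freeze

# Builds an unsigned, constructed id_token_hint for the demo; real hints are signed JWTs.
def constructed_hint(claims)
  "hdr.#{[JSON.generate(claims)].pack('m0').tr('+/', '-_').delete('=')}.sig"
end

# Hypothetical helper: read the audience (client_id) from an id_token_hint.
# Assumes signature verification already happened elsewhere; only the payload is parsed.
def client_from_id_token_hint(hint)
  payload = hint.to_s.split('.')[1]
  return nil if payload.nil?
  aud = JSON.parse(payload.tr('-_', '+/').unpack1('m'))['aud']
  aud.is_a?(Array) ? aud.first : aud
rescue JSON::ParserError, TypeError
  nil
end

# Decide what /logout may do with the request params. The result never carries
# a redirect to a URI that was not registered for the identified client.
def logout_decision(params, clients = CLIENTS)
  hint_client = client_from_id_token_hint(params['id_token_hint'])
  client_id = hint_client || params['client_id']
  target = params['post_logout_redirect_uri']
  # client_id and the hint's audience must agree when both are present.
  if hint_client && params['client_id'] && params['client_id'] != hint_client
    return { action: :error, reason: 'client_id does not match id_token_hint' }
  end
  # Without an id_token_hint the OP cannot tell which session the RP means,
  # so ask the user on a confirmation page instead of acting immediately.
  return { action: :confirm, client_id: client_id } if hint_client.nil?
  # No redirect requested: end the session and stay on the OP's own page.
  return { action: :logout, redirect: nil } if target.nil? || target.empty?
  client = clients[client_id]
  # Only an exact match against the registered URIs is accepted; no prefix or host matching.
  unless client && client['post_logout_redirect_uris'].include?(target)
    return { action: :error, reason: 'unregistered post_logout_redirect_uri' }
  end
  uri = URI(target)
  extra = URI.encode_www_form('state' => params['state']) if params['state']
  uri.query = [uri.query, extra].compact.join('&') if extra
  { action: :logout, redirect: uri.to_s }
end
```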