travisghansen / external-auth-server

easy auth for reverse proxies

No OIDC frontchannel logout when session_state is missing in the ID token

djbgeodan opened this issue

Hi Travis,

We use the OIDC plugin with an external IdP. This works great, except that the logout at the IdP does not take place when the logout handler is called. I think it is caused by the fact that the ID token does not contain the session_state claim. https://github.com/travisghansen/external-auth-server/blob/master/src/plugin/oauth/index.js#L1515C39-L1515C39

In the code there is the comment "TODO: this check may not be entirely needed/wanted". So my question is, can this condition be removed?

Regards, Dirk-Jan

Reading through some docs and RFCs I think it can be removed. It appears to me that the field in the ID token is not necessarily common (it may be a Keycloak-centric behavior) and has no direct tie to the logout functionality. It may be a hint that the provider actually supports logout but otherwise seems to have no bearing on the logout process.

I can make the change when I get a moment or you are welcome to submit a PR I can merge.

Can you test using the next image tag? It’s a mutable tag so make sure your cluster pulls the newest revision.

Thanks, I've tested it. It solves our logout issue.

I’ve just committed a small change in that same area of code. Can you pull the most recent next image and ensure everything still works as needed?

I've tested it. All seems to work fine.