OIDC RP-Initiated Logout endpoint Broken

[prohtex]

Describe the bug

The OIDC RP-Initiated Logout endpoint (/application/o//end-session/) is completely non-functional. It does not:

1. Invalidate the session - After hitting end-session, subsequent requests still show the user as authenticated
2. Create a logout event - No logout event appears in the events log
3. Honor post_logout_redirect_uri - Displays static "Logout successful" page regardless of valid redirect URI
4. Execute the invalidation flow - The configured default-provider-invalidation-flow is never triggered

How to reproduce

1. Log out
2. Plain page "Logout successful"
3. USER STILL LOGGED IN

• Static HTML page saying "Logout successful"
• Session remains valid
• No redirect
• No logout event

Expected behavior

• Session should be invalidated
  • User should be redirected to post_logout_redirect_uri if it matches registered redirect URIs
  • Logout event should be created

Screenshots

No response

Additional context

No response

Deployment Method

Docker

Version

2025.10.3

Relevant log output

Request to end-session:
  GET /application/o/<app>/end-session/?id_token_hint=<token>&post_logout_redirect_uri=https://myapp.example.com/
  status: 200
  user: "testuser"

  Immediately after, next request:
  user: "testuser"  ← still authenticated

  No logout event created. Compare to standard invalidation flow which correctly creates:
  {"action": "logout", "path": "/api/v3/flows/executor/default-invalidation-flow/"}

[PeshekDotDev]

Currently, this is intentional. However, we are exploring the possibility of implementing this as soon as within the next couple weeks

[prohtex]

Currently, this is intentional. However, we are exploring the possibility of implementing this as soon as within the next couple weeks

Intentional to not actually log the users out? None of my OCIS users can log out!

[PeshekDotDev]

Can you give me a breakdown of the situation? Our first thought is what users can still log out directly through authentik on the end session page and trigger OP/IDP initiated logout, so the functionality is still the same, it just requires one more button press

[PeshekDotDev]

Apologies @prohtex, it should be possible to add the user logout stage to the invalidation flow connected to your application and you should receive full single logout when logging out of that application. Is that the result you were looking for?

[prohtex]

Apologies @prohtex, it should be possible to add the user logout stage to the invalidation flow connected to your application and you should receive full single logout when logging out of that application. Is that the result you were looking for?

Hi @PeshekDotDev, thanks so much, can you provide any pointers for this? The app is OwnCloud/OCIS. Thank you.