providers/oauth: post_logout_redirect_uri support #20011

Open
PeshekDotDev wants to merge 15 commits into main from oidc-logout-current
PeshekDotDev commented Feb 4, 2026

Details

This adds proper support for post_logout_redirect_uri with OIDC logouts while largely improving the way we interact with RPs during RP-initiated logout. With this, we will:

  • Validate the post_logout_redirect_uri
  • Send a logout notification back to the RP via frontchannel or backchannel if properly configured on the provider
  • Delete the access token for the provider
  • Redirect you to the post_logout_redirect_uri location

closes #10430
closes #19201


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make docs)

PeshekDotDev self-assigned this Feb 4, 2026
PeshekDotDev requested a review from a team as a code owner February 4, 2026 09:33

netlify bot commented Feb 4, 2026

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 9f1fbfe
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/69b37dfcd7d59000088860cf
😎 Deploy Preview https://deploy-preview-20011--authentik-storybook.netlify.app

netlify bot commented Feb 4, 2026

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 149e05a
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/699d421384545a0008d83d0d
😎 Deploy Preview https://deploy-preview-20011--authentik-docs.netlify.app

netlify bot commented Feb 4, 2026

Deploy Preview for authentik-integrations ready!

Name Link
🔨 Latest commit 0535430
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/699d420b9a2e6c0008f6528e
😎 Deploy Preview https://deploy-preview-20011--authentik-integrations.netlify.app

codecov bot commented Feb 4, 2026

Codecov Report

❌ Patch coverage is 77.72021% with 43 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.42%. Comparing base (7d3aca9) to head (9f1fbfe).
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
authentik/flows/stage.py 25.00% 18 Missing ⚠️
authentik/providers/oauth2/utils.py 13.33% 13 Missing ⚠️
authentik/providers/oauth2/views/end_session.py 84.00% 8 Missing ⚠️
authentik/providers/oauth2/signals.py 33.33% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #20011      +/-   ##
==========================================
- Coverage   93.45%   93.42%   -0.04%     
==========================================
  Files         991      992       +1     
  Lines       55948    56112     +164     
==========================================
+ Hits        52285    52420     +135     
- Misses       3663     3692      +29     
Flag Coverage Δ
conformance 37.45% <18.65%> (-0.07%) ⬇️
e2e 42.98% <27.97%> (-0.06%) ⬇️
integration 22.22% <9.84%> (-0.05%) ⬇️
unit 91.60% <76.68%> (-0.01%) ⬇️
unit-migrate 91.69% <76.68%> (-0.01%) ⬇️


github-actions bot commented Feb 4, 2026

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9f1fbfec7a94175d4a3a159220b75ce3341d83c6
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-9f1fbfec7a94175d4a3a159220b75ce3341d83c6

Afterwards, run the upgrade commands from the latest release notes.

PeshekDotDev moved this from Todo to Needs review in authentik Core Feb 5, 2026
BeryJu changed the title from "OIDC post_logout_redirect_uri support" to "providers/oauth: post_logout_redirect_uri support" Feb 5, 2026
PeshekDotDev moved this from Needs review to In review in authentik Core Feb 6, 2026
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
PeshekDotDev and others added 3 commits February 24, 2026 00:15
Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
@mohammad-rj

We've been struggling with this for a while — post_logout_redirect_uri was completely ignored after RP-Initiated Logout, causing Authentik to fall back to the default authentication flow instead of redirecting back to the application.

After applying this patch via volume mount on 2026.2.0, the full logout flow finally works as expected:

  1. User logs out of Gitea
  2. nginx relays to Authentik's end-session endpoint with post_logout_redirect_uri
  3. Authentik clears the session (UserLogoutStage) and redirects back to Gitea's login page
  4. Next login requires full re-authentication — no silent auto-approve

One thing worth noting: the patch introduces RedirectURIType.LOGOUT to distinguish logout redirect URIs from authorization ones. Existing redirect_uris entries default to authorization type, so any post_logout_redirect_uri you want to allow must be explicitly set to logout type. This isn't documented anywhere yet — would be good to call it out in the release notes or admin UI.

Thanks for pushing this forward. This is a real gap that affects anyone using RP-Initiated Logout with OIDC clients.
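
The type distinction described in the comment above, as an added Python example (not code from this pull request or from authentik). `URIType`, `RegisteredURI`, `resolve_post_logout_redirect` and the Gitea URLs are hypothetical; exact matching, the http/https restriction and returning `None` for a rejected URI are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class URIType(Enum):  # hypothetical stand-in for the PR's RedirectURIType
    AUTHORIZATION = "authorization"
    LOGOUT = "logout"


@dataclass(frozen=True)
class RegisteredURI:  # hypothetical model of one redirect_uris entry
    url: str
    type: URIType = URIType.AUTHORIZATION  # entries without a type count as authorization


def _parts(uri):
    """Return comparable URL components, or None if the URI must be rejected."""
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:  # assumption: web RPs only
        return None
    if p.username or p.password or p.fragment:
        return None
    return (p.scheme, p.hostname.lower(), port, p.path or "/", p.query)


def resolve_post_logout_redirect(requested, registered):
    """Return the registered URI to redirect to, or None to stay on the IdP."""
    if not requested or any(c in requested for c in "\r\n\t\\"):
        return None
    wanted = _parts(requested)
    if wanted is None:
        return None
    for entry in registered:
        # Authorization-typed entries never authorize a logout redirect.
        if entry.type is URIType.LOGOUT and _parts(entry.url) == wanted:
            return entry.url  # redirect to the stored value, not the request's string
    return None


# Constructed sample configuration for a Gitea client (not taken from the PR)
PROVIDER_URIS = [
    RegisteredURI("https://gitea.example.com/user/oauth2/authentik/callback"),
    RegisteredURI("https://gitea.example.com/user/login", URIType.LOGOUT),
]
```

With this configuration the login page is accepted as a logout target, while the OAuth callback, although registered, is refused because its entry is of authorization type.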

Projects

Status: In review

Development

Successfully merging this pull request may close these issues.

  • Setting next or post_logout_redirect_uri properly?
  • OIDC RP-Initiated Logout endpoint Broken

3 participants