From 6f9294dc1e17f528f7d9d60b26aa9cb7ba530495 Mon Sep 17 00:00:00 2001
From: aymericcousaert
Date: Fri, 27 Mar 2026 16:23:31 +0100
Subject: [PATCH] feat: support oidc rp-initiated logout in session

Handle endSessionUrl from simple-directory DELETE /auth/ response. When present, redirect to the SSO end_session_endpoint to terminate the provider session. Falls back to existing behavior for non-OIDC users.
---
 packages/vue/session.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/packages/vue/session.ts b/packages/vue/session.ts
index dbe62db..7efb8f1 100644
--- a/packages/vue/session.ts
+++ b/packages/vue/session.ts
@@ -310,14 +310,19 @@ export async function getSession (initOptions: Partial): Promise
 goTo(loginUrl(redirect, extraParams, immediateRedirect))
 }
 const logout = async (redirect?: string) => {
- await customFetch(`${options.directoryUrl}/api/auth`, { method: 'DELETE' })
+ const response = await customFetch(`${options.directoryUrl}/api/auth`, { method: 'DELETE' }) as { endSessionUrl?: string } | undefined
 // sometimes server side cookie deletion is not applied immediately in browser local js context
 // so we do it here to
 cookies.remove('id_token')
 cookies.remove('id_token_org')
 cookies.remove('id_token_dep')
 cookies.remove('id_token_role')
- goTo(redirect ?? options.logoutRedirectUrl ?? null)
+ // RP-Initiated Logout: if the server returned an endSessionUrl, redirect to the SSO logout
+ if (response?.endSessionUrl) {
+ goTo(response.endSessionUrl)
+ } else {
+ goTo(redirect ?? options.logoutRedirectUrl ?? null)
+ }
 }

 const switchOrganization = (org: string | null, dep?: string, role?: string, updateState = true) => {
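Review bot: `goTo(response.endSessionUrl)` navigates to a value taken from the DELETE response body without any check, and the `as { endSessionUrl?: string } | undefined` cast asserts its shape only at compile time. `goTo` is not visible in this hunk; if it assigns to `window.location`, a value with a scheme other than http(s) would be interpreted in the application's own origin, so the branch should parse the value first, e.g. `const target = typeof response?.endSessionUrl === 'string' ? new URL(response.endSessionUrl, window.location.href) : undefined` then `if (target?.protocol === 'https:') goTo(target.href)` (allowing `http:` only for local development), falling through to the existing redirect otherwise. Where the identity provider's origin is available from configuration, comparing `target.origin` against it would narrow this further. The OIDC branch also drops the caller's `redirect` and `options.logoutRedirectUrl`, so the post-logout landing page presumably depends on the server encoding a `post_logout_redirect_uri` into `endSessionUrl`; a comment on the `if` stating that assumption would help the next reader.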