Be able to call logout on the OIDC provider

doc/integrator/authentication_oidc.rst

@@ -80,6 +80,8 @@ Other options
 
 ``client_secret``: The secret of the client.
 
+``logout``: If ``true``, the logout is called on the OIDC provider, default is ``false``.
+
 ``trusted_audiences``: The list of trusted audiences, if the audience provided by the id-token is not in
   this list, the ``ID token`` will be rejected.
 

geoportal/c2cgeoportal_geoportal/scaffolds/update/{{cookiecutter.project}}/geoportal/CONST_config-schema.yaml

@@ -241,6 +241,9 @@ mapping:
                 type: seq
                 sequence:
                   - type: str
+              logout:
+                type: bool
+                default: false
               provide_roles:
                 type: bool
                 default: false

geoportal/c2cgeoportal_geoportal/views/login.py

@@ -38,6 +38,7 @@
 import pyotp
 import pyramid.request
 import pyramid.response
+import requests
 from pyramid.httpexceptions import (
     HTTPBadRequest,
     HTTPForbidden,
@@ -298,6 +299,15 @@ def logout(self) -> pyramid.response.Response:
                 client.revoke_token(user_info["access_token"])
                 if user_info.get("refresh_token") is not None:
                     client.revoke_token(user_info["refresh_token"])
+            if self.authentication_settings.get("openid_connect", {}).get("logout", False):
+                response = requests.get(client.initiate_logout(), auth=client.client_auth)
+                if not response.ok:
+                    _LOG.error(
+                        "Error during logout from OpenID Connect, code %s %s:\n%s",
+                        response.status_code,
+                        response.reason,
+                        response.text,
+                    )
 
         headers = forget(self.request)