Correct OIDC logout to properly support Keycloak

[teunis90]

Keycloak expects these two values:

post_logout_redirect_uri (and not redirect_uri)
id_token_hint (which is recommended by the spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html, but required by keycloak)

Tested on Keycloak version: 20.0.5

Fixes #1222

[AgentTNT]

If Local DB access is still enabled and a user goes to logout, they will hit an error as this value is not defined for their session

[teunis90]

@AgentTNT, can you reproduce the not-defined error? What do you suggest?

[AgentTNT]

if 'oidc_token' in session and oidc_logout: id_token_hint = session.get('oidc_token').get('id_token') redirect_uri = "{}?post_logout_redirect_uri={}&id_token_hint={}".format( oidc_logout, url_for('index.login', _external=True), id_token_hint)

This makes powerdns-admin redirect to the keycloak or other OIDC logout endpoint first, then get redirected back to the login page, fully logging out all OIDC session cookies within the browser whereas before the IDP was still staying signed in and not allowing users to login with new creds when clicking the OIDC login

[teunis90]

I'll update the PR with your suggestion.

[AzorianMatt]

@teunis90 the time is nearing quickly for me to make the final version release of this edition of PDA. If you would like to see this make it in, I would recommend getting that last change request implemented very soon. Thanks!

[github-actions]

This PR has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further action is taken. Please see our Contribution Guide.

[github-actions]

This PR has been automatically closed due to lack of activity.