OpenID-Connect: Support RP-Initiated Logout - Logout also from OIDC-Provider #5433

@Timo-1979

Confirmation

  • I checked this request against the roadmap and existing issues

What Problem Does This Solve and Why Is It Valuable?

I've configured login to photoprism via KeyCloak (OIDC). But if I log out from photoprism, I'm still logged in to KeyCloak (only the photoprism-session is killed, but not the KeyCloak-session).

I'm redirected to the login screen of photoprism, and when I click to log in via KeyCloak, I'm logged in to photoprism again without entering any credentials.

The user must remember to logout manually from KeyCloak to be completely logged out.

What Solution Would You Like?

Add a Configuration-Parameter: PHOTOPRISM_OIDC_LOGOUT_URI

The flow should be something like this:

  • User clicks on "LogOut"
  • check whether the session was logged in via OIDC
  • photoprism-session will be destroyed
  • if the session was using OIDC login and PHOTOPRISM_OIDC_LOGOUT_URI was set:
    • redirect to the URL specified by PHOTOPRISM_OIDC_LOGOUT_URI
  • otherwise redirect to the photoprism login screen

What Alternatives Have You Considered?

Reverse-Proxy-Authentication (needs a reverse proxy to be installed, maybe additional plugin(s) installed or the oauth2-proxy used, and the reverse proxy configured to redirect the correct requests to it).
But this looks complex just for a home-lab.

Additional Context

Information about RP-Initiated Logout at openid.net
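
The redirect decision from the requested flow, as an added Go example that is not PhotoPrism's code and not part of the original issue. The `Session` type, `LogoutRedirect` and all URLs are hypothetical; the query parameters `id_token_hint`, `post_logout_redirect_uri` and `state` are those defined by OpenID Connect RP-Initiated Logout 1.0, and the caller is assumed to have destroyed the local session already.

```go
package main

import (
	"fmt"
	"net/url"
)

// Session is a hypothetical stand-in for the application's session record.
type Session struct {
	Provider string // "oidc" or "local" (assumed values)
	IDToken  string // ID token kept from the OIDC login, sent as id_token_hint
}

// LogoutRedirect returns where the browser should go after the local session
// has been destroyed. logoutURI plays the role of PHOTOPRISM_OIDC_LOGOUT_URI,
// loginURL is the application's own login screen.
func LogoutRedirect(s Session, logoutURI, loginURL, state string) string {
	if s.Provider != "oidc" || logoutURI == "" {
		return loginURL
	}
	u, err := url.Parse(logoutURI)
	// Reject relative, non-HTTPS or fragment-carrying endpoints and fall
	// back to the local login screen instead of redirecting somewhere odd.
	if err != nil || u.Scheme != "https" || u.Host == "" || u.Fragment != "" {
		return loginURL
	}
	q := u.Query() // keep query parameters already present on the endpoint
	if s.IDToken != "" {
		q.Set("id_token_hint", s.IDToken)
		// The provider only honours this if it is registered for the client.
		q.Set("post_logout_redirect_uri", loginURL)
		q.Set("state", state) // echoed back so the return can be matched
	}
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	// Constructed sample values, not taken from the issue.
	s := Session{Provider: "oidc", IDToken: "eyJ.constructed.token"}
	fmt.Println(LogoutRedirect(s, "https://idp.example/realms/home/logout",
		"https://photos.example/library/login", "c29tZS1zdGF0ZQ"))
}
```

Without a stored ID token the example sends no `post_logout_redirect_uri`, so the user ends on the provider's own logout page rather than being sent back.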


Labels: auth (User Account Management and Authentication), idea (Feedback wanted / feature request)
