Add logout function for OpenIDConnect

Author: Stefan Weil

module/VuFind/src/VuFind/Auth/OpenIDConnect.php

@@ -272,6 +272,10 @@ public function authenticate($request): UserEntityInterface
 
         $accessToken = $request_token->access_token;
         $userInfo = $this->getUserInfo($accessToken);
+
+        // Store id_token in session for logout
+        $this->session->oidc_id_token = $request_token->id_token;
+
         return $this->setUserAttributes($userInfo);
     }
 
@@ -360,6 +364,40 @@ public function getSessionInitiator($target): bool|string
         return $this->getProvider()->authorization_endpoint . '?' . http_build_query($params);
     }
 
+    /**
+     * Perform cleanup at logout time.
+     *
+     * @param string $url URL to redirect user to after logging out.
+     *
+     * @return string Redirect URL (modified for OpenIDConnect logout).
+     */
+    public function logout($url)
+    {
+        $redirectUrl = $url;
+
+        // Retrieve id_token from session
+        $idToken = $this->session->oidc_id_token ?? null;
+        if ($idToken === null) {
+            $this->logWarning('No id_token found in session data');
+        } else {
+            // Get end_session_endpoint from provider
+            $provider = $this->getProvider();
+            if (empty($provider->end_session_endpoint)) {
+                $this->logWarning('No end_session_endpoint found in provider metadata');
+            } else {
+                $logoutUrl = $provider->end_session_endpoint;
+                $params = [
+                    'id_token_hint' => $idToken,
+                    'post_logout_redirect_uri' => $url,
+                ];
+                $redirectUrl = $logoutUrl . '?' . http_build_query($params);
+            }
+        }
+
+        // Send back the redirect URL (possibly modified):
+        return $redirectUrl;
+    }
+
     /**
      * Obtain an access token from a code.
      *