Enhancement: Add OIDC Logout Redirect

[nagug]

What happened?

Issue Description:
A potential security vulnerability is observed in the logout process when using LibreChat with Authentik as the authentication provider. The current logout flow does not properly terminate the user's Authentik session or giving an option to terminate the session, posing potential risks.

Expected Workflow:

1. User initiates logout.
2. Application logs out the user.
3. Redirects to auth.domain.com/if/flow/default-provider-invalidation-flow.

User is given clear options to either log out of Authentik or return to the application, ensuring their session is fully terminated if they choose.

Current Workflow:

User initiates logout.

1. Application logs out the user.
2. Redirects to https://librechat-domain/login..
3. Upon attempting to log in using OIDC (Authentik), the user is authenticated without requiring credentials, indicating an active session remains.

Potential Security Risks:

Session Persistence: The Authentik session remains active post-application logout, allowing potential unauthorized access if the user doesn't explicitly log out. (User might not be aware of this)
Public Computer Exposure: Users on public devices may close the browser, unaware their session persists, risking data security.
Unrestricted Access: Subsequent logins occur without credentials, bypassing essential security checks.

Impact:
This could lead to unauthorized access, especially in shared environments. The lack of explicit redirect to Authentik could be potentially dangerous.

Steps to Reproduce

1. Setup OIDC only authentication using Authentik (might be the same for other as well is my guess)
2. Application logs out the user
3. Redirects to https://librechat-domain/login.
4. Upon attempting to log in using OIDC (Authentik), the user is authenticated without requiring credentials, indicating an active session remains.

I have given screenshots for expected redirection and current.

What browsers are you seeing the problem on?

No response

Relevant log output

Screenshots

This is current redirection on logout from Librechat

This is Expected redirection on logout (Observed in other applications such as audiobookshelf, Freshnews etc.)

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Thank you for your detailed report and bringing this to my attention. However, I want to clarify that this is actually the expected behavior with OIDC (OpenID Connect) and not a vulnerability. What you're describing is standard single sign-on (SSO) functionality.

Let me explain why:

1. This is a core feature of SSO systems:

   • When you log out of LibreChat, you're only logging out of LibreChat specifically
   • The Authentik (IDP) session intentionally remains active to maintain SSO capabilities across multiple applications

2. This behavior is similar to how Google Sign-In and other major SSO providers work:

   • For example, logging out of a Google-connected application doesn't log you out of Google itself
   • You need to explicitly log out of Google if you want to terminate the master session

However, you raise two valid points that we can consider improving:

1. For shared computers, we should better communicate that users need to log out of OIDC (Authentik) as well
2. I've marked this as an "Enhancement" request, since it could be an option to redirect the user to logout of OIDC

[danny-avila]

Doing more research on this, it's possible end_session_endpoint can be utilized if provided by issuer and I'm continuing to research examples.

[nagug]

Valid point regarding google. But whe using less used OIDC providers, user might no remember this.

Regarding the propose solution.
IMO end_session_endpoint is the right approach for this. That ensures the session ending is also being handed over to the session initiation system (if i can say so)

[danny-avila]

@nagug I'm working on something for this, hope to finish it today

[danny-avila]

#5626