OpenID-Connect: Support RP-Initiated Logout - Logout also from OIDC-Provider #2476

Open
opened 2026-02-20 01:12:08 -05:00 by deekerman · 0 comments
Owner

Originally created by @Timo-1979 on GitHub (Jan 28, 2026).

Confirmation

  • I checked this request against the roadmap and existing issues

What Problem Does This Solve and Why Is It Valuable?

I've configured login to photoprism via KeyCloak (OIDC). But if I log out from photoprism, I'm still logged in to KeyCloak (only the photoprism session is killed, but not the KeyCloak session).

I'm redirected to the login screen of photoprism, and on clicking to log in via keycloak, I'm logged in to photoprism again without entering any credentials.

The user must remember to log out manually from KeyCloak to be completely logged out.

What Solution Would You Like?

Add a configuration parameter: PHOTOPRISM_OIDC_LOGOUT_URI

The flow should be something like this:

  • User clicks on "LogOut"
  • check whether the session was logged in via oidc
  • the photoprism session will be destroyed
  • if the session was using oidc login and PHOTOPRISM_OIDC_LOGOUT_URI was set:
    • redirect to the url specified by PHOTOPRISM_OIDC_LOGOUT_URI
  • otherwise redirect to the photoprism login screen

What Alternatives Have You Considered?

Reverse-proxy authentication (needs a reverse proxy to be installed, maybe additional plugin(s) to be installed, or oauth2-proxy to be used, with the reverse proxy configured to redirect the correct requests to it).
But this looks complex just for a home lab.

Additional Context

Information about RP-Initiated Logout at openid.net: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
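
The requested flow, sketched as an added example in Go (not PhotoPrism code and not part of the original issue). `Session` and `LogoutTarget` are hypothetical names; the query parameters are those defined by OpenID Connect RP-Initiated Logout 1.0, and all hosts and tokens are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
)

// Session is a hypothetical stand-in for an application session record.
type Session struct {
	Provider string // "oidc" or "local"
	IDToken  string // raw ID token kept from login, sent as id_token_hint
}

// LogoutTarget returns where to send the browser once the local session has
// been destroyed. logoutURI is the value of the proposed
// PHOTOPRISM_OIDC_LOGOUT_URI setting, i.e. the provider's end_session_endpoint.
func LogoutTarget(s Session, logoutURI, clientID, loginURL, state string) string {
	if s.Provider != "oidc" || logoutURI == "" {
		return loginURL // local session or option unset: plain login screen
	}
	u, err := url.Parse(logoutURI)
	// The spec requires https for end_session_endpoint; on a bad value this
	// example falls back to the local login screen (a design choice here).
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return loginURL
	}
	q := u.Query()
	if s.IDToken != "" {
		// Tells the provider which end-user session the request refers to.
		q.Set("id_token_hint", s.IDToken)
	}
	q.Set("client_id", clientID)
	// Must be registered with the provider for this client, otherwise the
	// provider will not redirect back after logout.
	q.Set("post_logout_redirect_uri", loginURL)
	// Opaque value the app verifies when the browser returns.
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String()
}

func main() {
	s := Session{Provider: "oidc", IDToken: "eyJ.constructed.token"} // constructed
	fmt.Println(LogoutTarget(s, "https://idp.example/logout", "photoprism",
		"https://photos.example/library/login", "c29tZS1zdGF0ZQ"))
}
```

The local session is destroyed before the redirect, so an unreachable provider still leaves the user signed out of the application.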
