From b1020062b02dbfa11695528901baa40bf94da43a Mon Sep 17 00:00:00 2001 From: Alpinux Date: Sun, 3 May 2026 20:43:10 +0200 Subject: [PATCH] =?UTF-8?q?fix:=20logout=20SSO=20=E2=80=94=20redirige=20ve?= =?UTF-8?q?rs=20l'endpoint=20end=5Fsession=20d'AlpID?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit session.clear() seul ne déconnectait pas la session Keycloak, provoquant une reconnexion automatique immédiate. Co-Authored-By: Claude Sonnet 4.6 --- app/app.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/app/app.py b/app/app.py index 586a2fc..7fb7b9b 100644 --- a/app/app.py +++ b/app/app.py @@ -5,6 +5,8 @@ import threading from pathlib import Path from datetime import datetime +from urllib.parse import urlencode + from flask import (Flask, redirect, url_for, session, request, render_template, abort, send_from_directory, jsonify) from authlib.integrations.flask_client import OAuth @@ -27,6 +29,9 @@ oauth.register( ADMIN_GROUPS = set(os.environ.get("ADMIN_GROUPS", "admins").split(",")) ADMIN_EMAILS = set(e.strip() for e in os.environ.get("ADMIN_EMAILS", "").split(",") if e.strip()) ASSETS_ROOT = Path(os.environ.get("ASSETS_ROOT", ".")).resolve() + +_alpid_base = os.environ["ALPID_DISCOVERY_URL"].split("/.well-known/")[0] +ALPID_LOGOUT_URL = _alpid_base + "/protocol/openid-connect/logout" STATS_FILE = Path(os.environ.get("STATS_FILE", "/opt/static-cdn/goaccess.html")) STATS_JSON = Path(os.environ.get("STATS_JSON", "/opt/static-cdn/goaccess.json")) STATS_LOG_FILE = os.environ.get("STATS_LOG_FILE", "") 
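Review bot: `ALPID_LOGOUT_URL` in the second hunk is derived by splitting `ALPID_DISCOVERY_URL` on `/.well-known/` and appending a hard-coded Keycloak path. If the variable ever lacks that marker, `split(...)[0]` returns the whole URL and every logout redirects to a wrong address without any error at startup. The discovery document publishes the correct value as `end_session_endpoint`, so reading it from the registered client's server metadata (authlib exposes `load_server_metadata()` on the client) would avoid the string surgery and survive a provider path change. If the constant is kept, add a startup guard such as `if "/.well-known/" not in os.environ["ALPID_DISCOVERY_URL"]: raise RuntimeError("ALPID_DISCOVERY_URL must be an OIDC discovery URL")`, plus a comment such as `# Keycloak end_session endpoint; must match end_session_endpoint in the discovery document`.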
@@ -159,13 +164,18 @@ def callback(): "email": email, "is_admin": is_admin, } + session["id_token"] = token.get("id_token", "") return redirect(session.pop("next_url", url_for("dashboard"))) @app.route("/auth/logout") def logout(): + id_token = session.get("id_token") session.clear() - return redirect(url_for("dashboard")) + params = {"post_logout_redirect_uri": url_for("dashboard", _external=True)} + if id_token: + params["id_token_hint"] = id_token + return redirect(ALPID_LOGOUT_URL + "?" + urlencode(params)) # ── Dashboard ─────────────────────────────────────────────────────────
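Review bot: In `logout()`, when `id_token` is empty (for example a session created before this change), the redirect carries `post_logout_redirect_uri` with neither `id_token_hint` nor `client_id`. OIDC RP-initiated logout lets the provider refuse the redirect in that case, and recent Keycloak releases appear to, so the user would likely end on an IdP error page; adding `params["client_id"] = <CLIENT_ID>` (the id passed to `oauth.register`, not visible here) in an `else:` branch covers it. Separately, `session["id_token"] = token.get("id_token", "")` in `callback()`, whose body starts outside the hunk, stores the raw token in the Flask session. With Flask's default cookie sessions that value is signed but not encrypted, so the claims are readable in the browser and a token with many group claims can push the cookie past the roughly 4 KB limit; if no server-side session store is configured, consider one. Since this GET route now ends the whole SSO session rather than only the local one, it is also worth restricting it to `methods=["POST"]` with a CSRF token so a cross-site request cannot trigger it.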