fix: logout SSO — redirige vers l'endpoint end_session d'AlpID

session.clear() seul ne déconnectait pas la session Keycloak,
provoquant une reconnexion automatique immédiate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/app.py

@@ -5,6 +5,8 @@ import threading
 from pathlib import Path
 from datetime import datetime
 
+from urllib.parse import urlencode
+
 from flask import (Flask, redirect, url_for, session, request,
                    render_template, abort, send_from_directory, jsonify)
 from authlib.integrations.flask_client import OAuth
@@ -27,6 +29,9 @@ oauth.register(
 ADMIN_GROUPS = set(os.environ.get("ADMIN_GROUPS", "admins").split(","))
 ADMIN_EMAILS = set(e.strip() for e in os.environ.get("ADMIN_EMAILS", "").split(",") if e.strip())
 ASSETS_ROOT  = Path(os.environ.get("ASSETS_ROOT", ".")).resolve()
+
+_alpid_base    = os.environ["ALPID_DISCOVERY_URL"].split("/.well-known/")[0]
+ALPID_LOGOUT_URL = _alpid_base + "/protocol/openid-connect/logout"
 STATS_FILE         = Path(os.environ.get("STATS_FILE",         "/opt/static-cdn/goaccess.html"))
 STATS_JSON         = Path(os.environ.get("STATS_JSON",         "/opt/static-cdn/goaccess.json"))
 STATS_LOG_FILE     = os.environ.get("STATS_LOG_FILE",     "")
@@ -159,13 +164,18 @@ def callback():
         "email":    email,
         "is_admin": is_admin,
     }
+    session["id_token"] = token.get("id_token", "")
     return redirect(session.pop("next_url", url_for("dashboard")))
 
 
 @app.route("/auth/logout")
 def logout():
+    id_token = session.get("id_token")
     session.clear()
-    return redirect(url_for("dashboard"))
+    params = {"post_logout_redirect_uri": url_for("dashboard", _external=True)}
+    if id_token:
+        params["id_token_hint"] = id_token
+    return redirect(ALPID_LOGOUT_URL + "?" + urlencode(params))
 
 
 # ── Dashboard ─────────────────────────────────────────────────────────