Add logout redirect

ZohebShaikh · ZohebShaikh · commit 23f8ae24c22f · 2025-08-14T15:56:29.000+01:00
diff --git a/docs/how-to/authenticate.md b/docs/how-to/authenticate.md
@@ -63,3 +63,9 @@ To log out and securely remove the cached access token, follow these steps:
    ```
    Logged out
    ```
+
+
+> [!NOTE]
+> The login and logout instructions above apply to the CLI. If you are using `oauth2-proxy` to secure the Swagger
+> UI documentation page, you can log out by visiting the `/logout` URL. For other OIDC providers, update the 
+> `oidc.logout_redirect_endpoint` configuration to the appropriate logout endpoint.
diff --git a/src/blueapi/config.py b/src/blueapi/config.py
@@ -162,6 +162,9 @@ class OIDCConfig(BlueapiBaseModel):
     )
     client_id: str = Field(description="Client ID")
     client_audience: str = Field(description="Client Audience(s)", default="blueapi")
+    logout_redirect_endpoint: str = Field(
+        description="The oidc endpoint required to logout", default="/oauth2/sign_out"
+    )
 
     @cached_property
     def _config_from_oidc_url(self) -> dict[str, Any]:
diff --git a/src/blueapi/service/main.py b/src/blueapi/service/main.py
@@ -17,6 +17,7 @@
     status,
 )
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2AuthorizationCodeBearer
 from observability_utils.tracing import (
     add_span_attributes,
@@ -534,6 +535,18 @@ def health_probe() -> HealthProbeResponse:
     return HealthProbeResponse(status=Health.OK)
 
 
+@secure_router.get("/logout", status_code=status.HTTP_200_OK, include_in_schema=False)
+def logout(runner: Annotated[WorkerDispatcher, Depends(_runner)]) -> RedirectResponse:
+    """Redirect to logout url"""
+    config = runner.run(interface.get_oidc_config)
+    if config is None:
+        raise HTTPException(status_code=status.HTTP_204_NO_CONTENT)
+    return RedirectResponse(
+        url=config.logout_redirect_endpoint,
+        headers={"X-Auth-Request-Redirect": config.end_session_endpoint},
+    )
+
+
 @start_as_current_span(TRACER, "config")
 def start(config: ApplicationConfig):
     import uvicorn

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,9 @@ class OIDCConfig(BlueapiBaseModel):`
`162`	`162`	`)`
`163`	`163`	`client_id: str = Field(description="Client ID")`
`164`	`164`	`client_audience: str = Field(description="Client Audience(s)", default="blueapi")`
	`165`	`+ logout_redirect_endpoint: str = Field(`
	`166`	`+ description="The oidc endpoint required to logout", default="/oauth2/sign_out"`
	`167`	`+ )`
`165`	`168`
`166`	`169`	`@cached_property`
`167`	`170`	`def _config_from_oidc_url(self) -> dict[str, Any]:`