Sign out proxy app and then automatically the same with authentik #3471

Open
iachaly opened this issue Aug 24, 2022 · 2 comments
Labels
question Further information is requested

Comments


iachaly commented Aug 24, 2022

Describe your question
I'm testing authentik with traefik middleware. It works fine, thanks a lot BeryJu!
However, there is an important question about configuring the logout. In the standard configuration, executing outpost.goauthentik.io/sign_out does not log out from authentik. That looks predictable with the explicit authorization flow. With the implicit one it is misleading:

To Reproduce

0. Log in to the proxy app
1. Go to proxy app /outpost.goauthentik.io/sign_out
2. Do NOT click on 'log out of authentik'
3. Go to another proxy app page

As a result, we are automatically logged in again (of course, we refresh traefik middleware and we see it when explicit).

My task requires that a proxy logout is automatically followed by an authentik logout. There is a solution with redirection to /flows/-/default/invalidation/ in the web page... However, I would like a best-practice solution. Perhaps there is a hook or some way of modifying the flow?

Version and Deployment (please complete the following information):
Settings are the standard configs. Domain-level proxy is configured. Authentik version 2022.7.3, traefik 2.6, docker-compose latest official repo.

Additional context
A similar case may be #2023, and in my case I would like to automate the process discussed there #1113#issuecomment-874715284

iachaly added the question (Further information is requested) label Aug 24, 2022

theyo-tester commented Feb 26, 2024

Hi!

First of all, thank you for the great piece of art @BeryJu!
And second, good to see that I'm not the only one struggling with the log-out issue 😅

Even though a call to /flows/-/default/invalidation/ would log out from authentik, it would log out from all other applications too! Because you can call the invalidation flow only on the Authentik subdomain, which is, of course, to be expected.

What I just discovered is that even if I have defined two single app forward auth providers, I am automatically logged in on both apps if I just log in to one of them! But this is maybe the expected behavior if the user has been granted access to both applications?

So this could mean that a single app log-in and -out is not even possible......? This would speak in some sense for the SSO definition.
But then I don't see the argument for "single app auth" vs. "domain level forward auth", or am I missing something here?

And let's say that the /outpost.goauthentik.io/sign_out path is just the confirmation page for log-out, and not the final log out, then at least the text on the logout page (You've logged out of <App Name>) should be modified, because it makes you believe that you are already logged out.

On the other hand, if only the log out of the whole Authentik is possible (atm at least), then this should be clearly specified somewhere. A single app log-out option for this matter is useless (if not even confusing) in the first place. Sorry, I don't want to seem harsh when I share my thoughts on this, I just want Authentik to get better, because it has a lot of potential :)

Given that my assumptions are true, of course. Maybe I've missed something.....🤔

BR
Teo


ksaadDE commented May 15, 2024

Opened a discussion on this #9737
