Summary
Postal supports OpenID Connect login, but there is no implementation for OIDC logout.
After reviewing the official documentation, the config file, and the Postal source code,
there is no option related to:
- OIDC logout
- end_session_endpoint
- post_logout_redirect_uri
- id_token_hint
- global SSO logout
As a result, Postal logs the user out locally only, and does not end the session at the Identity Provider (Keycloak in my case).
Impact
Users who click "Logout" in Postal:
- remain logged in on the identity provider (Keycloak),
- can immediately re-login without entering credentials,
- cannot terminate their SSO session,
- experience broken/partial SSO behavior.
This is a security and UX problem for all OIDC setups.
Expected behavior
Postal should support OIDC RP-Initiated Logout by:
- Reading the end_session_endpoint from OIDC discovery.
- Redirecting users to:
  end_session_endpoint?post_logout_redirect_uri=…&id_token_hint=…
- Allowing configuration such as:
  oidc:
    rp_logout_enabled: true
    post_logout_redirect_uri: https://postal.xxxxxx.com
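The two steps above (read end_session_endpoint from discovery, then redirect with id_token_hint and post_logout_redirect_uri) as an added Ruby example. This is illustration code, not Postal's code and not from the issue author; the discovery document, hostnames, token value and the function names `end_session_endpoint` / `build_rp_logout_url` are constructed for the example. It also shows the two checks a relying party should keep on its side: fall back to local-only logout when the IdP advertises no end_session_endpoint, and only send a post_logout_redirect_uri that is on the RP's own configured allowlist (the IdP validates it too, but the RP should never build the redirect from untrusted input).

```ruby
# Added example, not Postal's code: build an OIDC RP-Initiated Logout
# redirect from the provider's discovery document. All names and sample
# values below are constructed for illustration.
require 'json'
require 'uri'

# Constructed sample of what GET <issuer>/.well-known/openid-configuration
# returns (Keycloak-style paths); only the fields this example needs.
SAMPLE_DISCOVERY_JSON = <<~JSON
  {
    "issuer": "https://idp.example.test/realms/postal",
    "authorization_endpoint": "https://idp.example.test/realms/postal/protocol/openid-connect/auth",
    "end_session_endpoint": "https://idp.example.test/realms/postal/protocol/openid-connect/logout"
  }
JSON

# Extract end_session_endpoint from the discovery document.
# Returns nil when the IdP does not advertise one, in which case the RP can
# only log out locally and should say so rather than pretend SSO ended.
def end_session_endpoint(discovery_json)
  doc = JSON.parse(discovery_json)
  ep = doc['end_session_endpoint']
  return nil if ep.nil? || ep.empty?
  uri = URI.parse(ep)
  # The id_token_hint travels in the query string, so refuse plain http.
  return nil unless uri.is_a?(URI::HTTPS)
  ep
end

# Build the redirect URL for RP-Initiated Logout.
#   id_token:                 the ID token issued at login; sent as id_token_hint
#                             so the IdP knows which session to terminate
#   post_logout_redirect_uri: where the IdP sends the browser afterwards; must be
#                             one of the RP's configured values (allowed_redirects)
#   state:                    opaque value the IdP echoes back so the RP can
#                             recognise the return leg
# Returns nil when the IdP offers no end_session_endpoint.
def build_rp_logout_url(discovery_json, id_token:, post_logout_redirect_uri:,
                        allowed_redirects:, state: nil)
  endpoint = end_session_endpoint(discovery_json)
  return nil if endpoint.nil?

  unless allowed_redirects.include?(post_logout_redirect_uri)
    raise ArgumentError, 'post_logout_redirect_uri is not in the configured allowlist'
  end

  params = {
    'id_token_hint' => id_token,
    'post_logout_redirect_uri' => post_logout_redirect_uri
  }
  params['state'] = state if state

  uri = URI.parse(endpoint)
  # Keep any query string the IdP already placed on the endpoint.
  existing = uri.query ? URI.decode_www_form(uri.query) : []
  uri.query = URI.encode_www_form(existing + params.to_a)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed usage: the value the RP would put in a 302 Location header.
  puts build_rp_logout_url(
    SAMPLE_DISCOVERY_JSON,
    id_token: 'eyJ.constructed.token',
    post_logout_redirect_uri: 'https://postal.example.test/login',
    allowed_redirects: ['https://postal.example.test/login'],
    state: 'abc123'
  )
end
```

In a Rails controller the result would be passed to `redirect_to` after the local session is cleared; the allowlist would come from the `oidc:` configuration block proposed above, and the ID token must have been kept from the login callback, since without it the IdP cannot match the request to the user's session.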
Why this matters
- All major IdPs (Keycloak, Azure AD, Auth0, Okta, Google) rely on RP-Initiated Logout.
- Postal cannot be properly integrated into enterprise SSO without this.
- Session security and compliance require full logout across all apps.
Environment
- Postal version: latest / master
- Deployment: Kubernetes + OIDC (Keycloak)
- OIDC Provider: Keycloak 24+
Request
Please add OIDC logout support (RP-Initiated Logout).
I can help test any PR or development build.
vmrm