Signout should end auth server session when using well known endpoint

[pdevito3]

Currently, when setting up next-auth with OIDC with a code flow using PKCE, I can to do something like this:

export const authOptions: NextAuthOptions = {
  providers: [
    {
      id: "myKey",
      name: "Paul's Key",
      type: "oauth",
      wellKnown: "http://localhost:3255/auth/realms/DevRealm/.well-known/openid-configuration",
      authorization: { params: { scope: "openid email profile recipe_management" } },
      idToken: true,
      checks: ["pkce", "state"],
        clientId: "recipe_management.next",
        clientSecret: "myguid",
      profile(profile) {
        return {
          id: profile.sub,
          name: profile.name,
          email: profile.email,
          image: profile.picture,
        }
      },
    }
  ],
  theme: {
    colorScheme: "light",
  },
}

This is fine as a base, but in practice you really need more to be able to use this. For instance, logging out does not end your session from your auth server and you need to update it to something more like this:

export const authOptions: NextAuthOptions = {
  // https://next-auth.js.org/configuration/providers/oauth
  providers: [
    {
      id: "myKey",
      name: "Paul's Key",
      type: "oauth",
      wellKnown: "http://localhost:3255/auth/realms/DevRealm/.well-known/openid-configuration",
      authorization: { params: { scope: "openid email profile recipe_management" } },
      idToken: true,
      checks: ["pkce", "state"],
        clientId: "recipe_management.next",
        clientSecret: "974d6f71-d41b-4601-9a7a-a33081f82188",
      profile(profile) {
        return {
          id: profile.sub,
          name: profile.name,
          email: profile.email,
          image: profile.picture,
        }
      },
    }
  ],
  events: {
    async signOut({token}) {
      var refreshToken = token.refreshToken
      let headers = { "Content-Type": "application/x-www-form-urlencoded" };
      try {
        await axios.post("http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/logout",
        querystring.stringify({
          refresh_token: refreshToken,
          client_secret: 'myguid',
          client_id: 'recipe_management.next',
      }),
          { headers },
        );
      } catch (e) { }
    },
  },
  theme: {
    colorScheme: "light",
  },
  callbacks: {
    async jwt({ token, user, account }) {
      // Initial sign in
      if (account && user) {
        return {
          accessToken: account.access_token,
          accessTokenExpires: Date.now() + account.expires_at * 1000,
          refreshToken: account.refresh_token,
          user,
        }
      }

      // Return previous token if the access token has not expired yet
      if (Date.now() < token.accessTokenExpires) {
        return token
      }

      // Access token has expired, try to update it
      return refreshAccessToken(token)
    },
    async session({ session, token }) {
      session.user = token.user
      session.accessToken = token.accessToken
      session.error = token.error

      return session
    },
  },
}

async function refreshAccessToken(token) {
  try {
    const url =
      "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token?" +
      new URLSearchParams({
        client_secret: 'myguid',
        client_id: 'recipe_management.next',
        grant_type: "refresh_token",
        refresh_token: token.refreshToken,
      })

    const response = await fetch(url, {
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
      },
      method: "POST",
    })

    const refreshedTokens = await response.json()

    if (!response.ok) {
      throw refreshedTokens
    }

    return {
      ...token,
      accessToken: refreshedTokens.access_token,
      accessTokenExpires: Date.now() + refreshedTokens.expires_at * 1000,
      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken, // Fall back to old refresh token
    }
  } catch (error) {
    console.log(error)

    return {
      ...token,
      error: "RefreshAccessTokenError",
    }
  }
}

I would think when using a well known provider, you could just use it to get the end_session_endpoint and call that automatically at signout without all this boilerplate.

Ex well known:

{
"issuer": "http://localhost:3255/auth/realms/DevRealm",
"authorization_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:openid:params:grant-type:ciba"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"request_object_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt"
],
"registration_endpoint": "http://localhost:3255/auth/realms/DevRealm/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"introspection_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"authorization_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": true,
"scopes_supported": [
"openid",
"profile",
"address",
"microprofile-jwt",
"phone",
"email",
"recipe_management",
"offline_access",
"web-origins",
"roles"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": [
"poll",
"ping"
],
"backchannel_authentication_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/ciba/auth",
"backchannel_authentication_request_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512"
],
"require_pushed_authorization_requests": false,
"pushed_authorization_request_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases": {
"token_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token",
"revocation_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/revoke",
"introspection_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token/introspect",
"device_authorization_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth/device",
"registration_endpoint": "http://localhost:3255/auth/realms/DevRealm/clients-registrations/openid-connect",
"userinfo_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/userinfo",
"pushed_authorization_request_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/par/request",
"backchannel_authentication_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/ciba/auth"
}
}

[speckofthecosmos]

For anyone using Authentik who can't wait for this — here's a working manual implementation for Auth.js v5 App Router. The standard end-session redirect approach has issues with Authentik specifically, so the solution uses the Authentik admin API for server-side session revocation instead: https://gist.github.com/speckofthecosmos/e8c471ee9a59f7d9494a854fff4074ad