Logout using OIDC credentials instead of cookies

[RubenVerborgh]

Closes #69.

[coveralls]

Coverage decreased (-0.6%) to 61.593% when pulling 7fb5457 on feature/logout-oidc into eb36d24 on master.

[dmitrizagidulin]

(I think the idea is that you want to redirect the user (either the main page or a popup window) to the logour request’s url. that way, it also lets the browser clear the cookie to the IdP. otherwise, it’s still a third-party js request, which solid server should ignore. this also sets up the workflow for the next feature (a confirmation page saying, ok you’re logging out of the RP, do you also want to log out of IdP?).)

[RubenVerborgh]

I think the idea is that you want to redirect the user (either the main page or a popup window) to the logour request’s url.

But you recommended a POST request in nodeSolidServer/node-solid-server#835 (comment) ?

otherwise, it’s still a third-party js request, which solid server should ignore.

But it is signed?

[dmitrizagidulin]

Yeah, I did recommend a POST, I forgot about the redirection at that time :)

But is it signed?

Yeah, the request is signed (in the sense of, it’s carrying a signed id token credential). But I suspect without redirection, you’re gonna have a tough time clearing the cookie. (plus there’s no way to prompt the user if they want to also log out of idp and rp)