strapi-plugin-oidc 1.4.3 → 1.5.1

package/README.md

@@ -34,17 +34,29 @@ module.exports = ({ env }) => ({
       OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
       OIDC_AUTHORIZATION_ENDPOINT: env('OIDC_AUTHORIZATION_ENDPOINT'),
       OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
-      OIDC_USER_INFO_ENDPOINT: env('OIDC_USER_INFO_ENDPOINT'),
+      OIDC_USERINFO_ENDPOINT: env('OIDC_USERINFO_ENDPOINT'),
 
-      // Optional — defaults shown
-      OIDC_SCOPES: 'openid profile email',
+      // Optional
+      OIDC_SCOPE: 'openid profile email',
       OIDC_GRANT_TYPE: 'authorization_code',
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
-      OIDC_LOGOUT_URL: '', // Provider logout URL; omit to redirect to Strapi login
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
-      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
-      REMEMBER_ME: false, // Persist session across browser restarts
+      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override
+      REMEMBER_ME: false,
+
+      // Optional — RP-Initiated Logout
+      // Redirects the browser to the provider's end-session page on logout.
+      // Both found in your provider's /.well-known/openid-configuration.
+      OIDC_END_SESSION_ENDPOINT: env('OIDC_END_SESSION_ENDPOINT', ''),
+      OIDC_POST_LOGOUT_REDIRECT_URI: env('OIDC_POST_LOGOUT_REDIRECT_URI', ''),
+
+      // Optional — Backchannel Logout
+      // Allows the provider to revoke Strapi sessions server-to-server.
+      // Set your provider's logout URI to: https://your-strapi.com/strapi-plugin-oidc/logout
+      // Both found in your provider's /.well-known/openid-configuration.
+      OIDC_ISSUER: env('OIDC_ISSUER', ''),
+      OIDC_JWKS_URI: env('OIDC_JWKS_URI', ''),
     },
   },
 });
@@ -134,7 +146,6 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
 
 - Removed alternative SSO methods to simplify the plugin.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
-- Added an OIDC logout redirect URL.
 - Added an option to "Enforce OIDC login" with an admin toggle (automatically disabled if the whitelist is empty).
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
@@ -146,4 +157,8 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
   - Bulk delete all entries with a confirmation dialog.
   - Unsaved changes confirmation when navigating away from the settings page.
   - Programmatic API for managing the whitelist via Strapi API tokens (list, register, import, delete, delete all).
+- **RP-Initiated Logout** (OpenID Connect RP-Initiated Logout 1.0): on logout, Strapi redirects the browser to the provider's end-session endpoint with `id_token_hint` and `post_logout_redirect_uri`, cleanly terminating the SSO session. Configured via `OIDC_END_SESSION_ENDPOINT` and `OIDC_POST_LOGOUT_REDIRECT_URI`.
+- **Backchannel Logout** (OIDC Back-Channel Logout 1.0): `POST /strapi-plugin-oidc/logout` accepts a signed logout token from the provider, validates it, and revokes the user's Strapi admin session — keeping Strapi in sync when a user logs out elsewhere. Configured via `OIDC_ISSUER` and `OIDC_JWKS_URI`.
+- Renamed config keys to match OIDC discovery document field names: `OIDC_LOGOUT_URL` → `OIDC_END_SESSION_ENDPOINT`, `OIDC_USER_INFO_ENDPOINT` → `OIDC_USERINFO_ENDPOINT`, `OIDC_SCOPES` → `OIDC_SCOPE`.
+- Security hardening: PKCE (`S256`), server-side `state` generation (CSRF protection), nonce validation (ID token replay prevention), `Authorization: Bearer` header for userinfo requests, generic error messages on callback failure.
 - Added misc. quality of life improvements and bug fixes.

package/dist/server/index.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
 const node_crypto = require("node:crypto");
+const jose = require("jose");
 const pkceChallenge = require("pkce-challenge");
 const strapiUtils = require("@strapi/utils");
 const generator = require("generate-password");
@@ -24,6 +25,17 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
+const revoked = /* @__PURE__ */ new Map();
+const CLEANUP_DELAY_MS = 24 * 60 * 60 * 1e3;
+function revokeUser(userId) {
+  revoked.set(userId, Date.now());
+  setTimeout(() => revoked.delete(userId), CLEANUP_DELAY_MS);
+}
+function isUserRevoked(userId, iat) {
+  const logoutTime = revoked.get(userId);
+  if (!logoutTime) return false;
+  return iat * 1e3 <= logoutTime;
+}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -76,9 +88,36 @@ async function bootstrap({ strapi: strapi2 }) {
     }
     await next();
   };
+  const denylistMiddleware = async (ctx, next) => {
+    const auth = ctx.request.headers.authorization;
+    if (auth?.startsWith("Bearer ")) {
+      try {
+        const payload = JSON.parse(
+          Buffer.from(auth.slice(7).split(".")[1], "base64url").toString()
+        );
+        if (payload.id && isUserRevoked(String(payload.id), payload.iat ?? 0)) {
+          ctx.status = 401;
+          ctx.body = {
+            data: null,
+            error: {
+              status: 401,
+              name: "UnauthorizedError",
+              message: "Session revoked",
+              details: {}
+            }
+          };
+          return;
+        }
+      } catch {
+      }
+    }
+    await next();
+  };
   if (strapi2.server.app && Array.isArray(strapi2.server.app.middleware)) {
     strapi2.server.app.middleware.unshift(enforceOidcMiddleware);
+    strapi2.server.app.middleware.unshift(denylistMiddleware);
   } else {
+    strapi2.server.use(denylistMiddleware);
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
@@ -161,14 +200,20 @@ const config = {
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
-    OIDC_SCOPES: "openid profile email",
+    OIDC_SCOPE: "openid profile email",
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_LOGOUT_URL: "",
+    OIDC_END_SESSION_ENDPOINT: "",
+    OIDC_POST_LOGOUT_REDIRECT_URI: "",
+    // Where to land after the provider has logged the user out (RP-Initiated Logout)
+    OIDC_ISSUER: "",
+    // Provider issuer URL — used to validate iss claim in backchannel logout tokens
+    OIDC_JWKS_URI: "",
+    // Provider JWKS endpoint — required for backchannel logout token signature verification
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -221,15 +266,17 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+  const rootPathOptions = { ...options2, path: "/" };
+  ctx.cookies.set("oidc_authenticated", "", rootPathOptions);
+  ctx.cookies.set("oidc_id_token", "", rootPathOptions);
 }
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
-  "OIDC_SCOPES",
+  "OIDC_SCOPE",
   "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
@@ -245,7 +292,7 @@ function configValidation() {
   );
 }
 async function oidcSignIn(ctx) {
-  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
   const state = node_crypto.randomBytes(32).toString("base64url");
   const nonce = node_crypto.randomBytes(32).toString("base64url");
@@ -264,7 +311,7 @@ async function oidcSignIn(ctx) {
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
   params.append("redirect_uri", OIDC_REDIRECT_URI);
-  params.append("scope", OIDC_SCOPES);
+  params.append("scope", OIDC_SCOPE);
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
@@ -297,13 +344,14 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       throw new Error("Failed to parse ID token");
     }
   }
-  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  return userResponse.json();
+  const userInfo = await userResponse.json();
+  return { userInfo, idToken: tokenData.id_token };
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -369,7 +417,11 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier ?? "");
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
+    const { userInfo: userResponseData, idToken } = await exchangeTokenAndFetchUserInfo(
+      config2,
+      params,
+      oidcNonce ?? ""
+    );
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -379,6 +431,15 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
+    if (idToken) {
+      const isProduction = strapi.config.get("environment") === "production";
+      ctx.cookies.set("oidc_id_token", idToken, {
+        httpOnly: true,
+        secure: isProduction && ctx.request.secure,
+        path: "/",
+        sameSite: "lax"
+      });
+    }
     const nonce = node_crypto.randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
@@ -390,20 +451,92 @@ async function oidcSignInCallback(ctx) {
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const logoutUrl = config2.OIDC_LOGOUT_URL;
+  const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  const idToken = ctx.cookies.get("oidc_id_token");
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession) {
-    ctx.redirect(logoutUrl);
+    const url = new URL(logoutUrl);
+    if (idToken) url.searchParams.set("id_token_hint", idToken);
+    if (config2.OIDC_POST_LOGOUT_REDIRECT_URI) {
+      url.searchParams.set("post_logout_redirect_uri", config2.OIDC_POST_LOGOUT_REDIRECT_URI);
+    }
+    ctx.redirect(url.toString());
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
     ctx.redirect(`${adminPanelUrl}/auth/login`);
   }
 }
+const jwksCache = /* @__PURE__ */ new Map();
+function getJWKS(uri) {
+  const cached = jwksCache.get(uri);
+  if (cached) return cached;
+  const jwks = jose.createRemoteJWKSet(new URL(uri));
+  jwksCache.set(uri, jwks);
+  return jwks;
+}
+async function backchannelLogout(ctx) {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const logoutToken = ctx.request.body?.logout_token;
+  if (!logoutToken) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing logout_token" };
+    return;
+  }
+  if (!config2.OIDC_JWKS_URI || !config2.OIDC_ISSUER) {
+    ctx.status = 501;
+    ctx.body = {
+      error: "OIDC_JWKS_URI and OIDC_ISSUER must both be configured to enable backchannel logout"
+    };
+    return;
+  }
+  try {
+    const JWKS = getJWKS(config2.OIDC_JWKS_URI);
+    const verifyOptions = {
+      issuer: config2.OIDC_ISSUER,
+      audience: config2.OIDC_CLIENT_ID || void 0
+    };
+    const { payload } = await jose.jwtVerify(logoutToken, JWKS, verifyOptions);
+    if ("nonce" in payload) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must not contain nonce" };
+      return;
+    }
+    const events = payload.events;
+    if (!events?.["http://schemas.openid.net/event/backchannel-logout"]) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token missing backchannel-logout event" };
+      return;
+    }
+    if (!payload.sub && !("sid" in payload)) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must contain sub or sid" };
+      return;
+    }
+    if (payload.sub) {
+      const userService = strapi.service("admin::user");
+      const user = await userService.findOneByEmail(payload.sub);
+      if (user) {
+        revokeUser(String(user.id));
+        const sessionManager = strapi.sessionManager;
+        if (sessionManager) {
+          await sessionManager("admin").invalidateRefreshToken(String(user.id));
+        }
+      }
+    }
+    ctx.status = 200;
+    ctx.body = "";
+  } catch (e) {
+    strapi.log.error("Backchannel logout failed:", e);
+    ctx.status = 400;
+    ctx.body = { error: "Invalid logout_token" };
+  }
+}
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
-  logout
+  logout,
+  backchannelLogout
 };
 async function find(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
@@ -660,6 +793,12 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
+      {
+        method: "POST",
+        path: "/logout",
+        handler: "oidc.backchannelLogout",
+        config: { auth: false }
+      },
       {
         method: "GET",
         path: "/whitelist",

package/dist/server/index.mjs

@@ -1,4 +1,5 @@
 import { randomUUID, randomBytes } from "node:crypto";
+import { jwtVerify, createRemoteJWKSet } from "jose";
 import pkceChallenge from "pkce-challenge";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -18,6 +19,17 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
+const revoked = /* @__PURE__ */ new Map();
+const CLEANUP_DELAY_MS = 24 * 60 * 60 * 1e3;
+function revokeUser(userId) {
+  revoked.set(userId, Date.now());
+  setTimeout(() => revoked.delete(userId), CLEANUP_DELAY_MS);
+}
+function isUserRevoked(userId, iat) {
+  const logoutTime = revoked.get(userId);
+  if (!logoutTime) return false;
+  return iat * 1e3 <= logoutTime;
+}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -70,9 +82,36 @@ async function bootstrap({ strapi: strapi2 }) {
     }
     await next();
   };
+  const denylistMiddleware = async (ctx, next) => {
+    const auth = ctx.request.headers.authorization;
+    if (auth?.startsWith("Bearer ")) {
+      try {
+        const payload = JSON.parse(
+          Buffer.from(auth.slice(7).split(".")[1], "base64url").toString()
+        );
+        if (payload.id && isUserRevoked(String(payload.id), payload.iat ?? 0)) {
+          ctx.status = 401;
+          ctx.body = {
+            data: null,
+            error: {
+              status: 401,
+              name: "UnauthorizedError",
+              message: "Session revoked",
+              details: {}
+            }
+          };
+          return;
+        }
+      } catch {
+      }
+    }
+    await next();
+  };
   if (strapi2.server.app && Array.isArray(strapi2.server.app.middleware)) {
     strapi2.server.app.middleware.unshift(enforceOidcMiddleware);
+    strapi2.server.app.middleware.unshift(denylistMiddleware);
   } else {
+    strapi2.server.use(denylistMiddleware);
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
@@ -155,14 +194,20 @@ const config = {
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
-    OIDC_SCOPES: "openid profile email",
+    OIDC_SCOPE: "openid profile email",
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_LOGOUT_URL: "",
+    OIDC_END_SESSION_ENDPOINT: "",
+    OIDC_POST_LOGOUT_REDIRECT_URI: "",
+    // Where to land after the provider has logged the user out (RP-Initiated Logout)
+    OIDC_ISSUER: "",
+    // Provider issuer URL — used to validate iss claim in backchannel logout tokens
+    OIDC_JWKS_URI: "",
+    // Provider JWKS endpoint — required for backchannel logout token signature verification
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -215,15 +260,17 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+  const rootPathOptions = { ...options2, path: "/" };
+  ctx.cookies.set("oidc_authenticated", "", rootPathOptions);
+  ctx.cookies.set("oidc_id_token", "", rootPathOptions);
 }
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
-  "OIDC_SCOPES",
+  "OIDC_SCOPE",
   "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
@@ -239,7 +286,7 @@ function configValidation() {
   );
 }
 async function oidcSignIn(ctx) {
-  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
   const state = randomBytes(32).toString("base64url");
   const nonce = randomBytes(32).toString("base64url");
@@ -258,7 +305,7 @@ async function oidcSignIn(ctx) {
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
   params.append("redirect_uri", OIDC_REDIRECT_URI);
-  params.append("scope", OIDC_SCOPES);
+  params.append("scope", OIDC_SCOPE);
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
@@ -291,13 +338,14 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       throw new Error("Failed to parse ID token");
     }
   }
-  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  return userResponse.json();
+  const userInfo = await userResponse.json();
+  return { userInfo, idToken: tokenData.id_token };
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -363,7 +411,11 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier ?? "");
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
+    const { userInfo: userResponseData, idToken } = await exchangeTokenAndFetchUserInfo(
+      config2,
+      params,
+      oidcNonce ?? ""
+    );
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -373,6 +425,15 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
+    if (idToken) {
+      const isProduction = strapi.config.get("environment") === "production";
+      ctx.cookies.set("oidc_id_token", idToken, {
+        httpOnly: true,
+        secure: isProduction && ctx.request.secure,
+        path: "/",
+        sameSite: "lax"
+      });
+    }
     const nonce = randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
@@ -384,20 +445,92 @@ async function oidcSignInCallback(ctx) {
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const logoutUrl = config2.OIDC_LOGOUT_URL;
+  const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  const idToken = ctx.cookies.get("oidc_id_token");
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession) {
-    ctx.redirect(logoutUrl);
+    const url = new URL(logoutUrl);
+    if (idToken) url.searchParams.set("id_token_hint", idToken);
+    if (config2.OIDC_POST_LOGOUT_REDIRECT_URI) {
+      url.searchParams.set("post_logout_redirect_uri", config2.OIDC_POST_LOGOUT_REDIRECT_URI);
+    }
+    ctx.redirect(url.toString());
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
     ctx.redirect(`${adminPanelUrl}/auth/login`);
   }
 }
+const jwksCache = /* @__PURE__ */ new Map();
+function getJWKS(uri) {
+  const cached = jwksCache.get(uri);
+  if (cached) return cached;
+  const jwks = createRemoteJWKSet(new URL(uri));
+  jwksCache.set(uri, jwks);
+  return jwks;
+}
+async function backchannelLogout(ctx) {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const logoutToken = ctx.request.body?.logout_token;
+  if (!logoutToken) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing logout_token" };
+    return;
+  }
+  if (!config2.OIDC_JWKS_URI || !config2.OIDC_ISSUER) {
+    ctx.status = 501;
+    ctx.body = {
+      error: "OIDC_JWKS_URI and OIDC_ISSUER must both be configured to enable backchannel logout"
+    };
+    return;
+  }
+  try {
+    const JWKS = getJWKS(config2.OIDC_JWKS_URI);
+    const verifyOptions = {
+      issuer: config2.OIDC_ISSUER,
+      audience: config2.OIDC_CLIENT_ID || void 0
+    };
+    const { payload } = await jwtVerify(logoutToken, JWKS, verifyOptions);
+    if ("nonce" in payload) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must not contain nonce" };
+      return;
+    }
+    const events = payload.events;
+    if (!events?.["http://schemas.openid.net/event/backchannel-logout"]) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token missing backchannel-logout event" };
+      return;
+    }
+    if (!payload.sub && !("sid" in payload)) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must contain sub or sid" };
+      return;
+    }
+    if (payload.sub) {
+      const userService = strapi.service("admin::user");
+      const user = await userService.findOneByEmail(payload.sub);
+      if (user) {
+        revokeUser(String(user.id));
+        const sessionManager = strapi.sessionManager;
+        if (sessionManager) {
+          await sessionManager("admin").invalidateRefreshToken(String(user.id));
+        }
+      }
+    }
+    ctx.status = 200;
+    ctx.body = "";
+  } catch (e) {
+    strapi.log.error("Backchannel logout failed:", e);
+    ctx.status = 400;
+    ctx.body = { error: "Invalid logout_token" };
+  }
+}
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
-  logout
+  logout,
+  backchannelLogout
 };
 async function find(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
@@ -654,6 +787,12 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
+      {
+        method: "POST",
+        path: "/logout",
+        handler: "oidc.backchannelLogout",
+        config: { auth: false }
+      },
       {
         method: "GET",
         path: "/whitelist",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.4.3",
+  "version": "1.5.1",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -50,6 +50,7 @@
     "@strapi/icons": "^2.2.0",
     "@strapi/utils": "^5.41.1",
     "generate-password": "^1.7.1",
+    "jose": "^6.2.2",
     "pkce-challenge": "^6.0.0",
     "react-intl": "^6.8.9"
   },
@@ -81,6 +82,8 @@
     "@eslint/eslintrc": "^3.3.5",
     "@eslint/js": "^10.0.1",
     "@strapi/sdk-plugin": "^6.0.1",
+    "@strapi/types": "^5.41.1",
+    "@types/koa": "^2.16.4",
     "@types/node": "^25.5.2",
     "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^4.1.2",