feat(handler): local logout returns 204 instead of redirect

Redirecting after local logout introduces the possibility of matching a
path that automatically performs login, which for a local logout means
the user is automatically logged in again due to having an SSO session -
which nullifies the whole logout operation.

Applications that want local logout must trigger and handle the response
just like any other API call.

pkg/handler/handler.go

@@ -247,7 +247,7 @@ func (s *Standalone) logout(w http.ResponseWriter, r *http.Request, globalLogout
 			return
 		}
 
-		logger.Info("logout: successful local logout")
+		logger.Debug("logout: session deleted")
 	}
 
 	cookie.Clear(w, cookie.Session, s.GetCookieOptions(r))
@@ -257,11 +257,9 @@ func (s *Standalone) logout(w http.ResponseWriter, r *http.Request, globalLogout
 		metrics.ObserveLogout(metrics.LogoutOperationSelfInitiated)
 		http.Redirect(w, r, logout.SingleLogoutURL(idToken), http.StatusTemporaryRedirect)
 	} else {
-		redirect := s.Client.LogoutCallback(r).PostLogoutRedirectURI()
-
-		logger.Debugf("logout: redirecting to %s", redirect)
+		logger.Info("logout: successful local logout")
 		metrics.ObserveLogout(metrics.LogoutOperationLocal)
-		http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
+		w.WriteHeader(http.StatusNoContent)
 	}
 }
 

pkg/handler/handler_test.go

@@ -537,8 +537,7 @@ func localLogout(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider
 	assert.NoError(t, err)
 
 	resp := get(t, rpClient, logoutURL.String())
-	assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
-	assert.Equal(t, idp.Cfg.OpenID.PostLogoutRedirectURI, resp.Location.String())
+	assert.Equal(t, http.StatusNoContent, resp.StatusCode)
 
 	cookies := rpClient.Jar.Cookies(logoutURL)
 	sessionCookie := getCookieFromJar(cookie.Session, cookies)