[OIDC/Webclient] Logout throws missing "WebSession" argument (and doesn't appear to be programmed to use OIDCLogoutEndpoint anyway?)

[Hacksawfred3232]

Operating System

Ubuntu 22.04.5 LTS

AMP Version and Build Date

AMP version 2.6.1.0 (Phobos), built 20/03/2025 20:49, 20250320.8

AMP Release Stream

Mainline

I confirm that

• I have searched for an existing bug report for this issue.
• I am using the latest available version of AMP.
• my operating system is up-to-date.

Intended Action

When logging out with an OIDC session, have the user redirect to the specified OIDCLogoutEndpoint.

Expected Behaviour

AMP triggers API.Core.Logout, which invalidates the token it was using for the user and redirects the user to the OIDCLogoutEndpoint.

Actual Behaviour

API.Core.Logout errors out, but the client still attempts logout anyway, redirecting the user to the login page, which because the redirect to OIDCLogoutEndpoint didn't happen, automatically logs in again into AMP. The only workaround right now is to logout at the OIDC provider first.
Error in log:

[17:16:16] [Core:System Admin Error/58] : MissingFieldException
[17:16:16] [Core:System Admin Error/58] : [0] (MissingFieldException) : Logout method requires session(WebSession) argument.
[17:16:16] [Core:System Admin Error/58] :    at GSMyAdmin.WebServer.WebAttributes.InvokeMethod(String MethodName, JObject Data, HttpContext context, IWebSession Session, WebMethodsBase MethodsClass, IPAddress RealIP)
   at GSMyAdmin.WebServer.ApiService.InvokeAPI(HttpContext context, IWebSession Session, JObject Data, String RequestModule, String RequestMethod)

Additionally, observation of the javascript code for the WebUI appears to be that it wouldn't redirect anyway? The WebUI script just sets some local values to null and then refreshes the UI.

Reproduction

1. Install and configure AMP
2. Setup your OIDC provider, configure (correctly this time!) ([OIDC] Fatally writes bad user to database if OIDC response is missing data #1312)
3. Configure AMP to use your OIDC provider
4. Login as OIDC user successfully
5. Attempt logout

[bajascripts]

I am also getting this behavior as well. Same setup as OP, logout URL that is configured is completely ignored as well causing an automatic log back in after logging out.

[FloSet]

I can confirm this behavior as well. It is also discussed in the official forum, but unfortunately, the thread was closed with the explanation that it works as designed, which cannot be accurate, considering that an error is thrown, as also pointed out in the post.

[PhonicUK]

I've updated this and it now requests an OIDC logout. How this behaves depends slightly on your provider - with Authentik then unless you click the "Log out of Authentik" button that pops up for example then refreshing the page logs you back in instantly.