Logout fixes: correct client_id + drop pointless ?federated (#42)

* Logout: use deployed AUTH0_CLIENT_ID/DOMAIN, not VITE_ vars

The deployment configmap/secret expose AUTH0_CLIENT_ID and AUTH0_DOMAIN, not
VITE_AUTH0_* (those are local-dev only). Reading the VITE_ vars would yield
undefined at runtime, breaking the logout URL. Use the non-VITE vars (the same
app the server authenticates with, so logout's client_id matches the session),
with VITE_ as a local-dev fallback.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Drop ?federated from logout: CILogon has no end_session_endpoint

CILogon's OIDC discovery exposes no end_session_endpoint, so Auth0 federated
logout cannot end its session — ?federated only produced federated_logout_failed
log noise. Plain Auth0 logout still clears the app + Auth0 session; the
CILogon/institution SSO session cannot be cleared programmatically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: robmsmt

frontend/src/pages/index.astro

@@ -29,12 +29,24 @@ const articles = (await getCollection("articles"))
 // instead of a Sign In button that would kick off the real Auth0 flow.
 const authBypass =
   (process.env.VITE_DEV_AUTH_BYPASS || import.meta.env.VITE_DEV_AUTH_BYPASS) === 'true';
-// Auth0 tenant for the logout redirect (clears the Auth0 + upstream CILogon
-// session, not just the local app cookie). process.env wins for SSR runtime.
+// Auth0 config for the logout redirect (clears the local app cookie + the
+// Auth0 session; CILogon's IdP session can't be cleared, see the logout
+// handler below). Use the SAME app the server logs in with — AUTH0_CLIENT_ID /
+// AUTH0_DOMAIN from the deployment configmap/secret — so logout's client_id
+// matches the session. These are not VITE_-prefixed, so at runtime they only
+// exist on process.env (SSR); VITE_ vars are a local-dev fallback.
 const auth0Domain =
-  process.env.VITE_AUTH0_DOMAIN || import.meta.env.VITE_AUTH0_DOMAIN || '';
+  process.env.AUTH0_DOMAIN ||
+  import.meta.env.AUTH0_DOMAIN ||
+  process.env.VITE_AUTH0_DOMAIN ||
+  import.meta.env.VITE_AUTH0_DOMAIN ||
+  '';
 const auth0ClientId =
-  process.env.VITE_AUTH0_CLIENT_ID || import.meta.env.VITE_AUTH0_CLIENT_ID || '';
+  process.env.AUTH0_CLIENT_ID ||
+  import.meta.env.AUTH0_CLIENT_ID ||
+  process.env.VITE_AUTH0_CLIENT_ID ||
+  import.meta.env.VITE_AUTH0_CLIENT_ID ||
+  '';
 const session = authBypass
   ? { user: { name: 'Dev User', email: 'dev@localhost' }, accessToken: 'dev-dummy-token' }
   : await getSession(Astro.request);
@@ -179,15 +191,18 @@ const sponsors = [
               } catch (e) {
                 console.error('Local sign-out failed:', e);
               }
-              // 2) Clear the Auth0 session and federate logout to the upstream
-              //    IdP (CILogon), so the next sign-in shows the login screen
-              //    instead of silently re-authenticating.
+              // 2) Clear the Auth0 session so the next sign-in shows the login
+              //    screen instead of silently re-authenticating. We don't pass
+              //    ?federated: CILogon exposes no OIDC end_session_endpoint, so
+              //    Auth0 can't end its session (it would just log
+              //    federated_logout_failed). The CILogon/institution SSO
+              //    session can't be cleared programmatically.
               const params = new URLSearchParams({
                 client_id: auth0ClientId,
                 returnTo: window.location.origin,
               });
               window.location.href =
-                `https://${auth0Domain}/v2/logout?federated&${params.toString()}`;
+                `https://${auth0Domain}/v2/logout?${params.toString()}`;
             });
           </script>