Implement federated logout for omniauth_open_id_connect
Proposal
Implement federated logout for OIDC, similar to the ongoing Single Log Out with SAML. This can be achieved by supporting the end_session_endpoint as outlined in the omniauth_openid_connect documentation.
Ultimately, when a user signs out of GitLab, they are also signed out of their identity provider (IdP).
Why?
This would allow users to enable the auto_sign_in_with_provider: true omniauth configuration without encountering an infinite sign-in loop when trying to sign out of GitLab.
Concerns
Although this feature is currently unsupported in GitLab, the OIDC documentation implies support by referencing end_session_endpoint. If this feature will not be scheduled soon, updating or removing references to end_session_endpoint in the documentation may be necessary to avoid confusion.
Related to #31203 (comment 2170035222)
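The redirect that end_session_endpoint support would involve, as an added example that is not GitLab's or omniauth_openid_connect's code. The discovery document, hostnames, and the helper names federated_logout_url and valid_logout_callback? are assumptions; the query parameters are those defined by OpenID Connect RP-Initiated Logout 1.0.

```ruby
require 'json'
require 'uri'
require 'securerandom'

# Constructed discovery document for a hypothetical IdP (not a real provider).
DISCOVERY_JSON = <<~JSON
  {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "end_session_endpoint": "https://idp.example.com/logout"
  }
JSON

# Hypothetical helper: returns the IdP logout URL, or nil when the provider
# advertises no usable end_session_endpoint (the caller then signs out locally only).
def federated_logout_url(discovery, id_token:, post_logout_redirect_uri:, state:)
  endpoint = discovery['end_session_endpoint'].to_s
  return nil if endpoint.empty?

  uri = URI.parse(endpoint)
  # The ID token travels in the query string, so refuse non-HTTPS endpoints.
  return nil unless uri.is_a?(URI::HTTPS)

  params = URI.decode_www_form(uri.query.to_s) # keep any query the IdP already set
  params.push(['id_token_hint', id_token],
              ['post_logout_redirect_uri', post_logout_redirect_uri],
              ['state', state])
  uri.query = URI.encode_www_form(params)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# On return to post_logout_redirect_uri, compare state in constant time.
def valid_logout_callback?(expected_state, returned_state)
  a = expected_state.to_s.bytes
  b = returned_state.to_s.bytes
  return false if a.empty? || a.length != b.length
  a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  state = SecureRandom.hex(16)
  puts federated_logout_url(JSON.parse(DISCOVERY_JSON),
                            id_token: 'header.payload.signature', # constructed value
                            post_logout_redirect_uri: 'https://gitlab.example.com/',
                            state: state)
end
```

With auto_sign_in_with_provider enabled, a local-only sign-out leaves the IdP session alive, which is what produces the sign-in loop; redirecting through the IdP's logout endpoint ends that session first.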