OIDC end_session_endpoint Property is Required

[Tomme]

trino/core/trino-main/src/main/java/io/trino/server/security/oauth2/OidcDiscovery.java

Line 118 in 50221eb

Optional<URI> endSessionEndpoint = Optional.of(getRequiredField("end_session_endpoint", metadata.getEndSessionEndpointURI(), END_SESSION_URL, Optional.empty()));

If you set http-server.authentication.oauth2.oidc.discovery=true and your Authorization Server does not return a end_session_endpoint value you will get the error: Invalid response from OpenID Metadata endpoint. Missing required "end_session_endpoint" property

While I am unsure if the OpenID Connect RP-Initiated Logout 1.0 specification is required for a minimum compliant implementation of OpenID Connect, quite a lot of OAuth providers e.g. Google, do not implement it / provide a end_session_endpoint value: https://accounts.google.com/.well-known/openid-configuration

[oneonestar]

DEX Idp also doesn't implement it: dexidp/dex#1697

In SSO(single sign on) system, after a user click the Log Out button on an application, there are different implementations:

• Invalidate session for this application only.
• Invalidate session for this application and logout from all systems using SSO.
• Others (see: https://security.stackexchange.com/questions/116039/sso-what-should-happen-when-the-user-clicks-log-out )

Which one to use should be determined by the organization. Admin will then enforce it for all applications.
IMO, Trino should allow admin to choose what it means when a user click the Log Out button.
I propose to make end_session_endpoint optional with docs updates to explain the behavior.

@Praveen2112 What do you think?

[mosabua]

Maybe @dain or @electrum can chime in here