
Logout doesn't work. It works only if we sign out of our gmail account (from the gmail website) #466

Open
liv-ci opened this issue Nov 22, 2024 · 3 comments


liv-ci commented Nov 22, 2024

Jenkins and plugins versions report

Environment
Jenkins: 2.479.1
OS: Linux - 6.1.100+
Java: 17.0.13 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
analysis-model-api:12.9.0
ansible:403.v8d0ca_dcb_b_502
ansicolor:1.0.5
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-124.v31e2987e48f4
asm-api:9.7.1-97.v4cc844130d97
authentication-tokens:1.119.v50285141b_7e1
authorize-project:1.8.1
aws-credentials:231.v08a_59f17d742
aws-java-sdk-api-gateway:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-cloudformation:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-cloudfront:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-codedeploy:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-ec2:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-ecr:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-elasticbeanstalk:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-elasticloadbalancingv2:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-iam:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-lambda:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-minimal:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-organizations:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-sns:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-sqs:1.12.772-474.v7f79a_2046a_fb_
basic-branch-build-strategies:190.v343a_ee70d920
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1197.vfa_d0c47c267d
build-discarder:139.v05696a_7fe240
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-disk-usage-simple:205.v47f4ee8803d1
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:115.vd8b_301cc15d0
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
configuration-as-code:1887.v9e47623cb_043
configuration-as-code-groovy:1.1
copyartifact:757.v05365583a_455
credentials:1389.vd7a_b_f5fa_50a_2
credentials-binding:687.v619cb_15e923f
customizable-header:141.vdd3dcb_cfcf66
dark-theme:479.v661b_1b_911c01
data-tables-api:2.1.8-1
discord-notifier:260.v8f28622b_a_6b_7
display-url-api:2.209.v582ed814ff2f
docker-commons:443.v921729d5611d
docker-workflow:580.vc0c340686b_54
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-4
eddsa-api:0.3.0-4.v84c6f0f4969e
flatpickr-api:4.6.13-5.v534d8025a_a_59
font-awesome-api:6.6.0-2
forensics-api:2.6.0
generic-webhook-trigger:2.2.5
git:5.6.0
git-client:6.1.0
gitlab-plugin:1.9.5
google-login:109.v022b_cf87b_e5b_
gravatar:113.v8846c95107e6
gson-api:2.11.0-85.v1f4e87273c33
http_request:1.19
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jersey2-api:2.44-151.v6df377fff741
joda-time-api:2.13.0-93.v9934da_29b_a_e9
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-101.v7a_8666713110
json-path-api:2.9.0-118.v7f23ed82a_8b_8
junit:1307.vdd5b_2646279e
kubernetes:4295.v7fa_01b_309c95
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:174.va_36e093562d9
kubernetes-credentials-provider:1.262.v2670ef7ea_0c5
locale:544.v5ee877a_46b_90
lockable-resources:1327.ved786b_a_197e0
mailer:489.vd4b_25144138f
material-theme:0.5.2-rc100.6121925fe229
matrix-project:840.v812f627cb_578
metrics:4.2.21-458.vcf496cb_839e4
mina-sshd-api-common:2.14.0-133.vcc091215a_358
mina-sshd-api-core:2.14.0-133.vcc091215a_358
modernstatus:1.3
nunit:547.v9dcdd7a_90848
oic-auth:4.421.v5422614eb_e0a_
okhttp-api:4.11.0-181.v1de5b_83857df
p4:1.16.0
pipeline-agent-build-history:90.vf089ff0feff9
pipeline-aws:1.45
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:744.v5b_556ee7c253
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-utility-steps:2.18.0
plain-credentials:183.va_de8f1dd5a_2b_
plasticscm-plugin:4.4
plugin-util-api:5.1.0
prism-api:1.29.0-17
prometheus:795.v995762102f28
resource-disposer:0.25
role-strategy:743.v142ea_b_d5f1d3
scm-api:698.v8e3b_c788f0a_6
script-security:1367.vdf2fc45f229c
skip-certificate-check:1.1
snakeyaml-api:2.3-123.v13484c65210a_
solarized-theme:0.1
ssh-agent:376.v8933585c69d3
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.330.vc866a_8389b_58
startup-trigger-plugin:2.9.4
structs:338.v848422169819
theme-manager:262.vc57ee4a_eda_5d
trilead-api:2.147.vb_73cc728a_32e
uno-choice:2.8.5
variant:60.v7290fc0eb_b_cd
warnings-ng:11.10.0
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3990.vd281dd77a_388
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1460.v28178c1ef6e6
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:930.vf51d22b_ce488
ws-cleanup:0.48

What Operating System are you using (both controller, and any agents involved in the problem)?

Controller OS : Debian GNU/Linux 12 (bookworm)
Agent OS: Windows Server 2022

Reproduction steps

  1. Log in with Jenkins
  2. Click on Logout. You will see the message: "You are now logged out of Jenkins. Have a nice day!"
  3. Click on the Jenkins Home button (upper left corner link), or simply go back to your root domain URL for the Jenkins instance.

Expected Results

I should be asked to reconnect using my google account.

Actual Results

I am still logged in

Anything else?

This is the configuration that I have for the oic plugin:

    securityRealm: |
      oic:
        allowedTokenExpirationClockSkewSeconds: 0
        clientId: "{{ jenkins_oic_client_id }}"
        clientSecret: "{{ jenkins_oic_client_secret }}"
        disableSslVerification: false
        escapeHatchEnabled: true
        escapeHatchSecret: "{{ escape_hatch_secret }}"
        escapeHatchUsername: "admin"
        serverConfiguration:
          wellKnown:
            wellKnownOpenIDConfigurationUrl: "https://accounts.google.com/.well-known/openid-configuration"
        userNameField: "email"
    authorizationStrategy: |-
      roleBased:
        roles:
          global:
            - name: "admin"
              permissions:
                - "Overall/Administer"
              entries:
...

I noticed that the only way to log out is to sign out of my Gmail account from the Gmail website, or by going here: https://mail.google.com/mail/?logout&hl=fr
Then, going back to Jenkins, you will need to log in again.
However, signing out of Gmail and signing out of Jenkins should be two different things, and should not interfere with each other's behaviour.

Are you interested in contributing a fix?

No response

@krezovic
Contributor

Did you enable "Log out from OpenID Provider" checkbox in plugin configuration? (disabled by default)

https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly#L29

Author

liv-ci commented Nov 23, 2024

> Did you enable "Log out from OpenID Provider" checkbox in plugin configuration? (disabled by default)
>
> https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly#L29

Hello! Yes, the checkbox is checked on my end.

@krezovic
Contributor

It appears that Google does not provide end_session_endpoint in their OpenID Metadata (or at all). The only way to log out would be to use revocation_endpoint to revoke the ID token.
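
Added example, not part of the thread and not the plugin's code: a check of OpenID discovery metadata for the `end_session_endpoint` discussed above, showing which logout options a relying party such as Jenkins has with a given provider. Both metadata documents, their `*.example` URLs and the function names are constructed for illustration; provider A is shaped like what the thread reports for Google (a `revocation_endpoint`, no `end_session_endpoint`).

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample metadata (not fetched from any real provider).
# PROVIDER_A: revocation_endpoint only, as the thread reports for Google.
PROVIDER_A = {
    "issuer": "https://idp-a.example",
    "authorization_endpoint": "https://idp-a.example/authorize",
    "token_endpoint": "https://idp-a.example/token",
    "revocation_endpoint": "https://idp-a.example/revoke",
}
# PROVIDER_B: same shape, but it also advertises end_session_endpoint.
PROVIDER_B = dict(PROVIDER_A, issuer="https://idp-b.example",
                  end_session_endpoint="https://idp-b.example/logout")


def _https_url(metadata, key):
    """Return metadata[key] only if it is an absolute https URL."""
    value = metadata.get(key)
    if isinstance(value, str):
        parts = urlsplit(value)
        if parts.scheme == "https" and parts.netloc:
            return value
    return None


def logout_plan(metadata, id_token=None, post_logout_redirect_uri=None):
    """Decide what a relying party can do at logout with this provider."""
    end_session = _https_url(metadata, "end_session_endpoint")
    if end_session:
        # Parameters defined by OpenID Connect RP-Initiated Logout 1.0.
        params = {}
        if id_token:
            params["id_token_hint"] = id_token
        if post_logout_redirect_uri:
            params["post_logout_redirect_uri"] = post_logout_redirect_uri
        sep = "&" if urlsplit(end_session).query else "?"
        url = end_session + (sep + urlencode(params) if params else "")
        return {"mode": "rp_initiated", "redirect": url}
    if _https_url(metadata, "revocation_endpoint"):
        # No logout redirect on offer; RFC 7009 revocation acts on tokens only.
        return {"mode": "revocation_only", "redirect": None}
    # Nothing advertised: only the local application session can be ended.
    return {"mode": "local_only", "redirect": None}
```

With provider A the plan is `revocation_only` and there is no URL to redirect the browser to, which matches the behaviour reported in this issue even with the logout checkbox enabled.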
