The oidc_frontchannel_logout feature supports, as defined in the RFC, logging out of all RPs as a consequence of logging out of the OP: RPs register a “frontchannel logout URL” with the OP, and the OP calls it via an iframe in the user agent (the “frontchannel”) after a successful logout.
It also supports session identification via ID token SID claim (which can also be disabled).
The way to enable it is as follows:
plugin :rodauth do
  enable :oidc_frontchannel_logout
end
When enabled, the OpenID discovery endpoint will expose support for frontchannel logout; if using the oidc_dynamic_client_registration feature, the parameters defined in the RFC will also be supported.
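The RP side of this exchange, as an added example that is not rodauth-oauth code: a handler for the registered frontchannel logout URL that ends the browser's local session only when the `iss` and `sid` query parameters sent by the OP match the claims stored from the ID token. The session store, issuer URL, function name and result symbols are hypothetical, and the RP is assumed to have registered with session identification required.

```ruby
require "uri"

# Constructed sample data: RP sessions keyed by the RP's own session cookie value,
# each remembering the iss and sid claims of the ID token that created it.
SESSIONS = {
  "local-1" => { iss: "https://op.example.test", sid: "sid-aaa", user: "alice" },
  "local-2" => { iss: "https://op.example.test", sid: "sid-bbb", user: "alice" },
  "local-3" => { iss: "https://other-op.example.test", sid: "sid-aaa", user: "bob" }
}.freeze

TRUSTED_ISSUER = "https://op.example.test" # hypothetical OP issuer

# The response is loaded in an iframe; it must not be cached, or a cached
# copy could satisfy a later logout request without reaching the RP.
NO_CACHE = { "Cache-Control" => "no-cache, no-store", "Pragma" => "no-cache" }.freeze

# Returns [status, headers, result]; result is a symbol for logging/metrics.
def handle_frontchannel_logout(query_string, cookie_session_id, sessions, trusted_issuer)
  params = URI.decode_www_form(query_string.to_s).to_h
  iss = params["iss"]
  sid = params["sid"]

  # Session identification is required by this RP, so both must be present.
  return [400, NO_CACHE, :missing_params] if iss.nil? || sid.nil?
  # Only the OP this RP federates with may trigger a logout.
  return [400, NO_CACHE, :untrusted_issuer] unless iss == trusted_issuer

  session = sessions[cookie_session_id]
  return [200, NO_CACHE, :no_session] if session.nil?

  # The sid in the request must be the one bound to this browser session;
  # otherwise the request refers to a different OP session and is ignored.
  unless session[:iss] == iss && session[:sid] == sid
    return [200, NO_CACHE, :sid_mismatch]
  end

  sessions.delete(cookie_session_id)
  [200, NO_CACHE, :logged_out]
end
```
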