feat(server): added backchannel logout api endpoint (#26235)

* feat(server): added backchannel logout api endpoint

* test(server): fixed e2e tests

* fix(server): fixed suggested changes by reviewer

* feat(server): created function invalidateOAuth

* fix(server): fixed session.repository.sql

* test(server): added unit tests for backchannelLogout function

* test(server): added e2e tests for oidc backchnnel logout

* docs(server): added documentation on backchannel logout url

* docs(server): fixed typo

* feat(server): minor improvements of the oidc backchannel logout

* test(server): fixed tests after merge with main

* fix(server): fixed e2e test file

* refactor(server): tiny refactor of validateLogoutToken

* chore: cleanup

* fix: tests

* fix: make jwks extractable

---------

Co-authored-by: Daniel Dietzler <mail@ddietzler.dev>

open-api/immich-openapi-specs.json

@@ -7359,6 +7359,38 @@
         "x-immich-state": "Stable"
       }
     },
+    "/oauth/backchannel-logout": {
+      "post": {
+        "description": "Logout the OAuth account and invalidate the session specified by the sid claim or all sessions if the sid claim is not present.",
+        "operationId": "logoutOAuth",
+        "parameters": [],
+        "requestBody": {
+          "content": {
+            "application/x-www-form-urlencoded": {
+              "schema": {
+                "$ref": "#/components/schemas/OAuthBackchannelLogoutDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "summary": "Backchannel OAuth logout",
+        "tags": [
+          "Authentication"
+        ],
+        "x-immich-history": [
+          {
+            "version": "v2",
+            "state": "Added"
+          }
+        ]
+      }
+    },
     "/oauth/callback": {
       "post": {
         "description": "Complete the OAuth authorization process by exchanging the authorization code for a session token.",
@@ -19031,6 +19063,18 @@
         ],
         "type": "object"
       },
+      "OAuthBackchannelLogoutDto": {
+        "properties": {
+          "logout_token": {
+            "description": "OAuth logout token",
+            "type": "string"
+          }
+        },
+        "required": [
+          "logout_token"
+        ],
+        "type": "object"
+      },
       "OAuthCallbackDto": {
         "properties": {
           "codeVerifier": {

open-api/typescript-sdk/src/fetch-client.ts

@@ -1409,6 +1409,10 @@ export type OAuthAuthorizeResponseDto = {
     /** OAuth authorization URL */
     url: string;
 };
+export type OAuthBackchannelLogoutDto = {
+    /** OAuth logout token */
+    logout_token: string;
+};
 export type OAuthCallbackDto = {
     /** OAuth code verifier (PKCE) */
     codeVerifier?: string;
@@ -4909,6 +4913,18 @@ export function startOAuth({ oAuthConfigDto }: {
         body: oAuthConfigDto
     })));
 }
+/**
+ * Backchannel OAuth logout
+ */
+export function logoutOAuth({ oAuthBackchannelLogoutDto }: {
+    oAuthBackchannelLogoutDto: OAuthBackchannelLogoutDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchText("/oauth/backchannel-logout", oazapfts.form({
+        ...opts,
+        method: "POST",
+        body: oAuthBackchannelLogoutDto
+    })));
+}
 /**
  * Finish OAuth
  */