fix PocketID logout url

README.md

@@ -721,6 +721,7 @@ OIDC_ISSUER_URL=https://pocket-id.example.com
 OIDC_CLIENT_ID=fail2ban-ui-client
 OIDC_CLIENT_SECRET=your-secret
 OIDC_REDIRECT_URL=https://fail2ban-ui.example.com/auth/callback
+# OIDC_LOGOUT_URL is optional - automatically constructed if not set
 ```
 
 **Security Notes:**

docker-compose-allinone.example.yml

@@ -94,11 +94,14 @@ services:
       # The claim to use as the username (e.g., email, preferred_username, sub)
       # - OIDC_USERNAME_CLAIM=preferred_username
       # Optional: Provider logout URL
-      # If not set, the logout URL will be auto-constructed using the standard OIDC logout endpoint: {issuer}/protocol/openid-connect/logout
+      # If not set, the logout URL will be auto-constructed based on the provider:
+      #   Keycloak: {issuer}/protocol/openid-connect/logout
+      #   Authentik: {issuer}/protocol/openid-connect/logout
+      #   Pocket-ID: {issuer}/api/oidc/end-session
       # Examples:
       #   Keycloak: https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
       #   Authentik: https://authentik.example.com/application/o/your-client-slug/protocol/openid-connect/logout
-      #   Pocket-ID: https://pocket-id.example.com/protocol/openid-connect/logout
+      #   Pocket-ID: https://pocket-id.example.com/api/oidc/end-session
       # - OIDC_LOGOUT_URL=https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
       # Optional: Skip login page and redirect directly to OIDC provider (default: false)
       # When set to true, users are immediately redirected to the OIDC provider without showing the login page

docker-compose.example.yml

@@ -75,11 +75,14 @@ services:
       # The claim to use as the username (e.g., email, preferred_username, sub)
       # - OIDC_USERNAME_CLAIM=preferred_username
       # Optional: Provider logout URL
-      # If not set, the logout URL will be auto-constructed using the standard OIDC logout endpoint: {issuer}/protocol/openid-connect/logout
+      # If not set, the logout URL will be auto-constructed based on the provider:
+      #   Keycloak: {issuer}/protocol/openid-connect/logout
+      #   Authentik: {issuer}/protocol/openid-connect/logout
+      #   Pocket-ID: {issuer}/api/oidc/end-session
       # Examples:
       #   Keycloak: https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
       #   Authentik: https://authentik.example.com/application/o/your-client-slug/protocol/openid-connect/logout
-      #   Pocket-ID: https://pocket-id.example.com/protocol/openid-connect/logout
+      #   Pocket-ID: https://pocket-id.example.com/api/oidc/end-session
       # - OIDC_LOGOUT_URL=https://keycloak.example.com/realms/your-realm/protocol/openid-connect/logout
       # Optional: Skip login page and redirect directly to OIDC provider (default: false)
       # When set to true, users are immediately redirected to the OIDC provider without showing the login page

pkg/web/handlers.go

@@ -3221,8 +3221,12 @@ func LogoutHandler(c *gin.Context) {
 				// Keycloak requires client_id when using post_logout_redirect_uri
 				// Format: {issuer}/protocol/openid-connect/logout?post_logout_redirect_uri={redirect}&client_id={client_id}
 				logoutURL = fmt.Sprintf("%s/protocol/openid-connect/logout?post_logout_redirect_uri=%s&client_id=%s", issuerURL, redirectURIEncoded, clientIDEncoded)
-			case "authentik", "pocketid":
-				// Standard OIDC format for Authentik and Pocket-ID
+			case "pocketid":
+				// Pocket-ID uses a different logout endpoint
+				// Format: {issuer}/api/oidc/end-session?redirect_uri={redirect}
+				logoutURL = fmt.Sprintf("%s/api/oidc/end-session?redirect_uri=%s", issuerURL, redirectURIEncoded)
+			case "authentik":
+				// Standard OIDC format for Authentik
 				// Format: {issuer}/protocol/openid-connect/logout?redirect_uri={redirect}
 				logoutURL = fmt.Sprintf("%s/protocol/openid-connect/logout?redirect_uri=%s", issuerURL, redirectURIEncoded)
 			default: