From 20adaf9d557166d38645a3d3e6d366715e2252e7 Mon Sep 17 00:00:00 2001
From: Javier Romero Castro <jrcastro9515@gmail.com>
Date: Mon, 19 Jun 2023 19:41:18 +0200
Subject: [PATCH] Oauth: add post log out docs

* closes https://github.com/CERNDocumentServer/cds-rdm/issues/16
---
 docs/customize/authentication.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/docs/customize/authentication.md b/docs/customize/authentication.md
index 13f8b494..6368d998 100644
--- a/docs/customize/authentication.md
+++ b/docs/customize/authentication.md
@@ -353,6 +353,29 @@ Properties marked with `True` (or omitted) in the precedence mask will be taken
 from the authentication server user information payload if available, while properties marked
 with `False` will be taken from the user input in the registration form.
 
+### Defining post logout url
+
+By default, upon logging out, the application will disconnect you only from itself. However, if you logged in through an external provider, logging out from the application will not automatically log you out from that provider. To address this, you can define a `logout_url` when setting up the remote apps:
+
+```diff
+_keycloak_helper = KeycloakSettingsHelper(
+    title="CERN",
+    description="CERN SSO authentication",
+    ...
++   logout_url="your_app/logout",
+    ),
+)
+```
+
+After setting the `logout_url`, it is necessary to include the following configuration variable:
+
+```python
+SECURITY_POST_LOGOUT_VIEW = "/oauth/logout"
+"""Required by invenio-oauthclient to be able to set logout urls for the remote apps."""
+```
+
+This will redirect to the appropriate `logout_url` for each of the enabled remotes in the instance.
+
 ## Security
 
 For increased security, you should define the following in your `invenio.cfg`: