From 95b35f62034ace82f88c135ee1b0957b2b74e143 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 23:06:56 +0200
Subject: [PATCH] fix: make OIDC logout resilient to end-session endpoint failures

Fire end-session via fetch(no-cors) instead of window.location redirect. Always navigate to /login?local regardless of whether end-session succeeds, preventing broken JSON responses from blocking logout.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ui/src/auth/auth-store.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ui/src/auth/auth-store.ts b/ui/src/auth/auth-store.ts
index 7cf318e7..a01adec7 100644
--- a/ui/src/auth/auth-store.ts
+++ b/ui/src/auth/auth-store.ts
@@ -154,15 +154,17 @@ export const useAuthStore = create((set, get) => ({
 isAuthenticated: false,
 error: null,
 });
+ const loginUrl = `${config.basePath}login?local`;
 if (endSessionEndpoint && idToken) {
- const postLogoutRedirect = `${window.location.origin}${config.basePath}login?local`;
 const params = new URLSearchParams({
 id_token_hint: idToken,
- post_logout_redirect_uri: postLogoutRedirect,
+ post_logout_redirect_uri: `${window.location.origin}${config.basePath}login?local`,
+ });
+ fetch(`${endSessionEndpoint}?${params}`, { mode: 'no-cors' }).finally(() => {
+ window.location.href = loginUrl;
 });
- window.location.href = `${endSessionEndpoint}?${params}`;
 } else {
- window.location.href = `${config.basePath}login?local`;
+ window.location.href = loginUrl;
 }
 },
 }));
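Review bot: The new `fetch(..., { mode: 'no-cors' })` call uses fetch's default `credentials: 'same-origin'`, so a cross-origin end-session endpoint gets no IdP session cookie and any `Set-Cookie` in its response is discarded. Depending on the provider, the SSO session can therefore outlive the local logout, and the next OIDC sign-in from the same browser may succeed without a prompt. The response is opaque, so the code cannot tell that case from success, and `post_logout_redirect_uri` no longer has a visible effect. RP-initiated logout is built around a top-level navigation to the end-session endpoint; if the background request is kept, pass `{ mode: 'no-cors', credentials: 'include', signal: AbortSignal.timeout(5000) }` so cookies are at least attempted and a hung request cannot hold up the `.finally` redirect. Also add a comment above the `fetch` such as `// best-effort only: SameSite / third-party-cookie blocking can leave the IdP session alive`; the enclosing logout function starts above this hunk.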