From 9e53b8814b69f1768e1229708b45dc63409c6b24 Mon Sep 17 00:00:00 2001
From: Christian Cueni <christian.cueni@iterativ.ch>
Date: Mon, 21 Oct 2024 10:40:23 +0200
Subject: [PATCH] Add logout with id_token_hint

---
 client/src/stores/user.ts                     |  19 +-------
 env_secrets/caprover_myvbv-prod.env           | Bin 1104 -> 936 bytes
 env_secrets/local_chrigu.env                  | Bin 3076 -> 3228 bytes
 server/config/settings/base.py                |   2 +
 server/config/urls.py                         |   4 +-
 server/vbv_lernwelt/core/views.py             |   8 +---
 server/vbv_lernwelt/course_session/views.py   |   4 +-
 .../dashboard/graphql/types/dashboard.py      |   4 +-
 server/vbv_lernwelt/dashboard/views.py        |   5 +--
 .../iam/tests/test_permissions.py             |   4 +-
 server/vbv_lernwelt/importer/services.py      |   4 ++
 server/vbv_lernwelt/sso/urls.py               |   5 +++
 server/vbv_lernwelt/sso/views.py              |  42 +++++++++++++++---
 13 files changed, 53 insertions(+), 48 deletions(-)

diff --git a/client/src/stores/user.ts b/client/src/stores/user.ts
index 1f41d130..d8413709 100644
--- a/client/src/stores/user.ts
+++ b/client/src/stores/user.ts
@@ -5,14 +5,6 @@ import { directUpload } from "@/services/files";
 import dayjs from "dayjs";
 import { defineStore } from "pinia";
 
-let logoutRedirectUrl = import.meta.env.VITE_LOGOUT_REDIRECT || "/";
-
-if (import.meta.env.VITE_OAUTH_API_BASE_URL) {
-  logoutRedirectUrl = `${
-    import.meta.env.VITE_OAUTH_API_BASE_URL
-  }logout/?post_logout_redirect_uri=${window.location.origin}&client_id=iterativ`;
-}
-
 const AVAILABLE_LANGUAGES = ["de", "fr", "it"];
 
 export type AvailableLanguages = "de" | "fr" | "it";
@@ -150,16 +142,7 @@ export const useUserStore = defineStore({
     handleLogout() {
       Object.assign(this, initialUserState);
 
-      itPost("/api/core/logout/", {}).then(() => {
-        let redirectUrl;
-
-        if (logoutRedirectUrl !== "") {
-          redirectUrl = logoutRedirectUrl;
-        } else {
-          redirectUrl = "/";
-        }
-        window.location.href = redirectUrl;
-      });
+      window.location.href = `${window.location.origin}/sso/logout`;
     },
     async fetchUser() {
       const data: any = await itGetCached("/api/core/me/");
diff --git a/env_secrets/caprover_myvbv-prod.env b/env_secrets/caprover_myvbv-prod.env
index e57d1105820c4157d6805e596db4d19d48ddd0ef..13eec0c7af7f289e86933cd2d5ed3ecacf4f4f93 100644
GIT binary patch
literal 936
zcmV;Z16TY2M@dveQdv+`07|TA**CljzJa^mtbb5r0@^FJu8AbgAQLEh^I$GXr0VFb
zy2=xIC_17|*5)&)uqN44=8yL*QE&-irF&T2G@+H*AUjP5N*~yvNmTI);_KYZ7_NPL
zm4zT2v}ko>*PD$`ft>!wFVczh3!lg1F!JO^oa7n~(LwKD6LFy`jYDMvlL>ZwEt1Yp
z0ebagqw;5VR(0@>knx1$mw@jrBcY_j7XfQ)MkDwX9xJG#YrCHSXF7+;e?-jOt^(2N
z<7+VME3pn15z<vtNb3%c=EYruzk`UnTd^LKD@cXsiNPPMedI8(yZNRe9X0It&H<ra
zozIW93&3V8OQl|f{F>xaBcXiclGI)7QS_#pVA4UIO=Bs?lPu3P+r1K4vNPH%jgu!Y
zZQ;o>!@!r91wD0$ySrnTYY&{z<&d|Be<2l0qmm5=86v*la&2-P0n^`>z0)A^4{geZ
zC5RcNG-n}lSJe^BIh(FB5Kky{sZ`71b7WY<-9Fmt<Fw0)F^)_dRbDq@Yaw1D<$nJW
zIs)ystVSDtXE8a;!pF1BrV&C87J+W>q|XCfnUsV%&;+8Tc<~0*poj*Xu?K{I+Ta*2
zyqIdUzRuYN=z8;T*d2>`ArLYqOISde7;xY?g)>`xxNv@L5$wkJa5LUu_NTcc(7CEP
zK6=MhCD%%q{PXy_9lyl1y=MeN-<`;+^+1x>atfd>Bt&BOUb+&!h?ctklny#;Wywd;
z6)Q0KIzHv=fgSK++nv1RmFX~z;v>q$$=ppV?|+SM4KOOgKPn7eaG;>vOwQ||63&c9
zC$Hz!n!6xn^hf=iWX4$$GqS}D;S9O{+p$b=p!43sw6W@<M2<R$*kYB~O&E2eA<@@A
zinzsJL-2q(8q!blC4&s<i8y*gpn@;brHU(83D2F)_Kn)6wv)Gz`XMUexIXU$-!Vez
zSC34Y1T+V6L2)gaQN2_=Gs)nGSIglgGS)b(4a_idH=)|dDm`f3*7S31Bos(;(MGWe
zE`Rq?N)wRpx0J4O!**cW?p4Pmu!LFx423I4Sz@z9!@t0UFApi_;Wb&9O2Q)Us)joV
zqUWyMPj^Oi(cHgOET9d;qsBJVbRi;Kp2$W%f>Z02b0kg?g_sBD*EVYT)piO?lN?16
z8>M-c)L~xV<7zOUX7uis+pRx-6np&68!m|?M=VM$uN#pQ$8@^F&DZ`UcCPbE`O=^2
KN|WtcxiCk}^V1Lj

literal 1104
zcmV-W1h4x5M@dveQdv+`0LjQyb<CDw-$i|OMWattU43?$!Xnv7YicE-33%O}$w|?W
z+^8b;lBx21_foML=25?Ssks=N<T_y*&r+N6$lOPjWv5M=2`Ki#iXu)F^IjL~DR%8n
zLQTsIAOt!pyWy-|(YZ?9z)FJG>L%@FTDC2zfrE&XHL3-iQ2pJoIu{W!8Ei)|@kn56
zLhus`AmlXB7hD-g#s=WXYT|M0J{?12a|{-~u_|JMC%Vl~mi4j~mdicxa7+3xKnF8h
zNbItt&rSN8^cD)Us35Kxy=?t=G0>p#zFk+O-lPk?0~eim>6kL&qJ93^rv#un$5P!^
z5v?y?$a#BfzqCT5(|mTc=m}^RmkwW-^rG@C4XJ&1w*Y0lN<e%I6Nr}zEYx;DfCq^e
zLwOFlHV#?jBfke*)2vXBcCBw^aIRzj*#W2(7b|W-bL8TEo$X&6G@LWr7`uYpQo#NZ
z0WJ1ao+L`xeK5F>*ZLa|e)04N>WbFhHmep;3k5)5Pfq^ujO-_qQFzqMGK0w!#P8ra
z_6-y>rOi&Etb2`1L!l|y@XOX7Jc)+ZGlwj70QEre+H(Jr0bl^Ps!}DTj@<n)1uluY
z_GC%b&hU-jt3Acjls(B{XNLG?kwD)S=FBPpK#6`!oH~fTI2-PNM1Q&rlIEjh>7ZjR
zV*7{BffksAS4Sg?3o%>UhmgMAoZllzuU}Qbb!YES8{YcKM|gJtWkOK8E>29Y8F`6o
z$8}zMPuy>kUHu@SHj{?bqQzVl(s#;uwZC0**e%m?Y91_q3ZgD8qZ4d-?2Kyi?m~#0
zO~DCA!Rc%HH1lMU8((B&a368iT6=^1G>bj9pYQ@Jc!CBSIuK3~G&jn@<%v+6hCeq&
zNINUX`)9nJxpiy$k)&E*iEcLNgs-0jo>7u=Tj`DC-2b!afA2`bNai~1UnGohjc7Jn
zfFewFQU4ZQ5j#*d_pJ<Ba4x0^i*&SX_i3!>`kX7MJLhd6mZ$y)O5BL6{J20z!jsU|
z`n>b@tK4B<#OJ>!-nhLENS5q^<i?9#hf$(~4c<m#;{X5!NY&^3WY)y}O&-nU?Tytz
zH!qE?z$Uks%y{yMWy0*xgvj(RUp?Lz>Qb>r8LNG5DhkX^y7+PCn|6W9twMuLARY;*
z8}M)q$sf&}a*|ZQI$OHqLlfz)QPLjMBmeIA+e+n4E=?naayUBm@nLGwyje)Cwa7V6
z1~u4Rhya}fqU0#1Ge7s#7^7v(4DdD{5QGAcS&lSn*o9`wn1GIw#@p+3sk+P8&n|vn
zdG8|Q)V8UyF)8BK$wN??Q@)v2tY6*$OtdRU&!8Yr!Kw?H7*xsqr4*UrpNX4z5mrbo
zK7l?uHW`eR)zzLXFgkL2hFP!?KtG|2gP#r;ZgC#Np39E|*tvC8_(GZDb#EI&wev;O
WNb!G9O*e1Lkl}avHD90I35!JW@FceY

diff --git a/env_secrets/local_chrigu.env b/env_secrets/local_chrigu.env
index f8d1f1fe4f0132d5dbb4f28bb4b5795d71fab916..6c686f355533be7d8abcc43fab9ee13481ddd522 100644
GIT binary patch
literal 3228
zcmV;N3}f>EM@dveQdv+`0ARP_{WAO#O8;F<DSV+z==gwVoOqMk4-AzKBr^WD=XP4%
zcO$|I$Vy>A(CX(0g<495!5VX3BkDQ(r*I;hIW3%I5%XIL>H=BrcP_aOSpJg@PMALW
zC>J!As&S7?ew23^F)qZKsmPMtp2;o7zZ$mJHERp?kn0LbOkpB*#LhGKX<<e#+ZYMd
zvh&;Ib;Y%FGX$9@qTyJ$?Xkx14UkH5TbfrO-jOkW8#Iwg^OlmjjHe<hyn2nMrr<Fo
z;I7zIhjv2$Z({+vTYm*N$1X>LBjwT=ijG_m8kfzew53Sv7I6G5F7&H1AbZr>ndX}S
zpTrpLYMEy#Y}U4+;ibZb&(?tRW?-48F<Srz9;OZRUFFTU2S215RRSe-T^Xo2o>AYq
z*_-deWKI{HoX725ULM)V*U7p<Q)y|#p#$>!p=)>vM2BA8ejGm2(q0f8q69#SrOOQ$
zjw?o6!lNIuVHeFRM$}gof2qZL+Ba@q9EeR{VVP1Fof1{Hs%Ws@UROguY))?V$b!Gg
z#`SW=v}$T;MsJUtWmb6YXBTkM?sz*}oS${Js{V6i@I0Hyoz|g)gX~q}3Z4Lo47x|&
z`jk2=i~TWiYlw}kuvpu}!VG-@RXxEK75dt%=Y-?vZvix9qrbiqP@??cSy4bObYTm8
zEV`cSNe8rT!AV|v60(4?Q2>os4Ad$H=@}o%9}_eqT!FVrYJ)K`G<NPJIFGU#Pj09=
zsGk>XSNG44yP@VxCkQ|D5PTg%Qph;WVT0uVZB38tKxhTlg994bD@jF|itI`KAIt)i
zjLVwU@AYW-N_akmZ6^n-$#Gv2E-KQw-Wp}n&9jWKIhGOCe+NIBYrTtQQF<U~fL;x<
zJ!H}LO-G`~CrZBCA?^_|Ll{H~&s7xc<kA$|aQ^oKgh^Y)cf*8zqa*@jA<1U5q5=pS
zsy3u;m5t>vI(t2vml!OWIie$KZ`D5kH!$6Q*{lf>bMu#0KWQ?S40+IhCp!-Lyw{?U
z<gRsk`QoU(fUL!vqv$b#5~_aZC1b31D1>SIJ9EmT8MRJoMTA?^)YSxfYQz$#xCGkP
z(rH!$c|cy1lAB|`*#hF~ZWl67tpv2xAw0Q3Pt6lt?aSCJC}5;UqotA9CUsPjmEWab
z+Nik-&aW9TJI<tMek7T6N`pL5!<_Rr`M7v2Y&H;1f}-eZ+kpF4x)`QrFHvHlD$?2)
zpLeiWefCw@^lJsRoD-QUR9#PyvZntw;>55C>|JWp-InPhwSqD}rmh%>Zi&0PHbrEh
zIt02|>_mf?Ckk4!+kBebj{x;><EC6guri?)lz=ckETJ^LZ6cYZ>heV$dPt$RrsC@m
zrZ*~xs7#bfeN0%TC0Z+tZx%N-{F4OW*8()V(`LpkRVXgvQs_EjmGZMHs0=G^AFyL<
z?<x;5p~flspm>p|@TF(=&F`PY5wWLgFIi4)SocL9OxX?IvSqDS!ft$mZYtphZrlFS
z`2BB&H;5Ef$Gjk))A3GELiY9Z%x*pJwrHw{L}SCc;o8Cmf&7hVz6KRog!qW)TZ(Fo
zUQMUFT&?=N!<4&|2J9w#X4E8d*1`uC6sOT)e?y3C&(nGfhR&f~7|8Ik8t_UaPo^Vk
zr)qH`@-=_LHzW>!G#m>hy<u_%HNDr{nO!YDKKPtUVd|!DOrD&`fFhc5!-~2<<%3u{
zsjo$grEq?t+M|}1gjP2WzJxUb;>G+FaX2-lqMnr6B-i+u)|jjMhq}*A0|L(ijTaW-
zmiQmu;<zwq>;LwyA_U<iod2pkg4jma>Y!N<SjuSoC>WBTIQrvYINyq=^SjO$j7O_<
z$W;3I>gadoM><;r33Wcaoz`;)5doLFQ68%<gwcV-_>s~Dg<b<o-A8inC%VY;1dhBR
zPJA$^160ee#sq@dpnvguA8~ZTa-&D3tlIC1;3wqsvd`O&gxgab7-JfjA`yzr3n~`X
ztb!_825%ej^*Riw$bpIRf=^#hh+lF#DX~(50-pw~)>d*hsjZ~(3@JNIO5@FrZH95O
z{^xp*L}zcXdO={Ad$r*?zdF3bkMuiSng&m4?IQNNgrAQt#yPDZ(C`F08>Mwp0jej#
zu!qT$Ugs_^g2fbG`GVr~+fQoD)z`c4M%eJcb0zsNJDzVo6Z>5q&s^>*2h`c72|mV$
z@$!5`dBBGhbF`GAg1VIvrF>PVQP%+YPSP>RdE%HCWlx%g>Pl(}Ho~2BB)otQSSROj
z33}-wN@4$@K~Phbg0++VF9~RzHPdt{4hgAI*s1~xAv(v=5Ov`i?iD7NJ<dLI>)cH^
z^Uh%SQ6fQRKGDZi2y6Q099rTAJQ}GC8fa|rJ#YXgDpeWV2dFZAv#)+lf?ei{{5!fl
zy%MgLM?Qob2_4y1tbtblnK_oyLJx(I%qfAcHW>JO+0YqgX43BU1b|i{DWQ?(t(K^Y
zjT$*AUhOU<ZvJuhD5^A~I?Z7BrqJL5WV6NsAwd}xxPJ#u(p(xEU-s(98sMoyc}<f<
zBc?sD;Z6lzUW@fl^~r9u@$5`|j(glbWf)yUpWa3-5sDi+Sb0K2;ge}g4YJHPe-ws`
z=#BxNJj|gkYT}^<?o2)h?V6`rG}tR(cdgV9&t3)=gyrCdDh}%w8Fu)VAw7-Q>gyA_
z6IH|7=mV>MzTKGR!=`1+VPkvX*|?R{WUMpX%=uttb53~5F;7}!1?>jsyR84-X%8H4
zH3s5q^>ZXBs`i&6Qf8xmhYMoy$4`@6vnOgTRoMH@9Wl3fx8Tt>`}1+9&_?8op@10X
zvjzPW`z(E-ib|NlTLv99#AaYzee2N>o6GuMptuwR+-QkX@zn}xuT>b5zy7Lw6FAc9
z`gG!FY3KB~v){oNN>Z{FuS4n3p+k7)p136RA<pI)ixn-PgNp(;5P<WP<qJ%Lmm@n?
zMrwAwlsUQ0Rwj^z)-2Ycz|PBfzaCsuh#Qx23|N~6U@;rOrIw<5;VbRGzyu*r_9OrE
zq|X0kFeig!`tpV`{!8(`V|$fM(L7MFL?2cOIX*vKVG95-b0faWvyHU<*LI<m+z!8K
zXFGD^SJqb<qXrtIRJB|dbgr#5g*?__w66p?)3^1C<Wl_sK}){l6cPsNGayBiD;S-F
zu>4I`z8#n~K{_@QW<8(7H_gvoS}>;8&Jg#BvV`PTeLuKaOz4oCXr;<%VUH8ay90<Y
z+u*Eqy{{7=%cVyz<JP*sbCMVeW2JTg1H^8VMV%gFY=;1fQbcC8vuYmVrW(uk6*pKj
zcS4f(O6z&m-oZWYB4&L8#VDET+XU0}*2W8i3VgBXudhSNo1{@X%F;|?MFA%;ul-To
zqLvV6h^)K3tzlO%*?HW_pU?2pbF@GfZodgz$yNr{^<19&LuKiA(jq9m+VRi(uS3iA
zB8_I=|Lo5)7YrPuUuAr56@)h+K&C`J=kR-VExJrfN2=LU!d?+^lxX#|OI<pep_o@S
zA|VnKoVWW$r?X5hpF4V9p~Am=+Af;?1J7v6@^OI;w~j)O6yU9c*YyBxzh(b4g<iT@
zalxcNN|7X-gz)G{3taIWY<CDE_d^&}Yh5XBf%V@8;YIQ+e-8f(6Gbz=!rUT~cyUc=
zG=*q`v8K)8nl`p<!jPK+DctdCRHt4!mB%~<qeH=?Qdw~<)9oR|VZe2rT6=#*K}#xK
z2zRxakxx1F49z5*f77txY_TvBM=VY3z$WzJ=#;DG*b~GVk71j&lHcpw8RW$HjBkU)
zCcLsQ9-SeM=YFMDhhy61T6EEG{TJYlZOHYx3AyD!hC%cpKYl4wPc|b!{{Y}OjM^<-
zOclKjcT&p4$c!MA)fUoW0_Gw!rCfyqlmRyGhS)_=l!a4aQ7Uh#?>$<3kn~Qon|Wze
zGQxY}dgeI27xksBiV<HYSY-?dyDLV{hQ2M{zJXgZ%sO{cnN7}y7$z6vI^D;3p976R
zWl%nqqcToZKsH0kNTh>J?`B&FjOBa3n111iM`{#q{`Os0{gQMBZ7_3r;$o+w2`C!$
z;zmHn4hmfGnuqK9-?e4-Hp(g6{x*Yy4JpB-M<7MIf7Av${t4<M!P(#M?qURBjQ39}
z0{CAK-b|NLtl<(`tZ=kBmP@|~Z<{&Vd$(2jb}$=acTB(HAxDcWTy~P7+F(%i3ZUWG
zp3L-?RB9oxVH+t}S`nBKb%>yRoH{;<dlyl%KhpmBeIJRU;8hUSWwi{PM%O1~U(R{p
OA_52K0_362o}$}a)i&(_

literal 3076
zcmV+f4Eyr{M@dveQdv+`0GuvuK7UIF1B}VLp;$&Em|5$T#Q5Rtxw_eLB2NvBUCKqv
z_!5bB_C)$YuWOA<#ZcQik|-ZLBmw+zDZ5fSq%csOS#sCQUN7aKq#}jA7D5_a77Ryj
z7`8mndvaxH4QCGNSwl72Q*J<mfpXpekj&Bzd@_6*!~I?Uw%fn;8r4tPO%KbG3qRgk
z$4(l_iKd{nt5`w^?R!MU-5@v_Ia+-<(lz{*GIRB*a2nPfM&&quO0(men-cOMstNX+
zQNNy&c9%}&oSOLKK?w@rGiK687UWe;$+1s%RB^e#S!%B*<=p|iCuGGNziuiO=|myR
zP257fQ@DEkeZGsy@6r6<o8q&{M?8Q7Tf%G&6B;eIq0rBd+~10}jtWPuR0~+tY#O36
z9`kcg^e~b(x=CSEEIV7|dCm`nVG)tOD-Mj@r{;6~{FquUo93Y?Vm!Ag`qrKmtHMGA
za|EDrq$cB}ezAi{fNMs{Cyc;-J*j)?f0R^f>^ECfS^sLnt>&g`pUm~7n=;7FH9NMQ
zIUzkzPzpbkbp!hvb28g9e58UGfzXKYyS`$O0o(J&d}HY{V<_`gMEqvr=l{PZ{R23Q
z<Cn9}?{xFpn4KmKe|N|1o`E82Mut7v5v@{4)xCw(=fk00FA$5AuzA@g^-VH!M#sBC
zSEP@5dq6hF>2g|!ahlAJxL+h*@g>jMx+Zr*09=9w3xy_bBymOK<?VC#Tcay0T&MD5
z(q5-)ErykzB@uW>X5YXRw-w4+P;Dh6V(QN#D_n?=$(s=lNrIt&dLDR9R^3k9JTPRA
zo48r+(IF!^tU22>634=|gVS>6rz~@za2JR51kT(5tQks2Qh;635J}z#wyIHq1s-h1
z#?O?GwUM8VF?lk@7IG%>elb@F*T7oB>~(o&amA<?Nx1<dG?LxWU06r}f~^%2Zz{Cp
zWL106Gy{-_m%MqK!3ywC@~Ex3oJBaB9IG-?pBHkp!st94;oJC;%fR+}%iDcg0rYtn
zn913XKWeG#OpH@?Fvh3!40tFXPI}HwyHe{iHEf>)OpMFPqZeCF;9)Ux1&0Fm$K`A`
z**wXGw3lmq#l5(AqUBmbkQV9oeknO}3wW}L%^e;VFk`=CgQt=a#j$Pv_8#f#s3bwz
z14?e<1<OAYw4*eYmL_&G>Ry&p_!@K84dSP-q6M~>s_t`OQ337V*h1|za+3JWxS=xY
zVOe@?#mY`e?Y)oB!RqSkY(r32!~~jGTDUVS4-xBRC&g4rjlkBo@Kc`Y210y=Rt3V0
ze(e9xKe%w2DD`|h=zxU|EY5Z&2b#wLwYnHz`LJciut(<h?q^bm1Ej|a299Ie?sp|D
z2APMk+DAj!z6IRgJ#(YQ*O*fNorn@{ZK*q+A+6ldxYT#sDD};g)16sIcLk$<Vm&lU
z5yBfcMWP+<RszsgB1r-B&BH<s<*ZS;z~^rw#O(zh>S9m-HOEwq#<iF?f_!}NXj6>2
z1mpy>-CWxTrGz{4gF0_H&-+_4JpqtfU)JFTZqnZ9Eg{6(;{?Iw3<VtcDzu~YY`Ff~
z-{^qzevOntdZ=%K&Yd6e{Y()53ozTM?pFPf)B9?E(%Z7Ft=|yQCbQWs!;m<5p0ST?
zK<CbW!uQ;xr7rbH8a}y6f*Sg-VDTL&8vY+$cLok1>Nghh7sX6ii|zlnb{^M#%5@X$
zr3Nl2>y8$<5-%kwa(@B;<%t#XD<D(v?%mU9`Xkl{;Cx1JhSyYe`4;D^sIW{twYS|=
zHQE&-NjGUNRgQ8kkIH-~%cV$R3fTU){!?J?kqBcSP{!&~E?0^4rvmu4!4+DJYz??l
zy!dyII+SFJJ*cb8U}J-xqC0%^U+>_lvBntvP<HqK3;&FdJ|E_j_rYM{FQ&~w`&AN8
zmj+;Olk7}4kxHA3=z4=KW&G0f9LKO81}s-K)iqh9b2q<Z7)iXl<ep)whLb_KP+FCc
zNd;O7Rrp;XC9*kaWfLBCY?`&a4E&@ZQ)@sOh%qyF5s9!1drk*%lcp>Aey4S<txI{g
z`3=sGs02nYC2iImp$kYV^jc9xbv5fHlt+>zn?T=m^)Dk>9^Dq0+8MIpYS&ekY7h@b
z<>3F^)m%d8#!|G3BSeWX;`W_%Ryy`=!HV5+b`Z6L-<7i!n{$4~1%Tc7anupuCx9@f
z^8keYpRp{eap)!fb*z*8e?d<IFh^xlJ7ec5&h_mdI1IZZV?lJ7i(8yygGBoN(}I-L
zqD@;6r~twBw2tTk9&h%ifTHp;ql<i<mvOk=cyS<xig4qVgb7X$7fxqXwk&+f9FYgt
zM{Ou~mkDSr!Im$^wllEBQRUq{XYPQw#;#DUz+OxNyus-!HZ9>grZnEh<b~p0^oc9e
zdHHPWV-p-aD(=#VaY_DD&?9pb;GP1f2vbZXPr7`n{qX5g6^vV2aY&Z+Pj5;3F`?`4
zkHX&)<vjc*WBj`zqLCy)0$~s9HE8^CMo$NOw}V_2mG^mBHC^;xfm|`e89qsBrtbC(
zRV_oRl$2$4aBIZypt&+aUX39u_*59Z(H@UQYO`2-bfq~Bk&rc=dr_hUw?NGGw{Pdq
zfOsg(Uz{vN>EHH9)B4dDkK@bY-=dpvQE;X>M<o{5Rr)zev_S=^#FH%}mZDp<5VFCN
z%MqU}w?h`_PyBZ$3*jbV0sH0X$VbAb?`DlNz@MC)I%pEqWfqp-ghAp)1%HK^L<ZFa
z9HIV4%#I!P?~feYXIr#h_G*`b+KTYr#Ps0zB-D_nJ-gG{x^|I}UFC6pD!yVwrL4Y<
zAjI-DzaiRNcTuH$DHD?3mXCS8yBz-ZSK4#OXFd#fh8L_Z8oD?RU|2ea0>oylX}Bl>
z_ndq%lTxMN9XECfK2+ZfUBKqWhn7fi4nh7*HU|#<Vo5Ug00NduG{{wuHe~Te<7#2B
z?<k?rSQ6Y^<rq39!{|CGYb=z-r1so8g2*2(Fsygf_XTN<o>iQX^aa%Q-$AHUGxv#8
z#*KLfo*#WNxmC*qqm_Ws`9S<C83GZqZ0Z4iS!*DZW)VrNXH5g_Bz*Fhz^(JdIoj9L
zalPma51kA%tOFFy$J^Gw$#{c}Z7nba`qm0^s+gCj#sRMn(c<`J$=~I-KGSUK+P|Fc
zu}BPOKTwmNda)}Ng7JWD$xhPVB{ZkD`Z^~vcyq~v8mi}bQB(y~)5+Nul)#$X>U$<Q
z5|2cf78o_#2|m$NiO3X7QY_bz7Anw7J?-x+@eL$%L%rB((%<eq&oy@ZB?C&4llM)3
zhc7dJz4EJy?)AB1-eUTaOEI`fEvUU2bF3Bbzl2+0KsVgG(N7?rb4u^L|Gy8{fVOcw
z)RD-<R)wePTMcn}z?Fw3iASi1$L7MXo-9p_aRW3~UjvI`UwT=E8|cdN-1mt+)~GEv
z!JPd$F1o7__8&r7ar4U$*s}p|f>KSd_s<qWZs*fuEq*iTgz@_;TLMbRtYM2gW|NVL
zO)XJW343CZG%_YgOX8>C(Q95)fXFP9PEUyN5|D2kMwWqsfzZeQ?we6!|I54j*hbu%
zed-A05#vt87|c)E9h`;Av!UJB0QM?GYW|qlY$S*EqcI;|Z0GMS#LAHV6lY(D_+E@n
zp1;y;M6Kj@<3c8SXC?h;!!I30Q`KkH0{!g}b)j85FOes=eBgS+Wq`guR%^PMX=+93
zT#>t7?B8a4<TrwwYMA6Qf%Hu(s9hK0E5~Z@pqy%f)G25IKzd<rgoSqBu^aR(?)j3E
zXZhV0jhM)$#^#&aS;t)@Ra=M|p#j|c_nbnjx}wt(DGA_DBOi@0;lEU!CysIgZJojL
z78>u1;OeNj{nK#y&!dj`ACrQ@C=@mS(@+{^5Ivwpybk->76nyl#4(r`Pg0k4>+R_!
zaehfP`E7fd>((P5Ly9e+c#j^q;Q|Cn>?G=|u3?%?ZNQKdme3ZxVnfTzE85}lRmu+G
zQwI3n{+7sMI6Lz59pVnMW*%9esfTAg0EnukifKDQbi^LCs~tQqQ&(SUTfP25$s_lh
SG|qQ$W<Mq%<a}XK$+ZQyfd|z9

diff --git a/server/config/settings/base.py b/server/config/settings/base.py
index 2f79e970..68710668 100644
--- a/server/config/settings/base.py
+++ b/server/config/settings/base.py
@@ -639,6 +639,8 @@ OAUTH_SIGNIN_REDIRECT_URI = env(
     "OAUTH_SIGNIN_REDIRECT_URI", default="http://localhost:8000/sso/callback"
 )
 
+OAUTH_LOGOUT_REDIRECT_URI = env("OAUTH_LOGOUT_REDIRECT_URI", default="")
+
 OAUTH_SIGNIN_URL = env("OAUTH_SIGNIN_URL", default="")
 OAUTH_SIGNIN_REALM = env("OAUTH_SIGNIN_REALM", default="vbv")
 OAUTH_SIGNIN_ADMIN_CLIENT_ID = env("OAUTH_SIGNIN_ADMIN_CLIENT_ID", default="")
diff --git a/server/config/urls.py b/server/config/urls.py
index 0077db32..7789d41b 100644
--- a/server/config/urls.py
+++ b/server/config/urls.py
@@ -29,7 +29,6 @@ from vbv_lernwelt.core.views import (
     rate_limit_exceeded_view,
     vue_home,
     vue_login,
-    vue_logout,
 )
 from vbv_lernwelt.course.views import (
     course_page_api_view,
@@ -124,7 +123,6 @@ urlpatterns = [
 
     re_path(r'api/core/login/$', django_view_authentication_exempt(vue_login),
             name='vue_login'),
-    re_path(r'api/core/logout/$', vue_logout, name='vue_logout'),
 
     # notifications
     re_path(r'^notifications/', include(notifications.urls, namespace='notifications')),
@@ -241,7 +239,7 @@ urlpatterns = [
     # testing and debug
     path('server/raise_error/',
          user_passes_test(lambda u: u.is_superuser, login_url='/login/')(
-             raise_example_error) ),
+             raise_example_error)),
     path("server/checkratelimit/", check_rate_limit),
 
 ]
diff --git a/server/vbv_lernwelt/core/views.py b/server/vbv_lernwelt/core/views.py
index 191ccc40..896041af 100644
--- a/server/vbv_lernwelt/core/views.py
+++ b/server/vbv_lernwelt/core/views.py
@@ -5,7 +5,7 @@ from pathlib import Path
 import requests
 import structlog
 from django.conf import settings
-from django.contrib.auth import authenticate, login, logout
+from django.contrib.auth import authenticate, login
 from django.core.management import call_command
 from django.http import (
     HttpResponse,
@@ -96,12 +96,6 @@ def vue_login(request):
         )
 
 
-@api_view(["POST"])
-def vue_logout(request):
-    logout(request)
-    return Response({"success": True}, 200)
-
-
 def permission_denied_view(request, exception):
     return render(request, "403.html", status=403)
 
diff --git a/server/vbv_lernwelt/course_session/views.py b/server/vbv_lernwelt/course_session/views.py
index 8839da3b..b3d45e29 100644
--- a/server/vbv_lernwelt/course_session/views.py
+++ b/server/vbv_lernwelt/course_session/views.py
@@ -4,9 +4,7 @@ from rest_framework.response import Response
 
 from vbv_lernwelt.course.models import CircleDocument
 from vbv_lernwelt.course.serializers import CircleDocumentSerializer
-from vbv_lernwelt.iam.permissions import (
-    has_course_session_document_access,
-)
+from vbv_lernwelt.iam.permissions import has_course_session_document_access
 
 
 @api_view(["GET"])
diff --git a/server/vbv_lernwelt/dashboard/graphql/types/dashboard.py b/server/vbv_lernwelt/dashboard/graphql/types/dashboard.py
index 43d2b56d..95480e26 100644
--- a/server/vbv_lernwelt/dashboard/graphql/types/dashboard.py
+++ b/server/vbv_lernwelt/dashboard/graphql/types/dashboard.py
@@ -30,9 +30,7 @@ from vbv_lernwelt.dashboard.graphql.types.feedback import (
 from vbv_lernwelt.learning_mentor.models import AgentParticipantRelation
 from vbv_lernwelt.learnpath.models import Circle
 from vbv_lernwelt.shop.models import CheckoutInformation, CheckoutState
-from vbv_lernwelt.shop.views import (
-    COURSE_SESSION_ID_TO_PRODUCT_SKU,
-)
+from vbv_lernwelt.shop.views import COURSE_SESSION_ID_TO_PRODUCT_SKU
 
 
 class StatisticsCourseSessionDataType(graphene.ObjectType):
diff --git a/server/vbv_lernwelt/dashboard/views.py b/server/vbv_lernwelt/dashboard/views.py
index d7e54ec5..16d2608a 100644
--- a/server/vbv_lernwelt/dashboard/views.py
+++ b/server/vbv_lernwelt/dashboard/views.py
@@ -24,10 +24,7 @@ from vbv_lernwelt.competence.services import (
     query_competence_course_session_edoniq_tests,
 )
 from vbv_lernwelt.core.models import User
-from vbv_lernwelt.course.models import (
-    CourseConfiguration,
-    CourseSessionUser,
-)
+from vbv_lernwelt.course.models import CourseConfiguration, CourseSessionUser
 from vbv_lernwelt.course.views import logger
 from vbv_lernwelt.course_session.services.export_attendance import (
     ATTENDANCE_EXPORT_FILENAME,
diff --git a/server/vbv_lernwelt/iam/tests/test_permissions.py b/server/vbv_lernwelt/iam/tests/test_permissions.py
index 2678502e..5194710b 100644
--- a/server/vbv_lernwelt/iam/tests/test_permissions.py
+++ b/server/vbv_lernwelt/iam/tests/test_permissions.py
@@ -7,9 +7,7 @@ from vbv_lernwelt.course.creators.test_utils import (
 )
 from vbv_lernwelt.course.models import CourseSessionUser
 from vbv_lernwelt.course_session_group.models import CourseSessionGroup
-from vbv_lernwelt.iam.permissions import (
-    has_course_session_document_access,
-)
+from vbv_lernwelt.iam.permissions import has_course_session_document_access
 from vbv_lernwelt.learning_mentor.models import (
     AgentParticipantRelation,
     AgentParticipantRoleType,
diff --git a/server/vbv_lernwelt/importer/services.py b/server/vbv_lernwelt/importer/services.py
index 2e5894d5..5f8beab4 100644
--- a/server/vbv_lernwelt/importer/services.py
+++ b/server/vbv_lernwelt/importer/services.py
@@ -496,6 +496,7 @@ def create_or_update_user(
     contract_number: str = "",
     date_of_birth: str = "",
     intermediate_sso_id: str = "",  # from keycloak
+    id_token: str = "",  # used for sso logout
 ) -> User:
     logger.debug(
         "create_or_update_user",
@@ -544,6 +545,9 @@ def create_or_update_user(
     user.update_additional_json_data({"intermediate_sso_id": intermediate_sso_id})
     init_notification_settings(user)
 
+    if id_token:
+        user.update_additional_json_data({"id_token": id_token})
+
     user.set_unusable_password()
     user.save()
 
diff --git a/server/vbv_lernwelt/sso/urls.py b/server/vbv_lernwelt/sso/urls.py
index ba607c3f..9713edfe 100644
--- a/server/vbv_lernwelt/sso/urls.py
+++ b/server/vbv_lernwelt/sso/urls.py
@@ -12,4 +12,9 @@ urlpatterns = [
         django_view_authentication_exempt(views.authorize_signin),
         name="authorize",
     ),
+    path(
+        r"logout/",
+        django_view_authentication_exempt(views.logout),
+        name="logout",
+    ),
 ]
diff --git a/server/vbv_lernwelt/sso/views.py b/server/vbv_lernwelt/sso/views.py
index a665d7af..bae5040b 100644
--- a/server/vbv_lernwelt/sso/views.py
+++ b/server/vbv_lernwelt/sso/views.py
@@ -5,6 +5,7 @@ import structlog as structlog
 from authlib.integrations.base_client import OAuthError
 from django.conf import settings
 from django.contrib.auth import login as dj_login
+from django.contrib.auth import logout as dj_logout
 from django.shortcuts import redirect
 from sentry_sdk import capture_exception
 
@@ -97,7 +98,7 @@ def authorize_signin(request):
             capture_exception(e)
         return redirect("/")
 
-    id_token = decode_jwt(jwt_token["id_token"])
+    id_token_decoded = decode_jwt(jwt_token["id_token"])
 
     state = json.loads(
         base64.urlsafe_b64decode(request.GET.get("state").encode()).decode()
@@ -108,17 +109,44 @@ def authorize_signin(request):
 
     logger.debug(
         f"SSO Authorize (course={course}, next={next_url}",
-        sso_authorize_id_token=id_token,
+        sso_authorize_id_token=id_token_decoded,
     )
 
     user = create_or_update_user(
-        email=id_token.get("email", ""),
-        sso_id=id_token.get("oid"),
-        first_name=id_token.get("given_name", ""),
-        last_name=id_token.get("family_name", ""),
-        intermediate_sso_id=id_token.get("sub"),
+        email=id_token_decoded.get("email", ""),
+        sso_id=id_token_decoded.get("oid"),
+        first_name=id_token_decoded.get("given_name", ""),
+        last_name=id_token_decoded.get("family_name", ""),
+        intermediate_sso_id=id_token_decoded.get("sub"),
+        id_token=jwt_token["id_token"],
     )
 
     dj_login(request, user)
 
     return get_redirect_uri(user=user, course=course, next_url=next_url)
+
+
+def logout(request):
+    user_data = (
+        request.user.additional_json_data if request.user.is_authenticated else {}
+    )
+    dj_logout(request)
+
+    redirect_uri = getattr(settings, "OAUTH_LOGOUT_REDIRECT_URI", "/")
+
+    # Handle scenarios when SSO-related data is missing, assume local login
+    if not user_data.get("intermediate_sso_id"):
+        logger.debug("SSO Logout", extra={"mode": "intermediate_sso_id_not_set"})
+        return redirect("/")
+
+    # Temporary solution if id_token is not set in the user data, can be removed after rollout + 2 weeks
+    id_token = user_data.get("id_token", "")
+    if not id_token:
+        logger.debug("SSO Logout", extra={"mode": "id_token_not_set"})
+        return redirect(f"{redirect_uri}&client_id=iterativ")
+
+    # Handle scenarios when SSO-related data is present or redirect_uri is not set
+    if not redirect_uri:
+        logger.debug("SSO Logout", extra={"mode": "redirect_uri_not_set"})
+        return redirect("/")
+    return redirect(f"{redirect_uri}&id_token_hint={id_token}")