feat: support EndSession with RelyingPart client

pkg/client/client.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"net/http"
+	"net/url"
 	"reflect"
 	"strings"
 	"time"
@@ -74,6 +75,32 @@ func callTokenEndpoint(request interface{}, authFn interface{}, caller TokenEndp
 	}, nil
 }
 
+type EndSessionCaller interface {
+	GetEndSessionEndpoint() string
+	HttpClient() *http.Client
+}
+
+func CallEndSessionEndpoint(request interface{}, authFn interface{}, caller EndSessionCaller) (*url.URL, error) {
+	req, err := httphelper.FormRequest(caller.GetEndSessionEndpoint(), request, Encoder, authFn)
+	if err != nil {
+		return nil, err
+	}
+	client := caller.HttpClient()
+	client.CheckRedirect = func(_ *http.Request, _ []*http.Request) error {
+		return http.ErrUseLastResponse
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	location, err := resp.Location()
+	if err != nil {
+		return nil, err
+	}
+	return location, nil
+}
+
 func NewSignerFromPrivateKeyByte(key []byte, keyID string) (jose.Signer, error) {
 	privateKey, err := crypto.BytesToPrivateKey(key)
 	if err != nil {

pkg/client/rp/relying_party.go

@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
@@ -577,3 +578,13 @@ func RefreshAccessToken(rp RelyingParty, refreshToken, clientAssertion, clientAs
 	}
 	return client.CallTokenEndpoint(request, tokenEndpointCaller{RelyingParty: rp})
 }
+
+func EndSession(rp RelyingParty, idToken, optionalRedirectURI, optionalState string) (*url.URL, error) {
+	request := oidc.EndSessionRequest{
+		IdTokenHint:           idToken,
+		ClientID:              rp.OAuthConfig().ClientID,
+		PostLogoutRedirectURI: optionalRedirectURI,
+		State:                 optionalState,
+	}
+	return client.CallEndSessionEndpoint(request, nil, rp)
+}