Hi everyone,

I’m integrating Streamlit’s new authentication feature (introduced in v1.42) with Authelia as my identity provider. To achieve this, I use a Traefik proxy middleware that authenticates the user, and within the Streamlit app, I validate the headers returned by the proxy.

Currently, st.logout() only clears the user’s st.experimental_user session and deletes the identity cookie, but it does not log the user out from the identity provider. As stated in the documentation:

This does not log the user out of their underlying account from the identity provider.

I could implement a simple st.button that calls st.logout(). However, since st.logout() doesn’t revoke the session on the identity provider, the user remains logged in and can continue using the app as long as their token is still valid.

Authelia provides a logout URL (https://auth.example.com/logout) that successfully terminates the session. However, I haven’t found a way to, in a single button click, both:

• Run st.logout() (to clear st.experimental_user and delete the cookie).
• Open the Authelia logout URL in a new tab or redirect the user, ensuring their session is invalidated on the identity provider.

So, my questions are:

• Is there a way to combine st.logout() with opening a new tab for the identity provider logout?
• Are there any best practices for handling full logout in an OIDC-based setup?
• Do you have a different approach to handle this use case?

Thanks in advance for any insights!