I have a workflow where we need to be able to authenticate different users to the dashboard, and also properly log them out, as the dashboard contains sensitive data. The current implementation of st.login is rather inflexible and this causes some issues.

Most notable of these is that logout functionality is incomplete, as it only deletes the streamlit auth cookie but does not actually inform the oauth provider that a logout was performed.
Which is a bit of an issue, as our oauth provider seems to keep its own session cookies and without clearing these, it bypasses the login screen next time st.login is called. Which means next time anyone tries to log in at that computer, they get the previous person’s account. Looking at the code, it seems that end_session_endpoint is ignored in the logout flow.

The other, more minor issue is that I would like to be able to refresh the user data from the oauth provider. This is mainly to allow the user to change their account settings (like language). Under normal circumstances, I would just refresh the user token with the refresh endpoint, but no such function exists right now for st it seems.

Thirdly, I would like to use the acces token for additional api calls to the oauth provider (such as to set preferences like language for the logged in user). I can work around it right now by essentially giving streamlit admin credentials which allows doing requests on other users behalf, but it leads to more surface to make security-critical bugs in the code. I’ve looked into the streamlit codebase, and found that streamlit session cookie only keeps user data, but for some reason discards all the tokens (access, refresh, id). Is there a reason why they are not included in the cookie?

I should have some free time over the summer, so I would be happy to put together PRs to fix these issues. But it would be good to first know if this makes sense from someone in the core dev team.