Describe the Bug
When logging out via an OpenID Connect provider that does not expose a revocation_endpoint in its discovery document (e.g. Microsoft Entra ID / Azure AD), the logout request fails with a 500 error.
The error is:
TypeError: revocation_endpoint must be configured on the issuer
This happens because baseoauth.ts → logout() unconditionally calls client.revoke() without first checking if the provider supports token revocation. Token revocation (RFC 7009) is an optional OAuth extension — not all providers implement it. Azure AD notably does not include revocation_endpoint in its /.well-known/openid-configuration.
Because the exception aborts logout() before it reaches the cleanup step, auth_data is never cleared, so the stale refresh token persists in the database. On the next login, the user may encounter issues with the old session data.
Expected behavior: Logout should succeed. If the provider doesn't support revocation, skip the client.revoke() call and still clear auth_data from the database.
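To make the expected behaviour concrete, here is an added example (not Directus's own code and not a patch to baseoauth.ts) that models the logout path with openid-client-style shapes. The names `issuer.metadata.revocation_endpoint` and `client.revoke()` are real openid-client API names; the `AuthStore` interface, the fake client and the in-memory store are assumed stand-ins for the auth_data persistence so the example runs offline. It shows the reported behaviour (unconditional revoke, auth_data left behind) next to the fixed path, which checks the discovery metadata first and clears auth_data in a `finally` block so that even a failed revocation does not leave a stale refresh token in the database.

```typescript
// Added example, not Directus's own code: a logout helper that checks for a
// revocation endpoint before calling revoke(), and clears auth_data either way.
// `issuer.metadata.revocation_endpoint` and `client.revoke()` are openid-client
// names; AuthStore, the fake client and the in-memory store are assumed stand-ins.

type IssuerMetadata = { issuer: string; revocation_endpoint?: string };

interface OidcClient {
  issuer: { metadata: IssuerMetadata };
  revoke(token: string, tokenTypeHint?: string): Promise<void>;
}

interface AuthData { refreshToken?: string }

// Assumed persistence interface standing in for the auth_data column.
interface AuthStore {
  read(userId: string): Promise<AuthData | null>;
  clear(userId: string): Promise<void>;
}

interface LogoutResult { revoked: boolean; cleared: boolean }

// RFC 7009 revocation is optional; a provider advertises support by including
// revocation_endpoint in its discovery document, so that is the check to make.
function supportsRevocation(client: OidcClient): boolean {
  return typeof client.issuer.metadata.revocation_endpoint === 'string';
}

// The reported behaviour: revoke() is called unconditionally, so a provider
// without revocation_endpoint throws and auth_data is never cleared.
async function buggyLogout(client: OidcClient, store: AuthStore, userId: string): Promise<LogoutResult> {
  const authData = await store.read(userId);
  if (authData && authData.refreshToken) {
    await client.revoke(authData.refreshToken, 'refresh_token'); // throws when no endpoint
  }
  await store.clear(userId);
  return { revoked: true, cleared: true };
}

// Fixed path: skip revocation when unsupported; clear local state in a finally
// block so a revocation failure does not leave a stale refresh token behind.
async function logout(client: OidcClient, store: AuthStore, userId: string): Promise<LogoutResult> {
  const authData = await store.read(userId);
  let revoked = false;
  try {
    if (authData && authData.refreshToken && supportsRevocation(client)) {
      await client.revoke(authData.refreshToken, 'refresh_token');
      revoked = true;
    }
  } finally {
    await store.clear(userId);
  }
  return { revoked, cleared: (await store.read(userId)) === null };
}

// Constructed fake mirroring openid-client's assertion when the endpoint is absent.
function fakeClient(metadata: IssuerMetadata): OidcClient & { revokedTokens: string[] } {
  const revokedTokens: string[] = [];
  return {
    issuer: { metadata },
    revokedTokens,
    async revoke(token: string): Promise<void> {
      if (!metadata.revocation_endpoint) {
        throw new TypeError('revocation_endpoint must be configured on the issuer');
      }
      revokedTokens.push(token);
    },
  };
}

// Constructed in-memory stand-in for the auth_data column.
function memoryStore(seed: Record<string, AuthData>): AuthStore {
  const rows = new Map<string, AuthData>(Object.entries(seed));
  return {
    async read(userId: string): Promise<AuthData | null> {
      const row = rows.get(userId);
      return row === undefined ? null : row;
    },
    async clear(userId: string): Promise<void> { rows.delete(userId); },
  };
}

// Runs a provider with and without revocation_endpoint through both paths; constructed data only.
async function demo() {
  const withRevocation = fakeClient({ issuer: 'https://idp.example', revocation_endpoint: 'https://idp.example/revoke' });
  const noRevocation = fakeClient({ issuer: 'https://login.example' }); // Entra-ID-like: no endpoint

  const buggyStore = memoryStore({ u1: { refreshToken: 'rt-old' } });
  let buggyError = '';
  try { await buggyLogout(noRevocation, buggyStore, 'u1'); } catch (e) { buggyError = (e as Error).message; }
  const staleRemains = (await buggyStore.read('u1')) !== null;

  const fixedA = await logout(withRevocation, memoryStore({ u1: { refreshToken: 'rt-1' } }), 'u1');
  const fixedB = await logout(noRevocation, memoryStore({ u1: { refreshToken: 'rt-2' } }), 'u1');
  return { buggyError, staleRemains, fixedA, fixedB, revokedA: withRevocation.revokedTokens, revokedB: noRevocation.revokedTokens };
}
```

Running `demo()` shows the buggy path rejecting with the exact TypeError from the report while `auth_data` is still present, and the fixed path returning `{ revoked: false, cleared: true }` for the provider without a revocation endpoint and `{ revoked: true, cleared: true }` for the one that has it. Clearing in `finally` goes one step beyond the report's "skip the call": it also guarantees cleanup if a supported revocation call fails at runtime.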
To Reproduce
- Configure an OpenID Connect provider that does not expose a revocation_endpoint (e.g. Microsoft Entra ID / Azure AD)
- Log in via the OpenID provider
- Log out via POST /auth/logout
- Observe 500 error with message: revocation_endpoint must be configured on the issuer
Stack trace:
TypeError: revocation_endpoint must be configured on the issuer
at assertIssuerConfiguration (openid-client/lib/helpers/assert.js:17:11)
at Client.revoke (openid-client/lib/client.js:1371:5)
at OpenIDAuthDriver.logout (auth/drivers/baseoauth.js)
at AuthenticationService.logout (services/authentication.js)
Directus Version
v11.0.8
Hosting Strategy
Self-Hosted (Docker Image)