Closed
Description
I'd like to log out the user without destroying the app state of the SPA, that is, without reloading or redirecting after requesting the end session endpoint.
The current logout flow

```ts
const { logout } = useOidc();
logout();
```

changes the URL or reloads the single page application when used.
This can be hacked by code like this:

```ts
const oidcClient = OidcClient.get();
oidcClient.publishEvent('logout_from_same_tab', {});
await (oidcClient as any)._oidc.destroyAsync('LOGGED_OUT');
// + custom logic to fetch the end session endpoint not following redirects
```
However, this is a bit hacky to use the internal `_oidc` property since v. 6x added `OidcClient` and hid `destroyAsync` by the `OidcClient` interface.
Would it be possible to have:
- add an option that would log the user out without reloading or redirecting (xhr/fetch request with not followed redirection).
- an option to disable reloading or redirection after logout or a method that would gracefully end the client session
Or do you think this is not possible because it's not safe?
Some ideas
```ts
const oidc = useOidc();
oidc.logout({ noReload: true }); // would contact the auth server by fetch request and ignore the returned location change (redirect)
oidc.clientOnlyLogout(); // the same as above
oidc.silentLogout(); // the same as above
oidc.destroy(); // this would do all logout except contacting the auth server (could be used by the logout methods)
oidc.endSession(); // the same as above
```
Note: It may happen that CSP policies prevent rendering in an iframe, so the silent logout in iframe isn't the way.
- Installed packages:
"@axa-fr/react-oidc": "7.15.4",
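The "custom logic to fetch the end session endpoint not following redirects" mentioned in the issue could look like the following. It is an added example, not code from the issue author or from @axa-fr/react-oidc; the function names are hypothetical, and it assumes the provider's end-session endpoint accepts credentialed cross-origin GET requests from the SPA's origin.

```javascript
// Added example, not part of @axa-fr/react-oidc. All function names are hypothetical.
// Query parameter names come from OpenID Connect RP-Initiated Logout 1.0.
function buildEndSessionRequest({ endSessionEndpoint, idTokenHint, clientId, state }) {
  const url = new URL(endSessionEndpoint);
  if (url.protocol !== 'https:') {
    throw new Error('end_session_endpoint must use https');
  }
  if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
  if (clientId) url.searchParams.set('client_id', clientId);
  if (state) url.searchParams.set('state', state);
  // post_logout_redirect_uri is left out on purpose: the redirect is never followed.
  return {
    url: url.toString(),
    init: {
      method: 'GET',
      mode: 'cors',
      credentials: 'include', // send the provider's session cookie (assumes CORS allows it)
      redirect: 'manual',     // do not follow the post-logout redirect
      cache: 'no-store',
    },
  };
}

// Classify the outcome so the caller knows whether the provider was reached.
function classifyResponse(response) {
  if (response.type === 'opaqueredirect') return 'redirect_not_followed'; // browsers
  if (response.status >= 300 && response.status < 400) return 'redirect_not_followed'; // Node
  if (response.ok) return 'ok';
  return 'rejected';
}

async function endSessionWithoutRedirect(options, fetchImpl = fetch) {
  const { url, init } = buildEndSessionRequest(options);
  try {
    return { outcome: classifyResponse(await fetchImpl(url, init)) };
  } catch (err) {
    // Network failure or CORS rejection: the provider session may still be alive.
    return { outcome: 'unreachable', error: String(err) };
  }
}
```

Local tokens should be cleared whatever the outcome; `unreachable` or `rejected` means the session at the provider may still be active, so the application should surface that rather than report a completed logout.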