
Logout on end_session_endpoint only triggered on request paths ending in /sign_out

The Bug

I'm writing this issue because I'm working on a project trying to use omniauth in Mastodon. Despite the discovery option being set to 'true', the end_session_endpoint is never called, and a user trying to log out of Mastodon is not logged out of the IdP.

This is an obvious security risk. And I believe this is the library used by Mastodon to handle OIDC, because it includes the `gitlab-omniauth-openid-connect` gem, which links to this repository.

The Cause

After a brief analysis of the lib/omniauth/strategies/openid_connect.rb file, I believe that the end_session_endpoint is not called, because it is only triggered for request paths ending in /logout.

Mastodon's logout URI, though, is /auth/sign_out and thus does not match the logout_path_pattern that is checked against to trigger a logout.

The Solution

I think it is a bad idea to require all apps to suffix all their logout paths with /logout. The easiest change would be to allow for an override of the /logout part by an arbitrary suffix through a non-required option.

I'll provide an MR doing just this, unless my analysis of the bug and its cause is flawed.
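The following is an added illustration of the path check described under "The Cause" and of the suffix override proposed under "The Solution"; it is not the gem's, GitLab's or Mastodon's code. It models a `logout_path_pattern` built from the strategy's mount path plus a fixed "/logout" tail, then makes that tail a configurable option. The option name `logout_suffix`, the helper names, the mount path "/auth/openid_connect" and the IdP and application URLs are all assumptions. Note that the pattern stays prefixed with the mount path, so the configured suffix fires for the logout route under that mount; it is anchored at both ends and quoted, so a request such as "/x/auth/openid_connect/sign_out" or "/auth/openid_connect/sign_out/extra" does not trigger a redirect to the IdP, and regex metacharacters in a configured value are taken literally. The `end_session_uri` helper shows the standard OIDC RP-Initiated Logout redirect (id_token_hint plus optional post_logout_redirect_uri) that a matching request would lead to.

```ruby
# Added illustration for this issue; not the gem's or Mastodon's code.
# Assumed names: logout_suffix (the proposed option), logout_request?,
# end_session_uri, demo. The mount path "/auth/openid_connect" is assumed.
require 'uri'

# Pattern deciding whether a request passing through the strategy middleware
# is a logout request: mount path + configurable tail, default "/logout"
# (the behaviour the issue reports). \A and \z anchor the whole path, and
# Regexp.quote keeps metacharacters in configured values literal.
def logout_path_pattern(request_path, logout_suffix = '/logout')
  /\A#{Regexp.quote(request_path)}#{Regexp.quote(logout_suffix)}\z/
end

def logout_request?(current_path, request_path:, logout_suffix: '/logout')
  logout_path_pattern(request_path, logout_suffix).match?(current_path)
end

# Standard OIDC RP-Initiated Logout redirect target: the OP's
# end_session_endpoint with id_token_hint and, optionally, a
# post_logout_redirect_uri. Existing query parameters on the endpoint
# (as discovery may return them) are preserved.
def end_session_uri(end_session_endpoint, id_token_hint:, post_logout_redirect_uri: nil)
  uri = URI.parse(end_session_endpoint)
  params = { 'id_token_hint' => id_token_hint }
  params['post_logout_redirect_uri'] = post_logout_redirect_uri if post_logout_redirect_uri
  existing = uri.query ? URI.decode_www_form(uri.query) : []
  uri.query = URI.encode_www_form(existing + params.to_a)
  uri.to_s
end

# Walks the issue's scenario with constructed request paths.
def demo
  mount = '/auth/openid_connect' # assumed mount path of the strategy
  {
    # current behaviour: only the ".../logout" tail fires
    default_logout:  logout_request?("#{mount}/logout", request_path: mount),
    default_signout: logout_request?("#{mount}/sign_out", request_path: mount),
    literal_signout: logout_request?('/auth/sign_out', request_path: mount),
    # proposed behaviour: the tail is configurable
    custom_signout:  logout_request?("#{mount}/sign_out", request_path: mount, logout_suffix: '/sign_out'),
    # anchoring: neither a path with a leading prefix nor trailing garbage matches
    prefix_only:     logout_request?("/x#{mount}/sign_out", request_path: mount, logout_suffix: '/sign_out'),
    trailing:        logout_request?("#{mount}/sign_out/extra", request_path: mount, logout_suffix: '/sign_out')
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, hit| puts "#{name}: #{hit}" }
  # constructed IdP and application URLs
  puts end_session_uri('https://idp.example/oidc/logout',
                       id_token_hint: 'eyJhbGciOi.example.token',
                       post_logout_redirect_uri: 'https://mastodon.example/')
end
```

Running the file prints the five match results (only `default_logout` and `custom_signout` are true) followed by the end_session redirect URL; the end anchor is what keeps a longer path that merely starts with the configured value from triggering the IdP logout.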