At least in the latest spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Currently Hydra uses id_token_hint to determine if logout is RP-initiated or OP-initiated. I do not think this is possible by relaying on id_token_hint.

Looking at the implementation of issueLogoutVerifier I think the logic is correct (if id_token_hint is missing, you ask for consent, if it is p

Is your feature request related to a problem? Please describe.

The public key-based request signing functionality added to sso_proxy in buzzfeed/sso#106 is undocumented. In particular, it's not immediately obvious how to a) generate an appropriate keypair or b) validate a signed request in an upstream service.

Describe the solution you'd like

New documenta

If I am correct then currently no (prometheus) metrics are provided.

Was wondering what is the reason? Is there is any plan to implement them?

I know I would like to see some metrics about how many users are authenticated, how many redirected to 'login' page, for how many authentication fails etc

Not seeing how I'd be able to do that. the step certificate create -csr seems to expect to create a new private key