do an idp logout even when oidc.isAuthenticated is false

[tusharpandey13]

This PR solves the following issue (this was reported in an ESD):

express-openid-connect does not do IdP logout if no local session is found

The logout() code checks for an existing app session and, if not found, returns:

async logout(params = {})
  
  [...]
  
  if (!req.oidc.isAuthenticated()) {
    debug('end-user already logged out, redirecting to %s', returnURL);
    return res.redirect(returnURL);
  }
  
  [...]
  
  // idp logout comes later
  returnURL = client.endSessionUrl(...)
  res.redirect(returnURL);
}

(code)

The problem with this logic is that there are cases where the application session might be shorter than the Auth0 session. In those cases the IdP logout won’t be requested, but our customers (and their users) might still expect the logout action to terminate the Auth0 session (assuming idpLogout is true).

While the behavior is documented in this sequence diagram, it’s like to go unnoticed, and probably unexpected.

I think we should do the IdP logout if idpLogout is set to true even if isAuthenticated() returns false. We won’t have the id_token_hint to include in the request, but it’s not a mandatory parameter.