Type: Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
The current implementation of the logout endpoint, when the id_token_hint parameter is passed without any session cookie, logs out the user session but does not take into account that an authentication session can still be present. Since the improvements for the "already logged in" issue (https://github.com/keycloak/keycloak/issues/23879), the authentication session can be kept for a few seconds after authentication so that other tabs can log in automatically. But if, for whatever reason, a tab was closed or does not refresh, the auth session remains for a short period (60s). During those 60s the logout removes the user session but not the associated auth session, which can be a problem for a subsequent login.
This is a corner case that only happens under those conditions and only for 60s. But we also need to remove the authentication session, when present, in that logout (as is already done when logging out with a refresh_token, for example).
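A small model of the corner case, added here as an illustration and not Keycloak code: the store, the 60s window and the two logout variants are constructed assumptions, with the "fixed" variant also dropping any auth session bound to the user session named in the id_token_hint.

```python
from dataclasses import dataclass, field

AUTH_SESSION_TTL = 60  # seconds the auth session lingers after login (constructed value matching the report)


@dataclass
class Store:
    """Toy session store: user sessions keyed by sid, auth sessions bound to a sid with an expiry."""
    user_sessions: dict = field(default_factory=dict)  # sid -> user
    auth_sessions: dict = field(default_factory=dict)  # auth_id -> (sid, expires_at)

    def login(self, user, sid, auth_id, now):
        self.user_sessions[sid] = user
        # The auth session is kept for a short window so other tabs can log in automatically.
        self.auth_sessions[auth_id] = (sid, now + AUTH_SESSION_TTL)
        return {"sub": user, "sid": sid}  # minimal id_token claims used as id_token_hint

    def logout_reported(self, id_token_hint):
        # Reported behaviour: only the user session referenced by the hint is removed.
        self.user_sessions.pop(id_token_hint["sid"], None)

    def logout_fixed(self, id_token_hint):
        # Expected behaviour: also remove every auth session still bound to that user session.
        sid = id_token_hint["sid"]
        self.user_sessions.pop(sid, None)
        for auth_id, (bound_sid, _expires) in list(self.auth_sessions.items()):
            if bound_sid == sid:
                del self.auth_sessions[auth_id]

    def live_auth_sessions(self, now):
        """Auth session IDs that have not yet expired at time `now`."""
        return [a for a, (_sid, exp) in self.auth_sessions.items() if exp > now]


def demo(now=1000.0):
    """Run both logout variants 10s into the window; return the leftover auth session IDs for each."""
    reported, fixed = Store(), Store()
    hint_r = reported.login("alice", "sid-1", "auth-1", now)
    hint_f = fixed.login("alice", "sid-1", "auth-1", now)
    reported.logout_reported(hint_r)
    fixed.logout_fixed(hint_f)
    later = now + 10  # still inside the 60s window
    return reported.live_auth_sessions(later), fixed.live_auth_sessions(later)


if __name__ == "__main__":
    print(demo())  # reported variant leaves ['auth-1'] behind, fixed variant leaves []
```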
Version
26.4.2
Regression
[ ] The issue is a regression
Expected behavior
The authentication session should be removed in that situation.
Actual behavior
The authentication session remains for 60s by default and the same ID can be re-used.
How to Reproduce?
See description.
Anything else?
No response