-- OIDC back-channel logout support. -- The provider issuer identifies the IdP (validated against the logout token's -- `iss` and used for OIDC discovery of the JWKS). The session sid records the -- IdP session id (`sid`) captured from the ID token at login, so a back-channel -- logout token scoped to a `sid` can terminate exactly the matching session(s). ALTER TABLE auth_providers ADD COLUMN oidc_issuer TEXT NOT NULL DEFAULT ''; ALTER TABLE sessions ADD COLUMN oidc_sid TEXT NOT NULL DEFAULT ''; CREATE INDEX IF NOT EXISTS idx_sessions_oidc_sid ON sessions(oidc_sid) WHERE oidc_sid != '';