[LG-7878] Fully remove SP session during unconfirmed OIDC logout#7232
Resolves LG-7878 changelog: Bug Fixes, Authentication, Remove invalid prompt to send user back to SP during OIDC logout
Build failure is a time zone issue - should pass tomorrow
| } | ||
| @params[:state] = logout_params[:state] if !logout_params[:state].nil? | ||
| @service_provider_name = @logout_form.service_provider&.friendly_name | ||
| delete_branded_experience(logout: true) |
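Review bot: `if !logout_params[:state].nil?` is a double negative; `unless logout_params[:state].nil?` is the idiomatic Ruby form for the same check. Separately, since `delete_branded_experience(logout: true)` now also clears the SP session (not just the branded experience), a one-line comment at this call site saying that the flag is what suppresses the post-logout "return to SP" prompt would help future readers, especially given the open question in this thread about whether other callers should clear it too.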
Should we do this on every branded experience deletion?
I'm wondering the same. Looking at all the places where this is used, I don't think I see one where it would be inappropriate to remove the SP session.
The one thing it would potentially break is the sp bounce check which gets stored in the SP session (but we've discussed moving it into the user session)
@mitchellhenke @jmhooper In the interest of time I'd like to propose keeping this the way it is - leaving delete_branded_experience the same for existing use cases that aren't part of logout requests and additionally clearing the session[:sp] in logout / auth terminating flows. We can have Katherine refactor after the bug is fixed, I'd just rather not touch the sp bounce code since that's not something I'm familiar with. Does that make sense?
Resolves LG-7878
🎫 Ticket
https://cm-jira.usa.gov/browse/LG-7878
🛠 Summary of changes
Add an option for delete_branded_experience to remove the SP session and use it during OIDC logout to ensure that users that elect not to terminate their Login.gov session don't end up being prompted to return to the SP that logged them out.
📜 Testing Plan
Provide a checklist of steps to confirm the changes.
Expected: There will be no alert prompting the user to return to the SP
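The behaviour this PR describes, as an added example that is not Login.gov's code: a plain Ruby Hash stands in for the Rails session, and the key names other than :sp (branded_experience, sp_request_id, user_id) are assumptions. It shows why a stale SP session is the source of the spurious prompt: the "return to SP" decision keys off session[:sp], so a logout path that only clears the branded-experience keys leaves that prompt armed even though the user chose to keep their IdP session.

```ruby
# Added example (not Login.gov's code): a minimal model of the session
# clean-up discussed in this PR. The session is a plain Hash; key names
# other than :sp are assumptions made for the example.

# Keys that make up the "branded experience" (assumed names).
BRANDED_KEYS = %i[branded_experience sp_request_id].freeze

# Remove the branded-experience keys. With logout: true, also drop the SP
# session so that no later screen can offer "return to <SP>". Without the
# flag the SP session is kept, which is what existing non-logout callers rely on.
def delete_branded_experience(session, logout: false)
  BRANDED_KEYS.each { |k| session.delete(k) }
  session.delete(:sp) if logout
  session
end

# The "return to SP" prompt is offered only while an SP session is present.
def return_to_sp_prompt?(session)
  !session[:sp].nil?
end

# Constructed sample session: user signed in via an SP, branded experience set.
def sample_session
  {
    sp: { issuer: 'urn:example:sp', friendly_name: 'Example SP' },
    branded_experience: true,
    sp_request_id: 'req-123',
    user_id: 42
  }
end

# Path 1: OIDC logout where the user declines to end their IdP session.
# The SP session must go, but the user's own session must survive.
def simulate_oidc_logout_decline
  session = sample_session
  delete_branded_experience(session, logout: true)
  { prompt: return_to_sp_prompt?(session), user_kept: session.key?(:user_id) }
end

# Path 2: an ordinary branded-experience reset outside of logout.
# The SP session is intentionally retained, so the prompt is still possible.
def simulate_plain_reset
  session = sample_session
  delete_branded_experience(session)
  { prompt: return_to_sp_prompt?(session), sp_kept: session.key?(:sp) }
end

if $PROGRAM_NAME == __FILE__
  p simulate_oidc_logout_decline
  p simulate_plain_reset
end
```

The logout: true path is the fix the PR introduces; the default path models the unchanged callers the thread decided not to touch for now. The check a reviewer would want is the first pair of values: after a declined OIDC logout, the prompt is gone while the user's session is still intact.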