pac4j

ID token is cleared during storage to session


We use play-pac4j in CiviForm, an open-source, public-interest project. I am working on providing logout support for OIDC (see GitHub issue).

As suggested in Getting ID Token for Logout, I am revising our code to store an instance of a custom subclass of OidcProfile in the session. However, one aspect of the default handling puzzles me: when the callback is processed, the profile is scrubbed in such a way that the id_token is removed from the profile before it is stored in the session. This puts me back at square one: the id_token is not available in the profile to be populated in the logout request.

I can get around this by overriding removeLoginData() in my custom subclass of OidcProfile such that it does not remove the id_token. Is that a bad idea? I'm a little wary of doing this without understanding why the id_token is being removed in the base implementation.


Solution

  • The ID token (like the access token) is removed from the OIDC profile because of the storage you pick: PlayCookieSessionStore.

    The size of the cookie is limited, so this is necessary to limit the size of the profile.

    Use the PlayCacheSessionStore to be able to store the whole profile: https://github.com/pac4j/play-pac4j/wiki/Security-configuration#2-choose-the-right-sessionstore
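
Concretely, the swap the answer recommends looks like the Guice module below. This is an added example, not CiviForm's or play-pac4j's own code: the package and class names, the `key` placeholder for the cookie encrypter, and the use of Guice injection are assumptions; the `PlayCacheSessionStore`/`PlayCookieSessionStore` constructors are those shown in the linked wiki and should be checked against the play-pac4j version actually in use.

```java
// Added example (not CiviForm's or play-pac4j's own code): a Guice module
// that replaces the cookie-backed Play session store with the cache-backed
// one, so the whole OIDC profile (id_token included) can be kept.
package modules; // hypothetical package name

import com.google.inject.AbstractModule;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.play.store.PlayCacheSessionStore;
import org.pac4j.play.store.PlayCookieSessionStore;
import org.pac4j.play.store.ShiroAesDataEncrypter;
import play.cache.SyncCacheApi;

public class SecurityModule extends AbstractModule {

    @Override
    protected void configure() {
        // Before: cookie-backed session. The entire session, profile included,
        // travels to the browser in an encrypted cookie and must stay small;
        // this is the configuration in which the id_token is stripped.
        // 'key' is a placeholder for the AES key bytes you would load from config.
        //
        // final byte[] key = ...;
        // final SessionStore cookieStore =
        //         new PlayCookieSessionStore(new ShiroAesDataEncrypter(key));
        // bind(SessionStore.class).toInstance(cookieStore);

        // After: cache-backed session. Only a session identifier goes to the
        // browser; the profile, including the id_token needed to build the
        // OIDC logout request, stays server-side in Play's cache.
        final SessionStore cacheStore =
                new PlayCacheSessionStore(getProvider(SyncCacheApi.class));
        bind(SessionStore.class).toInstance(cacheStore);
    }
}
```

Register the module with `play.modules.enabled += "modules.SecurityModule"` in `application.conf`, and make sure a Play cache implementation (for example the `caffeine` or `ehcache` dependency) is on the classpath so that `SyncCacheApi` can be injected. Beyond fixing the size problem, the cache-backed store means the ID token never leaves the server inside a browser cookie, and the cache entry's expiry bounds how long it is retained, which is the better default for a sensitive token that is only needed for the logout call.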