RP-initiated logout post_logout_redirect_uri is not validatable #179

Open
rbclark opened this issue Nov 9, 2022 · 0 comments
Comments

rbclark commented Nov 9, 2022

I was reading through the OpenID Connect RP-Initiated Logout Spec and I noticed that regarding the post_logout_redirect_uri it mentions:

> The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism.

Looking at the current end_session_endpoint implementation, it does not provide a way to validate the post_logout_redirect_uri as the spec requires.

For context, the way I'm handling the end_session_endpoint at the moment is as follows:

1. On the OP I have this gem configured with:

```ruby
# OP side: point the advertised end_session_endpoint at Devise's sign-out route
end_session_endpoint do
  Rails.application.routes.url_for({host: ENV["HOST_URL"]}, :destroy_user_session)
end
```

   and I have my devise after_sign_out_path set to

```ruby
# Devise hook: redirect wherever the RP asked, otherwise to the default sign-out path
def after_sign_out_path_for(resource)
  if params[:post_logout_redirect_uri].present?
    params[:post_logout_redirect_uri]
  else
    super
  end
end
```

2. In my application (using https://github.com/omniauth/omniauth_openid_connect) I am POSTing to /auth/sso/logout which uses the end_session_endpoint and is working properly.
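The validation the issue says is missing, as an added example (not the gem's code and not the issue author's): an OP-side check that a requested post_logout_redirect_uri exactly matches one previously registered for the client, with the RP's state passed back only after that check succeeds. The registry hash, the client_id values and the URIs below are constructed for illustration; the example assumes the OP has already identified the client (from id_token_hint or the client_id parameter) before calling into it.

```ruby
require "uri"

# Constructed stand-in for whatever the OP persists per client (for instance a
# post_logout_redirect_uris column filled at client registration). Client ids and
# URIs are made up for this example.
REGISTERED_POST_LOGOUT_URIS = {
  "rp-app" => [
    "https://rp.example.com/",
    "https://rp.example.com/auth/sso/logout/callback",
    "https://rp.example.com/logged_out?from=op",
  ],
}.freeze

# The spec requires the value to have been registered beforehand. Comparing as an
# exact string (the rule OIDC Core applies to redirect_uri) is the conservative
# choice: prefix or host-suffix matching is what lets an attacker slip in
# https://rp.example.com.attacker.net/ or https://rp.example.com/../evil and turn
# the logout endpoint into an open redirect.
def valid_post_logout_redirect_uri?(client_id, candidate)
  return false if candidate.nil? || candidate.empty?

  REGISTERED_POST_LOGOUT_URIS.fetch(client_id, []).include?(candidate)
end

# Returns the URL the browser may be sent to after sign-out, or nil when the
# requested URI is not registered for this client so the caller can fall back to
# its default sign-out path instead of redirecting blindly. When the RP supplied a
# state value, the spec has the OP return it as a query parameter of the
# post_logout_redirect_uri, so it is appended to whatever query the registered
# URI already carries.
def post_logout_redirect_target(client_id, candidate, state = nil)
  return nil unless valid_post_logout_redirect_uri?(client_id, candidate)

  uri = URI.parse(candidate)
  if state && !state.empty?
    params = URI.decode_www_form(uri.query || "") << ["state", state]
    uri.query = URI.encode_www_form(params)
  end
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts post_logout_redirect_target("rp-app", "https://rp.example.com/", "abc123")
  p post_logout_redirect_target("rp-app", "https://rp.example.com.attacker.net/", "abc123")
end
```

Wired into the after_sign_out_path_for above, the raw params[:post_logout_redirect_uri] lookup would become a call to post_logout_redirect_target with the client identified from the logout request, and the method would fall through to super whenever that call returns nil.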