
RP-initiated logout post_logout_redirect_uri is not validatable #179

Open
rbclark opened this issue Nov 9, 2022 · 0 comments

rbclark commented Nov 9, 2022

I was reading through the OpenID Connect RP-Initiated Logout Spec and I noticed that regarding the post_logout_redirect_uri it mentions:

> The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism.

Looking at the current end_session_endpoint implementation, it does not provide a way to validate the post_logout_redirect_uri as the spec requires.

For context, the way I'm handling the end_session_endpoint at the moment is as follows:

1. On the OP I have this gem configured with:

   ```ruby
   # Points end_session_endpoint at the Devise sign-out route of the OP itself
   end_session_endpoint do
     Rails.application.routes.url_for({host: ENV["HOST_URL"]}, :destroy_user_session)
   end
   ```

   and I have my devise after_sign_out_path set to

   ```ruby
   # Devise hook: after sign-out, redirect to the client-supplied
   # post_logout_redirect_uri as-is (no check against registered URIs),
   # otherwise fall back to Devise's default
   def after_sign_out_path_for(resource)
     if params[:post_logout_redirect_uri].present?
       params[:post_logout_redirect_uri]
     else
       super
     end
   end
   ```

2. In my application (using https://github.com/omniauth/omniauth_openid_connect) I am POSTing to /auth/sso/logout which uses the end_session_endpoint and is working properly.
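As an added illustration of the check the issue asks for (this is example code, not part of the issue or of the gem): the OP compares the supplied `post_logout_redirect_uri` against the values the RP registered, using exact string equality, and only then redirects, appending the optional `state` parameter the RP-Initiated Logout spec allows. The registered URIs, the `validated_post_logout_redirect_uri` and `post_logout_redirect_target` helpers, and the default fallback path are all assumptions made for the example.

```ruby
require "uri"

# Constructed sample: post_logout_redirect_uris a hypothetical RP registered with
# the OP. In a real OP these come from the client's registration record.
REGISTERED_POST_LOGOUT_REDIRECT_URIS = [
  "https://rp.example.com/signed-out",
  "https://rp.example.com/auth/sso/logout/callback",
].freeze

# Returns candidate if it exactly matches a registered value, otherwise nil.
# Exact string comparison is deliberate: prefix or host-only matching would let
# a request append a path or query that escapes the registered page.
def validated_post_logout_redirect_uri(candidate, registered = REGISTERED_POST_LOGOUT_REDIRECT_URIS)
  return nil if candidate.nil? || candidate.empty?
  registered.include?(candidate) ? candidate : nil
end

# Builds the final redirect target after sign-out. An unregistered or missing
# URI falls back to default_path instead of being used as given. If the RP
# passed a `state` value, it is echoed back as a query parameter, as the spec
# permits.
def post_logout_redirect_target(params, default_path = "/")
  target = validated_post_logout_redirect_uri(params[:post_logout_redirect_uri])
  return default_path unless target

  state = params[:state]
  return target if state.nil? || state.empty?

  uri = URI.parse(target)
  extra = URI.encode_www_form(state: state)
  uri.query = uri.query ? "#{uri.query}&#{extra}" : extra
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts post_logout_redirect_target(post_logout_redirect_uri: "https://rp.example.com/signed-out", state: "abc 123")
  puts post_logout_redirect_target(post_logout_redirect_uri: "https://attacker.example/phish")
end
```

In a Devise-based OP the `after_sign_out_path_for` override would return `post_logout_redirect_target(params, super)` so that an unregistered value never reaches the browser as a redirect location; the exact-match comparison is what makes the difference between a registered allowlist and an open redirect.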