This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

The use of "post_logout_redirect_uri" #956

Closed
iltera opened this issue Feb 20, 2015 · 7 comments
@iltera

iltera commented Feb 20, 2015

I am opening this issue as a follow up of this issue and some discussion we made with some other developers on gitter.

By using an id_token_hint, we can bypass the logout confirmation and show a url (registered in "PostLogoutRedirectUris") on the logged out page.

As I understand from the docs, the post_logout_redirect_uri parameter should provide a redirect to the provided url. But as @brockallen said in the previous issue, I understand now that there is no redirection in Idsrv in the logout process.

As post_logout_redirect_uri is not really used for redirection, what is it used for? The url for returning to the application is provided by id_token_hint. Then, what does post_logout_redirect_uri do exactly?

P.S. I really think that docs should be updated to remove the word "redirect" in post_logout_redirect_uri explanation. It was confusing for me, as it might be confusing for others too.

@brockallen
Member

This is covered in the OIDC session management spec -- read that for more info.

@iltera
Author

iltera commented Feb 20, 2015

Thanks for your answer. I read the spec just now. Actually, I reread the parts concerning post_logout_redirect_uri a few times. The spec also mentions the "redirect" as you have in the idsrv docs.

OIDC Spec says:

OPTIONAL.
URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.

What is obvious to me is that post_logout_redirect_uri is used to make an automatic redirect after logout. As I use the id_token_hint, I bypass the confirmation and display the app url (the first url registered in postLogoutRedirectUris in the client configuration of idsrv) in the logged out screen. By also using post_logout_redirect_uri, in my understanding, I should get a redirect back to the RP immediately, bypassing the logged out screen. Meaning when both id_token_hint and post_logout_redirect_uri are used together, when I click the logout link in my application, after a few redirects I should get back to my app. (That is what the OIDC and IDSRV docs are saying, again, in my understanding...)

I am confused, really. Especially after that answer of yours.

I really don't like to guess when it comes to app development. So I am asking, please bear with me and kindly explain. If there is no auto-redirect feature, then what is the use of post_logout_redirect_uri?

EDIT: By post_logout_redirect_uri, I mean the parameter which is used at the endsession endpoint (With id_token_hint).

@leastprivilege
Member

Right - the standard view does not auto redirect. We only expose the post logout link to the view.

I pointed you to an article on how to do an auto redirect.

I will update the docs - would you prefer an automatic update?

@brockallen
Member

Ok, so we discussed adding a flag to allow auto redirect back to the validated post logout uris. We'll add it in the next week or so.

@iltera
Author

iltera commented Feb 20, 2015

That's great news :)
I will be looking forward to it (like other fellow developers who were looking forward to this).

Thank you very much!

@iltera iltera closed this as completed Feb 20, 2015
@mryandot

OIDC Session Management section 5 refers to post_logout_redirect_uri as being used to redirect the User-Agent back to the RP. It also states that a Redirection URI is used in compliance with the OAuth 2.0 spec. The OAuth 2.0 spec has some details on validating redirect uris; more importantly section 1.7 states that redirection is performed in their examples using a 302 response code. It does say, however, that is left as an implementation detail.

I see from previous discussion in #699 that Identity Server won't implement using automatic redirects. The specs allow that to be an implementation detail, so that's reasonable as far as I'm concerned. I think the confusion stems at least partially from the phrase "by default".

Because this is an implementation detail, and not a restriction set by the spec, I think it might be fair to add some extra documentation explaining the decision. Because the alternative to having a link requires overriding the view service, which is non-trivial and not a configuration option, I think it would be fair to at least remove the phrase "by default". After all, if I override the view service, I can send them anywhere I want regardless of the spec.

As far as an actual code issue goes, the spec implies redirection is not the default behavior even if there are pre-registered urls. If the chosen implementation is to display a link, then that link should not be displayed unless it was requested through a post_logout_redirect_uri parameter on the request. That also avoids ambiguity when more than one uri is registered.
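One way an OP could apply the rule argued for in this comment (show or follow a post-logout link only when the RP actually sent post_logout_redirect_uri, and only when it exactly matches a registered value), as an added Python example that is not IdentityServer's own code. The client registration, endpoint URL and token value are constructed for illustration; the example assumes the id_token_hint has already been validated and mapped to this client.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample client registration (not IdentityServer's data model).
CLIENT = {
    "client_id": "rp-app",
    "post_logout_redirect_uris": [
        "https://rp.example/signout-callback",
        "https://rp.example/alt-callback",
    ],
}


def build_end_session_url(endpoint, id_token_hint, post_logout_redirect_uri=None, state=None):
    """RP side: build the RP-initiated logout request from OIDC Session Management."""
    params = {"id_token_hint": id_token_hint}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state:
        params["state"] = state
    return f"{endpoint}?{urlencode(params)}"


def parse_end_session_request(url):
    """OP side: extract the single-valued query parameters of an end-session request."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if len(v) == 1}


def resolve_post_logout_uri(client, requested_uri):
    """OP side: decide which URI, if any, the logged-out page may offer.

    Returns None when nothing was requested (no link, so no guessing among
    several registered URIs) or when the value is not registered. The
    comparison is an exact string match, as OAuth 2.0 recommends for
    redirection URIs, so prefix or path-traversal variants are rejected.
    """
    if requested_uri is None:
        return None
    if requested_uri in client["post_logout_redirect_uris"]:
        return requested_uri
    return None
```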

@mryandot

Oh sure...I take time to reread some specs and write a comment, then you guys go and take care of it before I finish. ;) That said, I do think that even without that flag it should not show the link if it wasn't requested.
