The use of "post_logout_redirect_uri" #956
Comments
This is covered in the OIDC session management spec -- read that for more info.
Thanks for your answer. I read the spec just now. Actually, reread the parts concerning post_logout_redirect_uri a few times. The spec also mentions about the "redirect" as you have on idsrv docs. OIDC Spec says:
What is obvious to me is that I am confused, really. Especially after that answer of yours. I really don't like to guess when it comes to app development. So I am asking, please bear with me and kindly explain. If there is no auto-redirect feature, then what is the use of EDIT: By
Right - the standard view does not auto redirect. We only expose the post logout link to the view. I pointed you to an article on how to do an auto redirect. I will update the docs - would you prefer an automatic update?
Ok, so we discussed adding a flag to allow auto redirect back to the validated post logout uris. We'll add it in the next week or so.
That's great news :) Thank you very much!
OIDC Session Management section 5 refers to I see from previous discussion in #699 that Identity Server won't implement using automatic redirects. The specs allow that to be an implementation detail, so that's reasonable as far as I'm concerned. I think the confusion stems at least partially from the phrase "by default". Because this is an implementation detail, and not a restriction set by the spec, I think it might be fair to add some extra documentation explaining the decision. Because the alternative to having a link requires overriding the view service, which is non-trivial and not a configuration option, I think it would be fair to at least remove the phrase "by default". After all, if I override the view service, I can send them anywhere I want regardless of the spec. As far as an actual code issue goes, the spec implies redirection is not the default behavior even if there are pre-registered urls. If the chosen implementation is to display a link, then that link should not be displayed unless it was requested through a
Oh sure...I take time to reread some specs and write a comment, then you guys go and take care of it before I finish. ;) That said, I do think that even without that flag it should not show the link if it wasn't requested.
I am opening this issue as a follow up of this issue and some discussion we made with some other developers on gitter.
By using an id_token_hint, we can bypass the logout confirmation and show a url (registered in "PostLogoutRedirectUris") on the logged out page.
As I understand from the docs, post_logout_redirect_uri parameter should provide a redirect to the provided url. But as @brockallen said in the previous issue, I understand now that there is no redirection in Idsrv in the logout process.
As post_logout_redirect_uri is not really used for redirection, what is it used for? The url for returning to the application is provided by id_token_hint. Then, what does post_logout_redirect_uri do exactly?
P.S. I really think that docs should be updated to remove the word "redirect" in post_logout_redirect_uri explanation. It was confusing for me, as it might be confusing for others too.
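The logout decision discussed in this thread, as an added example that is not part of the issue and is not IdentityServer's own code: a valid id_token_hint identifies the client and skips the confirmation, and post_logout_redirect_uri is handed to the view only when it was requested and is registered for that client. The client id, URLs, function name and the `allow_auto_redirect` parameter are constructed for illustration, and exact string matching against the registered list is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed registry: client_id -> registered PostLogoutRedirectUris.
REGISTERED = {
    "mvc_client": ["https://app.example.com/signed-out"],
}


@dataclass
class LogoutDecision:
    show_confirmation: bool          # prompt the user before signing out
    post_logout_uri: Optional[str]   # validated URI for the view, or None
    auto_redirect: bool              # redirect instead of rendering a link


def decide_logout(hint_client_id, requested_uri, allow_auto_redirect=False):
    """Model the end-session decision discussed in the thread.

    hint_client_id: client taken from an id_token_hint whose signature was
        already validated (assumption), or None when no valid hint was sent.
    requested_uri: the post_logout_redirect_uri parameter, or None.
    allow_auto_redirect: hypothetical name for the flag proposed in the thread.
    """
    registered = REGISTERED.get(hint_client_id)
    if registered is None:
        # No trusted hint: the client is unknown, so no URI can be validated
        # and the user has to confirm the sign-out.
        return LogoutDecision(True, None, False)
    # Exact string comparison only; prefix or host matching would turn the
    # logged-out page into an open redirector.
    if requested_uri is not None and requested_uri in registered:
        return LogoutDecision(False, requested_uri, allow_auto_redirect)
    # Valid hint but URI absent or unregistered: skip the confirmation and do
    # not fall back to a registered URI that was never requested.
    return LogoutDecision(False, None, False)
```
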