IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.23k stars 4.02k forks

Url with parameters as post_logout_redirect_uri not working? #5442

Closed xecollons closed 2 years ago

xecollons commented 2 years ago

Hello,

I'm trying to log out a site using endsession endpoint with a post_logout_redirect_uri with params in the query. An example of this is this call:

http://myserver.com/connect/endsession?id_token_hint=xxx&post_logout_redirect_uri=https%3A%2F%2Fwww.myotherweb.com%2Fwithid%3FuserId%3D123

where I have a userId in my redirect uri.

This is throwing me an "Invalid PostLogoutRedirectUri". Without the params, it's working. What I would have in my PostLogoutUris list for this example is https://www.myotherweb.com/withid, without the params, of course. If we go to the OIDC specs, it says

post_logout_redirect_uri OPTIONAL. URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. This URL SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the use of http RP URIs. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. An id_token_hint is also REQUIRED when this parameter is included.

So I understand that query params are allowed. Looking at the IS4 source, I have arrived at the EndSessionRequestValidator and, after that, at StringCollectionContainsString, where, if I'm seeing it correctly (I may not), it's just comparing the uri as a string, without removing its params that it could have, with our registered PostLogoutUris list. Is that ok? Am I missing something? Shouldn't it just compare the non-query-parameter part?

Thanks.
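The two matching policies the post contrasts, written out as an added C# example that is not IdentityServer4's own validator code; `PostLogoutRedirectUriMatcher`, its methods and the second sample host are hypothetical. The relaxed variant still pins scheme, host, port and path to a registered entry and rejects fragments, so only the query parameter values vary, and the receiving page must treat those values as untrusted input.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper, not IdentityServer4's own validator code.
public static class PostLogoutRedirectUriMatcher
{
    // The behaviour the issue describes: the raw requested value must appear
    // verbatim in the client's registered list, so any query string fails.
    public static bool MatchesExactly(string requested, IEnumerable<string> registered)
        => registered.Contains(requested, StringComparer.Ordinal);

    // Alternative policy: scheme, host, port and path must match a registered entry
    // exactly; a query string on the requested URI is tolerated only when the
    // registered entry has no query of its own. Fragments are always rejected.
    public static bool MatchesIgnoringQuery(string requested, IEnumerable<string> registered)
    {
        if (!Uri.TryCreate(requested, UriKind.Absolute, out var req)) return false;
        if (!string.IsNullOrEmpty(req.Fragment)) return false;

        foreach (var entry in registered)
        {
            if (!Uri.TryCreate(entry, UriKind.Absolute, out var reg)) continue;

            // A registered entry that pins a query must still be matched verbatim.
            if (!string.IsNullOrEmpty(reg.Query))
            {
                if (string.Equals(entry, requested, StringComparison.Ordinal)) return true;
                continue;
            }

            if (string.Equals(reg.Scheme, req.Scheme, StringComparison.OrdinalIgnoreCase)
                && string.Equals(reg.Host, req.Host, StringComparison.OrdinalIgnoreCase)
                && reg.Port == req.Port
                && string.Equals(reg.AbsolutePath, req.AbsolutePath, StringComparison.Ordinal))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        var registered = new[] { "https://www.myotherweb.com/withid" };       // from the issue
        var withQuery = "https://www.myotherweb.com/withid?userId=123";       // from the issue
        var otherHost = "https://www.another.example/withid?userId=123";      // constructed

        Console.WriteLine(MatchesExactly(withQuery, registered));
        Console.WriteLine(MatchesIgnoringQuery(withQuery, registered));
        Console.WriteLine(MatchesIgnoringQuery(otherHost, registered));
    }
}
```

Running `Main` prints the exact-match result first (the failure the post observes) and the path-based result second; the third line shows the host check still rejecting a URI that only shares the path and query.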

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.