I was reading through the OpenID Connect RP-Initiated Logout Spec and I noticed that regarding the `post_logout_redirect_uri` it mentions:

> The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism.

Looking at the current `end_session_endpoint` implementation, it does not provide a way to validate the `post_logout_redirect_uri` as the spec requires.

For context, the way I'm handling the `end_session_endpoint` at the moment is as follows:

On the OP I have this gem configured with:

```ruby
end_session_endpoint do
  Rails.application.routes.url_for({host: ENV["HOST_URL"]}, :destroy_user_session)
end
```

and I have my devise `after_sign_out_path` set to

```ruby
def after_sign_out_path_for(resource)
  if params[:post_logout_redirect_uri].present?
    params[:post_logout_redirect_uri]
  else
    super
  end
end
```

`/auth/sso/logout` which uses the `end_session_endpoint` and is working properly.
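The `after_sign_out_path_for` above returns whatever `post_logout_redirect_uri` the request carries, which is an open redirect from the OP's logout endpoint. The following is an added example (not code from the gem or from the issue author) of the check the spec asks for: the requested URI is accepted only if it exactly matches a URI previously registered for the identified client, otherwise a fixed fallback is used. It is plain Ruby with no Rails or Devise dependency; `REGISTERED_POST_LOGOUT_URIS`, the client id `rp-client-1` and its URI are constructed sample data standing in for the OP's client records, and the client is taken from a `client_id` parameter for simplicity (an OP would normally also accept it from the `aud` of `id_token_hint`).

```ruby
require "uri"

# Constructed sample registry: client_id => post_logout_redirect_uris that
# were registered with the OP. In a real OP this comes from the stored client.
REGISTERED_POST_LOGOUT_URIS = {
  "rp-client-1" => ["https://rp.example.com/auth/sso/logout"],
}.freeze

# Where to send the browser when no acceptable post_logout_redirect_uri exists.
DEFAULT_AFTER_LOGOUT = "/".freeze

# Canonical string form used for comparison: lowercases scheme and host,
# leaves path and query untouched. Returns nil for unusable values.
def canonical_absolute_uri(value)
  uri = URI.parse(value.to_s)
  # Must be absolute (scheme + host) and carry no fragment.
  return nil if uri.scheme.nil? || uri.host.nil? || !uri.fragment.nil?
  uri.normalize.to_s
rescue URI::InvalidURIError
  nil
end

# True only when `requested` exactly matches a URI registered for `client_id`.
# No prefix, host-only or pattern matching: that is what "previously
# registered with the OP" means in practice.
def registered_post_logout_uri?(client_id, requested)
  return false if client_id.nil? || requested.nil?
  wanted = canonical_absolute_uri(requested)
  return false if wanted.nil?
  REGISTERED_POST_LOGOUT_URIS.fetch(client_id, []).any? do |allowed|
    canonical_absolute_uri(allowed) == wanted
  end
end

# The spec passes `state` back to the RP as a query parameter on the
# post-logout URI; append it without clobbering an existing query string.
def append_state(uri_string, state)
  uri = URI.parse(uri_string)
  encoded = URI.encode_www_form(state: state)
  uri.query = [uri.query, encoded].compact.join("&")
  uri.to_s
end

# Replacement for the unvalidated after_sign_out_path_for logic. `params` is a
# plain Hash of request parameters (string keys), so this runs outside Rails.
def safe_after_sign_out_path(params)
  requested = params["post_logout_redirect_uri"]
  client_id = params["client_id"]
  return DEFAULT_AFTER_LOGOUT unless registered_post_logout_uri?(client_id, requested)

  state = params["state"]
  state.nil? || state.empty? ? requested : append_state(requested, state)
end

if __FILE__ == $PROGRAM_NAME
  good = { "client_id" => "rp-client-1", "state" => "xyz",
           "post_logout_redirect_uri" => "https://rp.example.com/auth/sso/logout" }
  bad  = { "client_id" => "rp-client-1",
           "post_logout_redirect_uri" => "https://attacker.example/phish" }
  puts safe_after_sign_out_path(good)
  puts safe_after_sign_out_path(bad)
end
```

Exact matching is deliberate: matching on host alone would still let a registered client redirect to any path on its own host, and prefix matching is routinely bypassed with `..` segments or encoded characters, so the only safe comparison is against the full registered string. When the client cannot be identified at all (no `client_id` and no usable `id_token_hint`), the spec gives the OP no registered list to check against, and the fallback path is the right answer.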