ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

Why are logout URLs compared to redirect URLs? #3791

Closed jnardone closed 4 months ago

jnardone commented 4 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

The configuration validator takes all of the Redirect URIs and validates them, and then it goes through all of the Post Logout Redirect URIs. One check it does is that it requires all of the post-logout redirect URIs to have the same domain/port/protocol as at least one Redirect URI. Why?

I can't find any references in the specification that state that the post-logout URI must be hosted on the same thing as the callback. Other vendors do not have this restriction.

This code https://github.com/ory/hydra/blame/eeaf6f01bcddc85569604702c0e9c2f3857d1902/client/validator.go#L163-L183 hasn't really changed since the initial commit 5 years ago, but this seems out-of-spec to me.

Reproducing the bug

Pass in a configuration where a single post-logout-redirect-url does not share domain/port/scheme with the configured callback URL(s)

Relevant log output

No response

Relevant configuration

No response

Version

2.2.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response
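As an added illustration of the rule this issue describes (not Hydra's own validator code), the following Go sketch reimplements the scheme/host/port comparison and reports which post-logout redirect URIs a client registration would fail on. It assumes a strict match on the lowercased scheme://host[:port] string; the sample URIs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// origin reduces a URI to the scheme://host[:port] triple the check compares.
// Assumed rule: host match is case-insensitive and an explicit default port is
// not folded away, so "https://a.example:443" != "https://a.example".
// Unparseable URIs or ones lacking scheme/host yield "" and never match.
func origin(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// RejectedPostLogoutURIs returns the post-logout redirect URIs that share no
// scheme/host/port with any redirect URI, i.e. the entries the described rule
// would refuse. Hypothetical reimplementation, not Hydra's validator.
func RejectedPostLogoutURIs(redirectURIs, postLogoutURIs []string) []string {
	allowed := map[string]bool{}
	for _, r := range redirectURIs {
		if o := origin(r); o != "" {
			allowed[o] = true
		}
	}
	var rejected []string
	for _, p := range postLogoutURIs {
		if !allowed[origin(p)] {
			rejected = append(rejected, p)
		}
	}
	return rejected
}

func main() {
	// Constructed sample client registration.
	redirects := []string{"https://app.example.com/callback", "http://localhost:3000/cb"}
	postLogout := []string{
		"https://app.example.com/signed-out", // same origin as a redirect URI: accepted
		"https://APP.example.com:443/bye",    // explicit default port: rejected under this rule
		"https://www.example.com/",           // different host: rejected
		"http://localhost:3001/bye",          // different port: rejected
	}
	fmt.Println("rejected:", RejectedPostLogoutURIs(redirects, postLogout))
}
```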