vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

/logout endpoint redirection only accepts a single query parameter #568

Open byrongibby opened 2 months ago

byrongibby commented 2 months ago

Problem description

OAuth provider AWS Cognito requires a number of query parameters (at least two: a client id and a redirect URI, but possibly more) when hitting the /logout endpoint.

It seems that Vouch only allows the first query parameter to pass through; I get a 400 Bad Request with a log output to the effect of:

/logout The requested url is not present in `vouch.post_logout_redirect_uris`: https://my-domain.amazoncognito.com/logout?redirect_uri=https://vouch.mysite.co.za/auth

When the URL specified in vouch.post_logout_redirect_uris is

vouch:
  post_logout_redirect_uris:
    - https://my-domain.amazoncognito.com/logout?redirect_uri=https://vouch.mysite.co.za/auth&client_id=xxxxxxxxxxxxxxx

and the full request was

/logout?url=https://my-domain.amazoncognito.com/logout?redirect_uri=https://vouch.mysite.co.za/auth&client_id=xxxxxxxxxxxxxxx

The effect of which is that I cannot use the Vouch /logout endpoint to sign out in this way.

Caveat

There is a different approach for anyone using AWS Cognito, which is to log out of the IdP first and then redirect back to the Vouch logout endpoint, essentially reversing the flow:

https://my-domain.amazoncognito.com/logout?logout_uri=https://vouch.mysite.co.za/logout?url=https://www.mysite.co.za&client_id=xxxxxxxxxxxxxxx

As a result, I don't need this issue to be resolved, but it may be worth changing Vouch's behaviour if this behaviour was not intended. Otherwise this issue can hopefully still be helpful to anyone else trying to use Vouch with AWS Cognito.

Expected behavior

I expect that the requested URL, i.e. the NEXT_URL in /logout?url=NEXT_URL, will be passed through with all the query parameters listed in vouch.post_logout_redirect_uris.

Desktop (please complete the following information):
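An added example, not from the issue and not vouch-proxy's own code: it uses Go's net/url (the standard library a Go server like Vouch is assumed to parse requests with) to show how the unencoded and the percent-encoded forms of the request above are split, and runs an exact-match allowlist check of the kind the log line reports. The Cognito hostname and client id are placeholders copied from the issue.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed from the issue: the allowlisted logout target (placeholder host and client id).
const cognitoLogout = "https://my-domain.amazoncognito.com/logout?redirect_uri=https://vouch.mysite.co.za/auth&client_id=xxxxxxxxxxxxxxx"

// Stand-in for vouch.post_logout_redirect_uris.
var postLogoutRedirectURIs = []string{cognitoLogout}

// requestedURL extracts the url= parameter the way any Go handler using net/url does:
// the raw query is split on every unescaped '&' before values are unescaped, so a
// nested query that was not percent-encoded loses everything after its first '&'.
func requestedURL(requestPath string) (string, error) {
	u, err := url.Parse(requestPath)
	if err != nil {
		return "", err
	}
	return u.Query().Get("url"), nil
}

// allowed is an exact-match allowlist check; a prefix match would also accept
// targets that merely share the prefix, so the full string must be equal.
func allowed(target string) bool {
	for _, u := range postLogoutRedirectURIs {
		if target == u {
			return true
		}
	}
	return false
}

// logoutRequest builds /logout?url=... with the target percent-encoded as a single
// parameter value, so its own '?' and '&' survive parsing intact.
func logoutRequest(target string) string {
	return "/logout?url=" + url.QueryEscape(target)
}

func main() {
	for _, req := range []string{
		"/logout?url=" + cognitoLogout, // unencoded, as in the issue
		logoutRequest(cognitoLogout),   // percent-encoded
	} {
		got, _ := requestedURL(req)
		fmt.Printf("%s\n  url=%q allowed=%v\n", req, got, allowed(got))
	}
}
```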