[Openid-specs-ab] Issue #1338: Custom scheme for 'post_logout_redirect_uri' parameter in RP-initiated Logout (openid/connect)

cicnavi issues-reply at bitbucket.org
Mon Sep 13 09:20:45 UTC 2021

New issue 1338: Custom scheme for 'post_logout_redirect_uri' parameter in RP-initiated Logout

Marko Ivančić:

In section 2. RP-Initiated Logout, the first sentence states: “An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint.”

In the parameter explanation list, for the ‘post_logout_redirect_uri’ parameter, there is a statement that the scheme SHOULD be ‘https’ but it is allowed to be ‘http’ if the client is confidential. However, in the RP-Initiated Logout spec there is no mention of the ‘native’ clients and how they can/should initiate logout using this flow.

For example, in the ‘core’ spec, there is a clear indication on how a custom scheme can be used for ‘redirect_uri’ parameter by native clients. From core spec Authentication Request: “_The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application._”

It seems to me that parameter ‘post_logout_redirect_uri’ in RP-initiated logout requests can be used by native clients in a similar way as a parameter ‘redirect_uri’ in authentication requests from the core spec.

Is there any reason why custom scheme is not mentioned/allowed in ‘post_logout_redirect_uri’?

Thank you all for your great work on OIDC!
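The OP-side check the message is discussing, as an added illustration (this is not code from the issue, the spec, or any OIDC implementation): the value of post_logout_redirect_uri is first matched exactly against the client's registered values, and only then is the scheme policy applied. The https and confidential-client http rules follow the RP-Initiated Logout text quoted above; the branch that admits a custom scheme for native clients is the poster's proposal, mirroring the core spec's redirect_uri rule, and is marked as an assumption in the code. The RegisteredClient record, its field names, and the sample registrations are all constructed for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class RegisteredClient:
    """Constructed stand-in for an OP's client registration record (not a real OP's schema)."""
    client_id: str
    confidential: bool                     # True for confidential clients, False for public clients
    native: bool                           # True when the registered application_type is 'native'
    post_logout_redirect_uris: list = field(default_factory=list)


def validate_post_logout_redirect_uri(client: RegisteredClient, uri: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a post_logout_redirect_uri presented at the Logout Endpoint.

    Order matters: an unregistered value is rejected before any scheme reasoning, so the
    scheme rules only ever widen or narrow what the registration already permits.
    """
    # Exact string match against the registered values; no prefix or pattern matching,
    # so an attacker cannot append a path or query to a registered URI to redirect elsewhere.
    if uri not in client.post_logout_redirect_uris:
        return False, "uri not registered for this client"

    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        return False, "uri must be absolute"

    if scheme == "https":
        return True, "https"

    if scheme == "http":
        # http is tolerated for confidential clients only (e.g. a server-side RP on localhost).
        if client.confidential:
            return True, "http permitted for confidential client"
        return False, "http only permitted for confidential clients"

    # Any other scheme (e.g. a reverse-DNS app scheme). The RP-Initiated Logout text quoted
    # in the issue does not address this case; this branch implements the poster's suggestion
    # of applying the core spec's native-app redirect_uri rule. ASSUMPTION, not spec text.
    if client.native:
        return True, "custom scheme permitted for native client"
    return False, "custom scheme only permitted for native clients"


if __name__ == "__main__":
    # Constructed sample registrations for a quick local run.
    web = RegisteredClient("web-rp", confidential=True, native=False,
                           post_logout_redirect_uris=["https://rp.example/logged-out",
                                                      "http://localhost:8080/logged-out"])
    app = RegisteredClient("mobile-rp", confidential=False, native=True,
                           post_logout_redirect_uris=["com.example.app:/logged-out"])
    for client, uri in [(web, "https://rp.example/logged-out"),
                        (web, "https://rp.example/logged-out?x=1"),
                        (app, "com.example.app:/logged-out")]:
        print(client.client_id, uri, validate_post_logout_redirect_uri(client, uri))
```

Because registration is checked first, the custom-scheme branch never grants a redirect to a URI the client did not register; it only decides whether a registered non-http(s) value is usable by this kind of client.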
