[Openid-specs-ab] post_logout_redirect_uri

Roland Hedberg roland at catalogix.se
Wed Nov 14 15:14:27 UTC 2018


post_logout_redirect_uri are defined in https://openid.net/specs/openid-connect-session-1_0.html
and refreed to in https://openid.net/specs/openid-connect-frontchannel-1_0.html.

In neither of these documents are there any specification of what a post_logout_redirect_uri
is allowed to look like.

backchannel_logout_uri in https://openid.net/specs/openid-connect-backchannel-1_0.html is defined as:

”The back-channel logout URI MUST be an absolute URI as defined by Section 4.3 of [RFC3986]. 
The back-channel logout URI MAY include an application/x-www-form-urlencoded formatted query component, 
per Section 3.4 of [RFC3986], which MUST be retained when adding additional query parameters. 
The back-channel logout URI MUST NOT include a fragment component.”

The same goes for frontchannel_logout_uri in https://openid.net/specs/openid-connect-frontchannel-1_0.html

I would expect the same rule to apply to post_logout_redirect_uri.

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain

More information about the Openid-specs-ab mailing list