post_logout_redirect_uris requirements on OpenID Connect Session Management 1.0 - draft 28
Pedro Felix
pmhsfelix at gmail.com
Mon May 4 15:10:35 UTC 2020
Hi,
- The `frontchannel_logout_uri`, defined on
https://openid.net/specs/openid-connect-frontchannel-1_0.html, requires the
"domain, port, and scheme of this URL MUST be the same as that of a
registered Redirection URI value". This is understandable, because this URI
is used to control the front-channel, i.e., the user's browser.
- However, I could not find a similar requirement for the URIs in
`post_logout_redirect_uris` (defined in
https://openid.net/specs/openid-connect-session-1_0.html).
Question 1: The sentence "same as that of a registered Redirection URI
value" refers to exactly the registered `redirect_uris`?
Question 2: If so, shouldn't the URIs in `post_logout_redirect_uris` also
be subject to the same requirements?
Thanks,
Pedro
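
The comparison quoted in the message (same domain, port, and scheme as a registered Redirection URI), written as a registration-time check. This is an added example, not part of the original post or of either specification. The function names, the `strict_post_logout` switch, and the sample metadata are assumptions; applying the check to `post_logout_redirect_uris` is the policy the post asks about, not something the quoted spec text states.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(uri):
    """Return (scheme, host, port), normalised, or None if the URI has no usable origin."""
    try:
        parts = urlsplit(uri)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None                  # relative URI or custom-scheme URI without a host
    # urlsplit lowercases scheme and hostname and strips any userinfo before '@'
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)

def check_logout_uris(metadata, strict_post_logout=True):
    """Return (field, uri) pairs whose origin matches no registered redirect_uris entry."""
    allowed = {origin(u) for u in metadata["redirect_uris"]} - {None}
    candidates = []
    if "frontchannel_logout_uri" in metadata:
        candidates.append(("frontchannel_logout_uri", metadata["frontchannel_logout_uri"]))
    if strict_post_logout:           # assumed policy, see lead-in
        for u in metadata.get("post_logout_redirect_uris", []):
            candidates.append(("post_logout_redirect_uris", u))
    return [(f, u) for f, u in candidates if origin(u) not in allowed]

# Constructed client metadata for illustration
SAMPLE = {
    "redirect_uris": ["https://client.example.org/cb",
                      "https://client.example.org:8443/cb2"],
    "frontchannel_logout_uri": "https://CLIENT.example.org:443/logout",
    "post_logout_redirect_uris": [
        "https://client.example.org/bye",
        "https://other.example.net/bye",   # different domain
        "http://client.example.org/bye",   # different scheme and port
    ],
}

if __name__ == "__main__":
    for field, uri in check_logout_uris(SAMPLE):
        print(f"rejected {field}: {uri}")
```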