In section 2. RP-Initiated Logout, the first sentence states: “An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint.”
In the parameter explanation list, for the ‘post_logout_redirect_uri’ parameter, there is a statement that the scheme SHOULD be ‘https’ but it is allowed to be ‘http’ if the client is confidential. However, in the RP-Initiated Logout spec there is no mention of the ‘native’ clients and how they can/should initiate logout using this flow.
For example, in the ‘core’ spec, there is a clear indication of how a custom scheme can be used for the ‘redirect_uri’ parameter by native clients. From core spec 3.1.2.1. Authentication Request: “The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.”
It seems to me that the ‘post_logout_redirect_uri’ parameter in RP-initiated logout requests can be used by native clients in a similar way as the ‘redirect_uri’ parameter in authentication requests from the core spec.
Is there any reason why a custom scheme is not mentioned/allowed in ‘post_logout_redirect_uri’?
Thank you all for your great work on OIDC!
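An added example, not part of the original post or of either spec: a sketch of how an OP could check ‘post_logout_redirect_uri’ under the scheme rule quoted above, with the custom-scheme case the question raises left to an explicit local policy switch. The Client record, the function name, the allow_native_schemes flag, the exact-string comparison and the sample URIs are all assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Client:
    # Hypothetical client record; the field names are assumptions of this example.
    client_id: str
    confidential: bool
    post_logout_redirect_uris: set = field(default_factory=set)


def check_post_logout_redirect_uri(client, uri, allow_native_schemes=False):
    """Return (ok, reason) for the post_logout_redirect_uri of a logout request."""
    # Only redirect to a value the client registered beforehand. Exact string
    # comparison is this example's choice; it avoids prefix or pattern matching.
    if uri not in client.post_logout_redirect_uris:
        return False, "not registered"
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        return False, "missing scheme"
    if scheme == "https":
        return True, "https"
    if scheme == "http":
        # The rule quoted in the post: http only for confidential clients.
        if client.confidential:
            return True, "http, confidential client"
        return False, "http requires a confidential client"
    # Any other scheme is a custom (native callback) scheme. The post notes the
    # logout spec does not mention this case, so it is a local policy decision.
    if allow_native_schemes:
        return True, "custom scheme, allowed by local policy"
    return False, "custom scheme, not allowed by local policy"


# Constructed sample clients and URIs (not taken from the post).
WEB = Client("web-rp", True, {"https://rp.example/logged-out",
                              "http://rp.example/logged-out"})
NATIVE = Client("native-app", False, {"com.example.app:/logged-out",
                                      "http://127.0.0.1/logged-out"})

if __name__ == "__main__":
    for client, uri in [(WEB, "https://rp.example/logged-out"),
                        (WEB, "http://rp.example/logged-out"),
                        (NATIVE, "http://127.0.0.1/logged-out"),
                        (NATIVE, "com.example.app:/logged-out")]:
        print(client.client_id, uri, check_post_logout_redirect_uri(client, uri))
```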