Custom scheme for 'post_logout_redirect_uri' parameter in RP-initiated Logout

Comments (9)

1. 

   Kristina Yasuda

   Could it be a universal link instead of a custom schema to for the native apps?

   • 2021-09-21T00:01:15+00:00
2. 

   David Waite

   Could you clarify your use case/architecture here? Is this a case where the RP is a native app using a web-based OP interface (similar to the setup in RFC 8252), is attempting RP-initiated logout, and needs to terminate in a custom URL scheme (rather than say terminating via applink/universal link?)

   • 2021-09-21T00:03:55+00:00
3. 

   Marko Ivančić reporter

   Thank you for your comments…

   Kristina Yasuda, actually, yes, it could be an “ordinary HTTP(S)” URI, but it requires additional steps for implementer like hosting a website domain, verifying ownership and registering it (example with Android: https://developer.android.com/training/app-links#app-links-vs-deep-links). In that scenario the content of the URI is available in the app or on regular website (for users who don’t have an app). However, I’m not sure if this is feasible for everyone, nor if it is available on every OS… In RFC 8252 this is referred to as "claimed "https" scheme URI": https://datatracker.ietf.org/doc/html/rfc8252#section-7.2

   David Waite, yes, exactly, I’m referring to "private-use URI scheme" in RFC 8252: “…a URI scheme defined by the app (following the requirements of Section 3.8 of
   [RFC7595]) and registered with the operating system. URI requests to such schemes launch the app that registered it to handle the request.”, more here https://datatracker.ietf.org/doc/html/rfc8252#section-7.1

   Also, the RFC 8252 states that “… if the authorization server supports native apps, it must support private-use URI schemes…”: https://datatracker.ietf.org/doc/html/rfc8252#appendix-A (it also mentiones loopback adresses for desktop OS-es…).

   So, again, back to the RP-Initiated Logout spec - since it states that the User-Agent (browser) is to be used for logout requests… It seems to me that in order to accommodate / better support native clients, that is, to enable browsers to invoke a native client after logout using a post_logout_redirect_uri, a custom scheme should be allowed… It also seems viable since the OIDC core spec mentions that a custom scheme intended for native clients may be used for redirect_uri in authentication requests…

   • 2021-09-21T08:53:05+00:00
4. 

   Michael Jones

   • assigned issue to
     
     Michael Jones

   It would seem reasonable to use the same language about the post_logout_redirect_uri that we do for the redirect_uri: “The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.”

   Would that solution work for people?

   • 2022-04-11T20:56:53+00:00
5. 

   Marko Ivančić reporter

   Yes, that would mean that a “private-use” scheme defined by the native app and registered with the operating system can be used. So, in this scenario a request to post_logout_redirect_uri with such scheme can launch an app registered to handle such requests.

   • 2022-04-12T07:46:29+00:00
6. 

   Michael Jones

   This will be fixed by https://bitbucket.org/openid/connect/pull-requests/154/allow-post_logout_redirect_uri-to-use-an .

   • 2022-04-13T21:02:47+00:00
7. 

   Michael Jones

   • changed status to open

   • 2022-04-13T22:35:29+00:00
8. 

   Michael Jones

   • changed status to resolved

   Fixed by https://bitbucket.org/openid/connect/pull-requests/154/allow-post_logout_redirect_uri-to-use-an .

   • 2022-04-19T00:31:44+00:00
9. 

   Michael Jones

   Issue #1490 was marked as a duplicate of this issue.

   • 2022-05-02T17:51:27+00:00
10. Log in to comment