post_logout_redirect_uri not working

fred.fred · 21 Sept 2021, 17:59

We are setting this post_logout_redirect_uri on our log off:

https://auth.apps-d.XXX.com/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A12620%2F&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

Which is http://localhost:12620/

However, FusionAuth is just redirecting to its own root url: https://auth.apps-d.XXX.com/ instead of the post_logout_redirect_uri

Referring to this post: https://fusionauth.io/community/forum/topic/35/is-there-a-way-to-have-a-user-who-logs-out-of-an-application-go-back-to-wherever-they-started-from-at-login

It says the logout redirect url must be an authorized redirect url, which it is:

However, FusionAuth is not redirecting as you can see from this debug session and is just going to root url instead of post_logout_redirect_uri

How do we get FusionAuth to redirect to the passed post_logout_redirect_uri ??

Thanks.

fred.fred · 21 Sept 2021, 18:08

@fred-fred said in post_logout_redirect_uri not working:

http://localhost:12620/

Note, we have also tried setting this localhost address as the Logout URL and we got the same redirect to the root of FusionAuth:

alexander.schamne · 22 Sept 2021, 10:24

Same behaviour here as well, just frustrating. It works when I pass the client_id, but it says it is an optional Parameter. I use the oidc-client javascript library and I can pass the client_id by setting the extraQuery parameter, but then it fail during login, because FusionAUth cannot handle a queryParameter, which is send twice. Frustrating!

fred.fred · 24 Sept 2021, 20:15

@alexander-schamne thanks.

I tried your solution of adding the client id and the tenant id to the post_logout_redirect_uri and the redirection still did not work

This is how my post_logout_redirect_uri looks now:

https://auth.apps-d.XXX.com/oauth2/logout?
post_logout_redirect_uri=http://localhost:12620
&client_id=61c45c9a-XXX //My application's client id
&tenantId=e1809405-YYY //My FA tenant id
&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

It still redirects to the root - https://auth.apps-d.XXX.com/

To anyone on the FusionAuth team, how do we debug or fix this issue?

The FA debug log for the application only shows the login and not the log out.

BTW, I forgot to add in my post, this is how I am logging out the user:

This code block kills off the cookies and session for the FA login.

Note: If I add an explicit redirect to this code, such as:

I still redirect to the root of my FA instance.

fred.fred · 24 Sept 2021, 21:12

FusionAuth team, I think I see the issue.

On log out, my log out url string is this:

https://auth.apps-d.XXX.com/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A12620%26client_id%3D61c45c9a-XXX%26tenantId%3De1809405-YYY&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

If it runs like this, it just redirects to root:

Now if I url decode it to:

https://auth.apps-d.XXX.com/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A12620**&client_id=**61c45c9a-XXX%26tenantId%3De1809405-YYY&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0

Where the ampersand, client id, and equal sign are now &client_id=, the log off and redirection works fine.

I think I can play with encoding, but is there a setting in FA for it to be able to parse an encoded &client_id= ?

alexander.schamne · 27 Sept 2021, 09:00

@fred-fred
Does it also work if you don't pass the client_id to the logout process? I cannot pass the client_id because I use a oidc-client to logout and the client_id, which FusionAuth expects (beside the fact, that the documentaion says its "optional"), is not by oid standard. So the library doesn't support it.

maciej.wisniowski · 27 Sept 2021, 09:06

@alexander-schamne with oidc-client you have UserManager object that gets client_id as a parameter. Not sure why you're passing it as an extra parameter? I have an app using oidc-client with FA and it works properly for me.

@fred-fred I don't think there is any setting that would parse encoded client_id from the query string. For me, it would not make much sense to have something like that. The issue is that the parameters are passed incorrectly so you need to fix the code that constructs such URL and it will work.

alexander.schamne · 27 Sept 2021, 11:38

@maciej-wisniowski
Ok let me explain it to you again, maybe it was not clear enough.

YES the client_id is passed as a parameter to the UserManager of client as well as the post_logout_redirect_url. I do not pass any handmade parameters.

see:

The oidc-client uses the client_id to get the token, and it works!
The oidc-client uses the post_logout_redirect_url for logout, BUT the fusionauth ignores it and readirects me to the auth root. The client_id is not sent here by the oidc-client, as by OID default standard.

SO I tried manually to send the so called in the FusionAuth Documentaion "optinal" parameter: client_id for the logout AND taaaadaaaa it works - the FusionAuth redirects to the passed post_logout_redirect_uri Looks that FusionAuth expects beside the post_logout_redirect_uri also the client_id for logout BUT i cannot set the client_id in the oidc-client library for the logout process, because it is not by standard.

Now clear?!

fred.fred · 27 Sept 2021, 15:48

@alexander-schamne - if you don't pass the client_id it doesn't do anything but redirect to root

fred.fred · 27 Sept 2021, 21:07

Ok this is how I fixed the post_logout_redirect_uri issue.

In my logoff method, I did this to remove the local cookies

Then because I could not use the Owin..OIDC..PostLogoutRedirectUri in the OpenIdConnectAuthenticationOptions to pass the client_id

At the end of the logoff method, I just did this:

This removed the FusionAuth session, does the log out, and redirects to my home page

Thanks to all who tried to help out