I use mod_auth_openidc to implement login on my website. I use multiple providers, so to initiate a login into one I redirect to:
/protected/redirect_uri/?target_link_uri=<urlencoded protected location>&iss=<urlencoded issuer>
which works as expected.
Now I want to initiate a logout in a similar manner, by refering the logout button to:
/protected/redirect_uri?logout=<urlencoded logoutpage>&iss=<urlencoded issuer>
but I simply get a 404. Of course /protected/redirect_uri does not actually exist but for some reson openidc does not handle the logout request.
The logout page is not protected and the provider has an end_session_endpoint in it's metadata.
Asked
Active
Viewed 1,992 times
0
Alex_siem
- 13
- 3
1 Answers
0
the slash at the end of the redirect URI matters, if it is not there the request will not be considered as matching
Hans Z.
- 50,496
- 12
- 102
- 115
-
Thank you, that was indeed the problem. – Alex_siem Jan 11 '21 at 11:24
-
Note that you can define `OIDCRedirectURI` without a trailing slash and in that case requests with a trailing slash will fail. – dreua Apr 25 '22 at 11:56