Reputation: 1264
In an Angular application using angular-auth-oidc-client, when a certain route is loaded and the user logs off, I want to send a different 'post_logout_redirect_uri' value to the OIDC server.
I set the postLogoutRedirectUri in the OIDC config:
    export const OidcConfig: OpenIdConfiguration = {
      postLogoutRedirectUri: window.location.origin + '/index',
      // other configuration parameters ...
    };
If I set it as a custom param as below:
    async signOut() {
      const authOptions: LogoutAuthOptions = {
        customParams: {
          'post_logout_redirect_uri': location.href
        }
      };
      await firstValueFrom(this.oidcSecurityService.logoff(undefined, authOptions));
    }
then the logoff() in OidcSecurityService will first add the URI from the config, then the one I set, which will trigger an exception on the server.
How can I set a different value for 'post_logout_redirect_uri'?
Upvotes: 1
Views: 625
Reputation: 1
The OAuth server has to be preconfigured with "postLogoutRedirectURI" entries and any such URI specified by the client app when triggering the logout / token revocation on the OAuth server must appear on the list of previously defined postLogout URIs configured at the server end. Most servers can be configured with a list of alternate postLogoutRedirectUri parameters but whatever URI the client sends in a logout must appear in that list.
From your question, it appears you've figured out how to override the initial (single) postLogoutRedirectUri parameter of the angular-auth-oidc-client configuration. However, the server is still rejecting the logout request. It's possible the rejection is occurring because:
a) the alternate postLogoutRedirectUri string you sent hasn't been configured on the server so it is blocking the client request as a security concern
OR
b) the angular-auth-oidc-client library is actually sending TWO values for postLogoutRedirectURI (the main one from the config and the dynamically added one), the server sees BOTH and does a security match test on both and treats that as a failure
If (a), you should be able to fix the problem by simply adding the additional URI in the server's configuration for your client application.
If (b), fixing that would require a modification to the library to only send the LAST value for postLogoutRedirectUri seen rather than appending them. That would require an enhancement in the library.
Upvotes: 0
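To tell cases (a) and (b) from the answer above apart, copy the logout URL from the browser's network tab and check it as below. This is an added example, not part of the question, the answer, or angular-auth-oidc-client; the function names, the host names and the registered-URI list are constructed for illustration, and a real server may apply different rules.

```javascript
// Classify an end-session (logout) URL the way a strict server-side check might.
const PARAM = 'post_logout_redirect_uri';

function checkLogoutRequest(logoutUrl, registeredUris) {
  const values = new URL(logoutUrl).searchParams.getAll(PARAM);
  if (values.length === 0) {
    // Nothing to validate: the request carries no redirect target.
    return { ok: true, reason: 'absent', values };
  }
  if (values.length > 1) {
    // Case (b): the parameter was appended twice, so the request is ambiguous.
    return { ok: false, reason: 'duplicate', values };
  }
  // Case (a): exact string comparison against the registered list,
  // no prefix, wildcard or case-insensitive matching.
  if (!registeredUris.includes(values[0])) {
    return { ok: false, reason: 'unregistered', values };
  }
  return { ok: true, reason: 'match', values };
}

// Hypothetical client-side helper: URLSearchParams.set() replaces every
// existing copy of the parameter, so exactly one value is sent.
function withSingleRedirect(logoutUrl, redirectUri) {
  const url = new URL(logoutUrl);
  url.searchParams.set(PARAM, redirectUri);
  return url.toString();
}

// Constructed sample data (assumed hosts and paths).
const REGISTERED = ['https://app.example.test/index'];
const ROUTE_URI = 'https://app.example.test/reports';
const DUPLICATED_URL =
  'https://idp.example.test/connect/endsession?id_token_hint=constructed' +
  '&' + PARAM + '=' + encodeURIComponent(REGISTERED[0]) +
  '&' + PARAM + '=' + encodeURIComponent(ROUTE_URI);

console.log(checkLogoutRequest(DUPLICATED_URL, REGISTERED).reason);
const fixedUrl = withSingleRedirect(DUPLICATED_URL, ROUTE_URI);
console.log(checkLogoutRequest(fixedUrl, REGISTERED).reason);
console.log(checkLogoutRequest(fixedUrl, [...REGISTERED, ROUTE_URI]).reason);
```

A 'duplicate' result points to case (b); 'unregistered' on a single-valued request points to case (a), which is fixed by registering the route's URI on the server.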