Since there is no clientId in the logout request, it's not possible to validate the URL against the client's list of Valid Redirect URIs, thus allowing redirection to an arbitrary URL: https://idserver/auth/realms/realm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fattackers.website
Is there a workaround for this issue or does it have to be a code fix? Thank you.
You can (and should) register "Valid Redirect URIs" for each client in the realm. If you don't, and specify e.g. "*" to allow any URL, exactly the thing you describe will happen.
Try the logout with the realm "master" (with the initial configuration): you'll get the error message "Invalid redirect uri".
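As an added illustration of the check the answer describes (this is example code written for this page, not Keycloak's own implementation), the following Python models the "Valid Redirect URIs" decision: a logout request that names no client has no list to validate against and is rejected, a client registered with a bare "*" accepts the attacker's URL from the question, and a client with a concrete list rejects it. The client registrations and the matcher semantics (exact match, or a trailing "*" treated as an any-suffix wildcard) are simplifying assumptions made here, not a statement of how Keycloak matches internally.

```python
from urllib.parse import urlsplit

# Constructed client registrations for the example; not a real realm export.
CLIENTS = {
    "webapp": [
        "https://app.example.com/callback",
        "https://app.example.com/logout/*",
    ],
    # The misconfiguration the answer warns about: any URL is allowed.
    "sloppy": ["*"],
}


def matches(registered: str, candidate: str) -> bool:
    """Assumed (simplified) semantics of one 'Valid Redirect URI' entry:
    a bare '*' matches everything, a trailing '*' matches any suffix,
    anything else must match exactly."""
    if registered == "*":
        return True
    if registered.endswith("*"):
        return candidate.startswith(registered[:-1])
    return candidate == registered


def validate_redirect(client_id, redirect_uri, clients=CLIENTS):
    """Return (allowed, reason) for a redirect_uri on a logout request.

    Without a client id there is no registered list to check against,
    which is exactly why the unauthenticated logout in the question
    cannot be validated; a correct implementation must reject it."""
    if client_id is None or client_id not in clients:
        return False, "no client to validate against"

    # Only absolute http(s) URLs are considered at all.
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "not an absolute http(s) URL"

    for entry in clients[client_id]:
        if matches(entry, redirect_uri):
            return True, f"matched {entry!r}"
    return False, "Invalid redirect uri"


def risky_entries(entries):
    """Flag registrations that make the check toothless under the assumed
    prefix matching: a bare '*', or a wildcard that sits before the path
    starts (so 'https://app.example.com*' also covers other hosts that
    merely begin with that string)."""
    risky = []
    for entry in entries:
        if entry == "*":
            risky.append(entry)
        elif entry.endswith("*") and "/" not in urlsplit(entry[:-1]).path:
            risky.append(entry)
    return risky


if __name__ == "__main__":
    attacker = "http://attackers.website"
    print(validate_redirect(None, attacker))        # no client: rejected
    print(validate_redirect("sloppy", attacker))    # '*' registered: allowed
    print(validate_redirect("webapp", attacker))    # concrete list: rejected
    print(risky_entries(["*", "https://app.example.com*", "https://app.example.com/*"]))
```

Running the script shows the three outcomes side by side; `risky_entries` is the kind of configuration lint worth running over every client's list after enabling the setting, since a wildcard placed before the first "/" of the path is nearly as permissive as "*".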