post_logout_redirect_uri not working in end-session endpoint #604

Open
opened 2026-02-04 20:38:27 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @ai480 on GitHub (Jan 12, 2026).

Description

The post_logout_redirect_uri parameter in the OIDC end-session endpoint doesn't redirect the user back to the specified URI after logout.

Steps to Reproduce

  1. Configure an OIDC client (e.g., Filestash) with PocketID
  2. Set the logout URL to: https://auth.example.com/api/oidc/end-session?post_logout_redirect_uri=https://app.example.com
  3. User logs into the app via PocketID
  4. User clicks logout in the app
  5. User is redirected to PocketID logout confirmation page
  6. User confirms logout

Expected Behavior

After confirming logout, the user should be redirected to https://app.example.com (the post_logout_redirect_uri).

Actual Behavior

After confirming logout, the user is redirected to https://auth.example.com/login?redirect=%2F instead of the specified redirect URI.

Additional Context

  • The end_session_endpoint is correctly advertised in /.well-known/openid-configuration
  • Tried both URL-encoded and non-encoded redirect URIs
  • This breaks the SSO logout flow for applications that rely on returning users to the app after logout

Environment

  • PocketID version: Latest (Docker)
  • Browser: Chrome/Firefox on Linux

Suggested Solution

The end-session endpoint should:

  1. Accept and validate post_logout_redirect_uri parameter
  2. Optionally require the URI to be pre-registered in the OIDC client settings for security
  3. Redirect to this URI after successful logout confirmation
Originally created by @ai480 on GitHub (Jan 12, 2026). ## Description The `post_logout_redirect_uri` parameter in the OIDC end-session endpoint doesn't redirect the user back to the specified URI after logout. ## Steps to Reproduce 1. Configure an OIDC client (e.g., Filestash) with PocketID 2. Set the logout URL to: `https://auth.example.com/api/oidc/end-session?post_logout_redirect_uri=https://app.example.com` 3. User logs into the app via PocketID 4. User clicks logout in the app 5. User is redirected to PocketID logout confirmation page 6. User confirms logout ## Expected Behavior After confirming logout, the user should be redirected to `https://app.example.com` (the `post_logout_redirect_uri`). ## Actual Behavior After confirming logout, the user is redirected to `https://auth.example.com/login?redirect=%2F` instead of the specified redirect URI. ## Additional Context - The `end_session_endpoint` is correctly advertised in `/.well-known/openid-configuration` - Tried both URL-encoded and non-encoded redirect URIs - This breaks the SSO logout flow for applications that rely on returning users to the app after logout ## Environment - PocketID version: Latest (Docker) - Browser: Chrome/Firefox on Linux ## Suggested Solution The end-session endpoint should: 1. Accept and validate `post_logout_redirect_uri` parameter 2. Optionally require the URI to be pre-registered in the OIDC client settings for security 3. Redirect to this URI after successful logout confirmation
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#604