Replies: 1 comment
https://github.com/panva/node-oidc-provider/releases/tag/v9.4.2
Problem

The current implementation correctly handles flexible port matching for redirectUriAllowed() per RFC 8252 Section 7.3, but postLogoutRedirectUriAllowed() uses exact string matching. This creates inconsistent behavior where native apps using ephemeral ports can authenticate but cannot log out.

RFC 8252 Context

Section 7.3 requires: "The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request."

While this specifically addresses redirect URIs, the same technical constraints apply to post-logout scenarios for native apps.

Proposed Solution

For application_type: 'native' clients using loopback addresses (127.0.0.1, localhost, [::1]), postLogoutRedirectUriAllowed() should implement the same flexible port matching logic as redirectUriAllowed().

Impact

This would align logout behavior with authentication behavior and follow the spirit of RFC 8252 for native app development.

Note: I am aware there are workarounds, but my argument is that oidc-provider doesn't follow RFC 8252 as it was intended.
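As an added illustration (not node-oidc-provider's own code), here is a loopback-aware check of the kind proposed above, with hypothetical helper names. It keeps exact matching for every client and relaxes only the port, only for native clients, and only when both the requested and the registered URI are plain-http loopback URIs whose every other component matches.

```javascript
// Added example, not node-oidc-provider's code. Hypothetical helper names.
// Loopback hosts as listed in the post above; RFC 8252 only names the IPs.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]']);

// True only for a parseable http:// URI whose host is a loopback host.
// (WHATWG URL keeps the brackets on an IPv6 hostname, hence '[::1]'.)
function isLoopbackRedirect(uri) {
  let u;
  try { u = new URL(uri); } catch { return false; }
  return u.protocol === 'http:' && LOOPBACK_HOSTS.has(u.hostname);
}

// Compare every component except the port: scheme, userinfo, host,
// path, query and fragment must all be identical.
function sameExceptPort(requested, registered) {
  const a = new URL(requested);
  const b = new URL(registered);
  return a.protocol === b.protocol &&
    a.username === b.username && a.password === b.password &&
    a.hostname === b.hostname &&
    a.pathname === b.pathname &&
    a.search === b.search && a.hash === b.hash;
}

// Exact string match for all clients (unchanged behaviour); the
// port-agnostic loopback match is an extra path for native clients only.
function postLogoutRedirectUriAllowed(client, requested) {
  const registered = client.post_logout_redirect_uris || [];
  if (registered.includes(requested)) return true;
  if (client.application_type !== 'native') return false;
  if (!isLoopbackRedirect(requested)) return false;
  return registered.some(
    (r) => isLoopbackRedirect(r) && sameExceptPort(requested, r),
  );
}

module.exports = { isLoopbackRedirect, sameExceptPort, postLogoutRedirectUriAllowed };
```

Note that the host itself is still matched exactly: a client registered with 127.0.0.1 is not allowed to redirect to localhost on an arbitrary port, and a non-loopback registered URI never gets the relaxed port check.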