Validate post_logout_redirect_uri against wildcards
Description
FusionAuth 1.43.0 introduced the ability to provide wildcards for authorized redirect and origin URLs in the OAuth configuration.
The post_logout_redirect_uri is validated against authorized redirect URLs, but it requires an exact match to a configured value instead of validating against wildcards even when URL Validation is set to AllowWildcards.
Affects versions
1.43.0+
Steps to reproduce
Steps to reproduce the behavior:
Application OAuth Configuration
Set URL Validation to "Allow wildcards"
Add an authorized redirect URL containing a wildcard (e.g. https://example.com/*)
Add a logout URL that matches the pattern (e.g. https://example.com/logout)
Complete an OAuth logout workflow
Browser is redirected to https://example.com/logout
An error is displayed for invalid_post_logout_redirect_uri
Expected behavior
post_logout_redirect_uri should be validated according to wildcard rules when URL validation is set to "Allow wildcards".
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
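
The gap between the reported and the expected behaviour, shown as an added example that is not FusionAuth's code and not part of the original issue: one validator with an exact-match mode and a wildcard mode. The wildcard rule used here (`*` honoured in the path only, with scheme, host and port compared literally) is an assumption and not FusionAuth's documented matching rule; `uri_allowed` and every URL other than the two from the reproduction steps are constructed.

```python
import re
from urllib.parse import urlsplit

# Authorized redirect URL from the issue's reproduction steps.
AUTHORIZED = ["https://example.com/*"]


def _origin(parts):
    # Scheme, host and port are compared literally; only the path may carry "*".
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def uri_allowed(candidate, authorized, allow_wildcards):
    """Return True if candidate matches an authorized entry.

    allow_wildcards=False reproduces the exact-match check the issue reports
    for post_logout_redirect_uri; True is the behaviour the issue asks for.
    """
    if candidate in authorized:
        return True
    if not allow_wildcards:
        return False
    try:
        cand = urlsplit(candidate)
        cand_origin = _origin(cand)
    except ValueError:  # malformed port or host
        return False
    # Refuse userinfo and dot segments so a path wildcard cannot be widened.
    if cand.username is not None or ".." in cand.path.split("/"):
        return False
    for entry in authorized:
        pattern = urlsplit(entry)
        if "*" not in pattern.path or _origin(pattern) != cand_origin:
            continue
        # Escape the literal parts of the path; each "*" becomes ".*".
        regex = ".*".join(re.escape(part) for part in pattern.path.split("*"))
        if re.fullmatch(regex, cand.path):
            return True
    return False


if __name__ == "__main__":
    logout = "https://example.com/logout"  # logout URL from the issue
    print("exact match only:", uri_allowed(logout, AUTHORIZED, False))
    print("wildcards honoured:", uri_allowed(logout, AUTHORIZED, True))
    # Constructed look-alike host: must fail even in wildcard mode.
    print("look-alike host:", uri_allowed("https://example.com.example.net/logout", AUTHORIZED, True))
```
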