Validate post_logout_redirect_uri against wildcards

[spwitt]

Validate post_logout_redirect_uri against wildcards

Description

FusionAuth 1.43.0 introduced the ability to provide wildcards for authorized redirect and origin URLs in the OAuth configuration.

The post_logout_redirect_uri is validated against authorized redirect URLs, but it requires an exact match to a configured value instead of validating against wildcards even when URL Validation is set to AllowWildcards.

Affects versions

1.43.0+

Steps to reproduce

Steps to reproduce the behavior:

1. Application OAuth Configuration
2. Set URL Validation to "Allow wildcards"
3. Add an authorized redirect URL containing a wildcard (e.g. https://example.com/*)
4. Add a logout URL that matches the pattern (e.g. https://example.com/logout)
5. Complete an OAuth logout workflow
6. Browser is redirected to https://example.com/logout
7. An error is displayed for invalid_post_logout_redirect_uri

Expected behavior

post_logout_redirect_uri should be validated according to wildcard rules when URL validation is set to "Allow wildcards".

Screenshots

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Related

• post_logout_redirect_uri does not work with wildcard specified url #2164

Additional context

• https://fusionauth.zendesk.com/agent/tickets/73256

[robotdan]

Closing as duplicate. Will fix under #2164.