OIDC post-logout redirects to custom URL schemes


Jed Liu

Feb 3, 2026, 3:32:19 PM (4 days ago) Feb 3
to CAS Community
We're encountering an issue with OIDC post-logout redirects (i.e., the post_logout_redirect_uri query parameter to the oidcLogout endpoint). When the redirect is to a custom URL scheme, it's interpreted as a CAS-relative path. For example, a redirect intended for
  custom://post_logout_redirect_uri
would instead go to

In our CAS deployment, we've implemented a workaround, where we've overridden OidcLogoutEndpointController.executeLogoutRedirect to send the redirect via CAS's OAuth2 callbackAuthorize endpoint. We'd like to contribute a proper fix back to CAS, but we're not sure what the preferred approach is. Any advice would be appreciated. Thanks!


Jed Liu
Software Engineer, eBird
Cornell Lab of Ornithology
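The thread describes a post_logout_redirect_uri with a custom scheme being treated as a CAS-relative path. As an added example (not code from this thread or from CAS), the block below shows the two checks an OIDC provider should make before following that parameter: detect an absolute URI by its scheme rather than by an http(s) prefix, and then require an exact match against the client's pre-registered post-logout redirect URIs, which is what OpenID Connect RP-Initiated Logout 1.0 mandates. The client ids, the registry and the state value are constructed for illustration, and naive_is_absolute is a constructed check that only reproduces the failure mode described, not CAS's own logic.

```python
"""Validating post_logout_redirect_uri for an OIDC RP-Initiated Logout endpoint.

Added example, not CAS code: the registry, client ids and URIs below are
constructed for illustration.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registry: pre-registered post-logout redirect URIs per client.
# Hypothetical client ids; a real OP would load these from its service registry.
REGISTERED_POST_LOGOUT_URIS = {
    "ebird-mobile": ("custom://post_logout_redirect_uri",),
    "web-app": ("https://app.example.org/signed-out",),
}


class InvalidPostLogoutRedirect(ValueError):
    """Raised when a post_logout_redirect_uri must not be followed."""


def naive_is_absolute(uri: str) -> bool:
    """Constructed check reproducing the failure mode from the thread: anything
    that is not http(s) is taken to be relative, so a custom:// URI would be
    resolved against the server's own base URL. Illustrative only; not CAS code."""
    return uri.startswith(("http://", "https://"))


def is_absolute_uri(uri: str) -> bool:
    """True when the URI carries any scheme (custom://, https://, ...).
    Path-relative (/x) and scheme-relative (//host/x) values are not absolute."""
    return bool(urlsplit(uri).scheme)


def validate_post_logout_redirect(client_id: str, uri: str) -> str:
    """Return the URI to redirect to, or raise InvalidPostLogoutRedirect.

    RP-Initiated Logout 1.0 section 3: the value MUST match a pre-registered
    post_logout_redirect_uri for the client by simple string comparison. The
    absolute-URI check blocks the relative-path interpretation up front and
    gives a clearer error; the allowlist is what prevents open redirects.
    """
    if "\r" in uri or "\n" in uri:
        raise InvalidPostLogoutRedirect("CR/LF in redirect target (header injection)")
    if not is_absolute_uri(uri):
        raise InvalidPostLogoutRedirect(f"not an absolute URI: {uri!r}")
    if uri not in REGISTERED_POST_LOGOUT_URIS.get(client_id, ()):
        raise InvalidPostLogoutRedirect(f"{uri!r} is not registered for {client_id!r}")
    return uri


def build_logout_location(client_id: str, uri: str, state: Optional[str] = None) -> str:
    """Build the Location header value for the post-logout redirect, appending
    the RP-supplied state as a query parameter as the spec requires."""
    target = validate_post_logout_redirect(client_id, uri)
    if state is None:
        return target
    parts = urlsplit(target)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def is_accepted(client_id: str, uri: str) -> bool:
    """True if the redirect would be followed for this client."""
    try:
        validate_post_logout_redirect(client_id, uri)
    except InvalidPostLogoutRedirect:
        return False
    return True


if __name__ == "__main__":
    custom = "custom://post_logout_redirect_uri"
    print("naive check treats custom scheme as relative:", not naive_is_absolute(custom))
    print("scheme-based check sees it as absolute:", is_absolute_uri(custom))
    print(build_logout_location("ebird-mobile", custom, state="af0ifjsldkj"))
    for client, uri in [
        ("web-app", custom),
        ("web-app", "https://app.example.org/signed-out/../x"),
        ("ebird-mobile", "javascript:alert(1)"),
    ]:
        print(client, uri, "->", is_accepted(client, uri))
```

The exact-match allowlist is what carries the security weight: once the scheme test is widened to accept custom schemes, anything like javascript: or an attacker's https: host is also syntactically absolute, so the OP must not follow a post-logout target that the client did not register verbatim.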

Ray Bon

Feb 3, 2026, 5:52:04 PM (4 days ago) Feb 3
to cas-...@apereo.org
Jed,

You will need tests to go with your change (or update existing test). See https://github.com/apereo/cas/tree/master/ci for functional tests.
Also check this blog, https://fawnoos.com/blog/

Ray



Jed Liu

Feb 4, 2026, 2:53:16 PM (3 days ago) Feb 4
to CAS Community
Thanks, Ray, for the quick response!

I was more looking to see if anyone had advice on a better solution to the issue. I'm not sure whether my approach is a misuse of the callbackAuthorize endpoint.

Writing a comprehensive functional test for this seems challenging, due to Puppeteer's limitations around custom URL schemes. Instead, I've written a negative test to check that the custom URL scheme isn't treated as a relative path.

In any case, I've opened a couple of PRs with this work: #8402 for the master branch, and #8403 for the 7.3.x branch. Happy to discuss these changes either here or on those PRs!

Thanks,

Jed Liu
Software Engineer, eBird
Cornell Lab of Ornithology

