Hello,
we have found several surprising issues/bugs in the CAS class DefaultLogoutRedirectionStrategy in relation to the CAS setting "cas.view.default-redirect-url", i.e. the default login/logout URL. These probably go back to CAS version 6.x.
One of the issues is that, due to the logic in this class, CAS ignores the post_logout_redirect_uri request parameter when a default login/logout URL is set in CAS properties.
For now, we have fixed this issue with OIDC (and possibly also with other logout flows - see all the usages of putLogoutRedirectUrl(final HttpServletRequest request, final String service)) by simply moving the class's code which reads and uses the variable authorizedRedirectUrlFromRequest to the very beginning of the method.
Anyone else facing a similar issue? And while the fix seems 100% logical, maybe we have overlooked something?
Best regards
Petr
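
The precedence problem described in the message above, as an added example that is not part of the original post and is not CAS source code. It is a simplified model: the class, the method names, the exact-match allowlist of registered URIs and the example.org URLs are all assumptions made for illustration.

```java
import java.util.Optional;
import java.util.Set;

// Simplified model of the ordering issue; NOT CAS source code.
// All names and URLs here are hypothetical.
public class LogoutRedirectOrder {

    // Order described in the post: a configured default URL wins, so the
    // redirect target carried by the request is never consulted.
    static Optional<String> defaultFirst(String defaultUrl, String requested, Set<String> registered) {
        if (defaultUrl != null && !defaultUrl.isBlank()) {
            return Optional.of(defaultUrl);
        }
        return authorized(requested, registered);
    }

    // Reordered: an authorized request target wins, the default is the fallback.
    static Optional<String> requestFirst(String defaultUrl, String requested, Set<String> registered) {
        Optional<String> fromRequest = authorized(requested, registered);
        if (fromRequest.isPresent()) {
            return fromRequest;
        }
        return Optional.ofNullable(defaultUrl).filter(u -> !u.isBlank());
    }

    // Assumed exact-match allowlist: an unregistered target is dropped, so
    // checking the request first does not turn logout into an open redirect.
    static Optional<String> authorized(String requested, Set<String> registered) {
        return Optional.ofNullable(requested).filter(registered::contains);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String defaultUrl = "https://portal.example.org/";
        Set<String> registered = Set.of("https://app.example.org/bye");
        String known = "https://app.example.org/bye";
        String unknown = "https://unregistered.example.net/";

        System.out.println("default first, known target:   " + defaultFirst(defaultUrl, known, registered).orElse("none"));
        System.out.println("request first, known target:   " + requestFirst(defaultUrl, known, registered).orElse("none"));
        System.out.println("request first, unknown target: " + requestFirst(defaultUrl, unknown, registered).orElse("none"));
        System.out.println("request first, no default:     " + requestFirst(null, unknown, registered).orElse("none"));
    }
}
```

The point to verify when reordering is the third case: the request-supplied target should only take precedence once it has been matched against what the service registered.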