I’m trying to implement logout with the returnTo parameter, but the behavior around the validation of the returnTo parameter doesn’t seem to match the documentation: https://auth0.com/docs/logout/guides/redirect-users-after-logout
I’m specifying a returnTo parameter, without a client_id, so I would expect the validation to occur based upon the tenant settings. The returnTo parameter I’m providing is something like “https://subdomain.website.com?loggedOut=true”, and the allowed logout url at the tenant level is “https://*.website.com”. When I actually try to log out, I get an error saying the logout url isn’t listed for the application settings. That doesn’t match the documentation, which states it validates against the tenant settings.
After I updated the application settings to match the tenant settings (allowed logout url is “https://*.website.com”), it still gives me the same error. The only way I’m able to get past this error is to actually specify the exact URL at the application and tenant level, i.e. “https://subdomain.website.com?loggedOut=true”. This is contrary to the documentation, which says wildcards are allowed, query parameters and fragments are ignored, and that it only validates at the tenant setting if the client_id is not provided.
Can someone please clarify/confirm the exact behavior of the allowed logout urls, or if there’s something in my configuration I’m missing?
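
An added example, not part of the original post and not Auth0's code: a small checker that applies the rules as the post says the documentation describes them (wildcard subdomain, query string and fragment ignored), so a returnTo value can be classified as a literal match, a match only under those rules, or no match. The function names, the single-label reading of `*`, and the `evil.example` host in the test values are assumptions made for illustration.

```javascript
// Added example: models the validation rules as the post says the docs
// describe them. It is not Auth0's implementation.

// Split an allowlist entry into scheme, host[:port] and path without using
// URL, so a "*" label in the host is handled explicitly.
function parseAllowed(entry) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)([^?#]*)/i.exec(entry);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), path: m[3] || "/" };
}

// Assumption: "*" stands for exactly one subdomain label (the stricter reading).
function hostMatches(patternHost, host) {
  if (!patternHost.startsWith("*.")) return patternHost === host;
  const suffix = patternHost.slice(1); // e.g. ".website.com"
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, -suffix.length);
  return label.length > 0 && !label.includes(".");
}

// Returns "exact" (literal string match), "normalized" (match once query and
// fragment are ignored and wildcards are expanded) or "none".
function checkReturnTo(returnTo, allowedEntries) {
  if (allowedEntries.includes(returnTo)) return "exact";
  let url;
  try { url = new URL(returnTo); } catch { return "none"; }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  for (const entry of allowedEntries) {
    const allowed = parseAllowed(entry);
    if (!allowed) continue;
    // url.host carries the port when one is given; url.search and url.hash
    // are never consulted, which is how query and fragment get ignored.
    if (allowed.scheme === scheme && hostMatches(allowed.host, url.host) &&
        allowed.path === url.pathname) return "normalized";
  }
  return "none";
}
```

A result of "normalized" for a URL that the service rejects points to the service comparing more strictly than these rules, which is the mismatch the post describes.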