Dynamically Redirect a User after Logout if there are More than 100 Destinations

Overview

A user should be redirected after logout to their own company's landing page. However, the Allowed Logout URLs list is limited to 100 entries, which may not be enough to hold all the required URLs.

Cause

There are some limitations with respect to Allowed Logout URLs for a given application:

  1. Wildcards are not allowed on the path.
  2. The list of URLs is limited to 100.

Solution

There are two potential workarounds here:

  1. Use a wildcard subdomain - If each customer has its own subdomain in the app, a wildcard can be used so the return URL may belong to any of these subdomains without each one having to be allowed individually.
  2. Add a query parameter to determine the next location - A single, central location can be added to the Allowed Logout URLs, and when the user logs out, a query parameter indicating the destination can be appended to this URL when it is sent as the returnTo parameter. Auth0 does not validate query parameters when using the /v2/logout endpoint. When the user lands on this URL, the app can check the query parameter and issue a redirect based on it. Validate the parameter before redirecting in order to avoid open redirect attacks. NOTE: Auth0 validates the query parameters when using the OIDC logout endpoint (/oidc/logout), so this workaround is feasible only if the /v2/logout endpoint is used.
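The second workaround, as an added example that is not part of the original article or Auth0's own code: one function builds the /v2/logout URL with the destination carried in the returnTo query string, and another, run by the central landing page, only redirects to a destination that matches an allowlist. The landing URL https://logout.example.com/done, the parameter name "next", the company list and the tenant values are all assumptions made for the example.

```javascript
// Added example, not Auth0's code. Assumed: the single allowlisted logout URL
// is https://logout.example.com/done and the destination travels in "next".
const LANDING_URL = "https://logout.example.com/done";

// Constructed allowlist of company landing pages (slug -> origin + path prefix).
const ALLOWED_DESTINATIONS = new Map([
  ["acme", "https://acme.example.com/"],
  ["globex", "https://globex.example.com/portal/"],
]);

// Build the /v2/logout URL. returnTo is the one allowlisted landing URL, with the
// destination appended as a query parameter (not validated by /v2/logout).
function buildLogoutUrl(tenantDomain, clientId, company) {
  const returnTo = new URL(LANDING_URL);
  returnTo.searchParams.set("next", company);
  const logout = new URL(`https://${tenantDomain}/v2/logout`);
  logout.searchParams.set("client_id", clientId);
  logout.searchParams.set("returnTo", returnTo.toString());
  return logout.toString();
}

// Landing-page side: turn the raw "next" value into a safe redirect target.
// Accepts a company slug (preferred, nothing from the client is used as a URL)
// or a full URL, which must match an allowlisted origin and path prefix.
// Anything else falls back to the landing page itself (no open redirect).
function resolvePostLogoutRedirect(next) {
  if (typeof next !== "string" || next.length === 0 || next.length > 2048) {
    return LANDING_URL;
  }
  if (ALLOWED_DESTINATIONS.has(next)) return ALLOWED_DESTINATIONS.get(next);

  let candidate;
  try {
    // Parsed without a base URL: relative values and "//host" forms throw and
    // are rejected rather than being resolved against our own origin.
    candidate = new URL(next);
  } catch (_) {
    return LANDING_URL;
  }
  if (candidate.protocol !== "https:") return LANDING_URL;   // blocks javascript:, http:
  if (candidate.username || candidate.password) return LANDING_URL;

  for (const allowed of ALLOWED_DESTINATIONS.values()) {
    const a = new URL(allowed);
    if (candidate.origin === a.origin && candidate.pathname.startsWith(a.pathname)) {
      // Rebuild from the parsed parts so nothing unexpected is carried through.
      return candidate.origin + candidate.pathname;
    }
  }
  return LANDING_URL;
}
```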