Error: "invalid_request: The "post_logout_redirect_uri" Querystring Parameter "XXX" is not Defined as a Valid URL in "Allowed Logout URLs"

Overview

When logging out of the application, the following error appears:

"invalid_request: The "post_logout_redirect_uri" querystring parameter "https://<DOMAIN>/v2/logout?client_id=ABC&returnTo=https://www.someurl.com" is not defined as a valid URL in "Allowed Logout URLs". To add a new URL, please do it here: https://manage.auth0.com/#/applications/<client_id>/settings"

The URL https://www.someurl.com has already been added to the Allowed Logout URLs list in the application's Settings tab.

The same configuration is applied in a different tenant, where it works with no issues.

Cause

When using the /oidc/logout endpoint, the post_logout_redirect_uri must match EXACTLY one of the URLs in the application's Allowed Logout URLs list. The /v2/logout endpoint does not have this requirement: with that endpoint, query parameters in the redirect URL are not taken into account.

It is possible that the value of the URL in production does not match EXACTLY any of the Allowed Logout URLs in the application settings, because the redirect URL carries query parameters and the /oidc/logout endpoint is in use.

This is described in the following documentation: Add parameters to post-logout redirect URL
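To make the two matching rules concrete, the following is an added example (not Auth0's code and not the SDK's) that models the exact-match check the article attributes to /oidc/logout next to the query-insensitive check it attributes to /v2/logout, and runs both over the kind of returnTo value the broken handler produced. The allowlist, the placeholder tenant host and the ABC client_id are constructed for the example; the page only gives `<DOMAIN>` and `ABC`.

```javascript
// Added example, not Auth0's or the SDK's code. It models the two matching
// rules the article contrasts so the failure can be reproduced offline.
// ALLOWED is a constructed stand-in for the application's "Allowed Logout URLs".
const ALLOWED = ['https://www.someurl.com'];

// Rule used by /oidc/logout as the article describes it: the
// post_logout_redirect_uri must be byte-for-byte equal to an allowed entry.
// Scheme, host, path AND query string all count.
function allowedExact(candidate, allowed = ALLOWED) {
  return allowed.includes(candidate);
}

// Rule used by /v2/logout as the article describes it: query parameters on
// the returnTo URL are not taken into account, so compare with them removed.
function stripQuery(url) {
  const u = new URL(url); // throws on malformed input; the caller handles it
  u.search = '';
  u.hash = '';
  return u.toString();    // normalized form, e.g. "https://www.someurl.com/"
}

function allowedIgnoringQuery(candidate, allowed = ALLOWED) {
  let stripped;
  try {
    stripped = stripQuery(candidate);
  } catch {
    return false;         // not a URL at all: never allow it
  }
  return allowed.some((entry) => stripQuery(entry) === stripped);
}

// Mirrors what the broken handler in the article passed as returnTo: an
// entire /v2/logout URL carrying its own client_id and returnTo parameters.
// The issuer host is a constructed placeholder for the article's <DOMAIN>.
const ISSUER = 'https://tenant-domain-placeholder.example';
const BROKEN_RETURN_TO =
  `${ISSUER}/v2/logout?client_id=ABC&returnTo=https://www.someurl.com`;
const FIXED_RETURN_TO = 'https://www.someurl.com';

// Evaluate one candidate under both rules and return the verdicts, so the
// outcome can be inspected or asserted rather than only printed.
function classify(candidate, allowed = ALLOWED) {
  return {
    oidcLogout: allowedExact(candidate, allowed),
    v2Logout: allowedIgnoringQuery(candidate, allowed),
  };
}

for (const c of [BROKEN_RETURN_TO, FIXED_RETURN_TO, 'https://www.someurl.com?tab=1']) {
  console.log(c, classify(c));
}
```

The broken value fails both rules: even with its query string removed it is a /v2/logout URL on the tenant host, not the allowlisted site. A bare `https://www.someurl.com?tab=1` shows the difference between the endpoints: it passes the query-insensitive rule but fails the exact-match rule, which is why a returnTo that picks up parameters breaks only once /oidc/logout is in play.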

Solution

The code below is an example of the issue (the handler is assumed to sit inside the Auth0 SDK's handleAuth() call, which the original fragment does not show):

```javascript
// Assumed context, not shown in the original fragment: these handlers are
// passed to the Auth0 Next.js SDK's handleAuth(), which also exports handleLogout.
import { handleAuth, handleLogout } from '@auth0/nextjs-auth0';

export default handleAuth({
  async logout(req, res) {
    try {
      // returnTo becomes a full /v2/logout URL with its own query string,
      // so it cannot match an entry in "Allowed Logout URLs" exactly.
      const logoutUrl = [
        `${process.env.AUTH0_ISSUER_BASE_URL}/v2/logout?`,
        `client_id=${process.env.AUTH0_CLIENT_ID}`,
        `&returnTo=${process.env.AUTH0_BASE_URL}`,
      ];
      await handleLogout(req, res, {
        returnTo: logoutUrl.join(''),
      });
    } catch (err) {
      res.status(err.status ?? 500).end(err.message);
    }
  },
  // other auth handlers
});
```

This caused the returnTo parameter to carry query parameters. They can be removed by changing the code, for example, to:

```javascript
// Assumed context, not shown in the original fragment: these handlers are
// passed to the Auth0 Next.js SDK's handleAuth(), which also exports handleLogout.
import { handleAuth, handleLogout } from '@auth0/nextjs-auth0';

export default handleAuth({
  async logout(req, res) {
    try {
      await handleLogout(req, res, {
        // Pass the bare base URL so it matches the allowlisted entry exactly.
        // This URL could also have been hardcoded.
        returnTo: process.env.AUTH0_BASE_URL,
      });
    } catch (err) {
      res.status(err.status ?? 500).end(err.message);
    }
  },
  // other auth handlers
});
```