Problem Statement
When logging out of an application, an ‘invalid_request’ error is thrown even though the URL value in the “returnTo” is already part of the Allowed Logout URLs in the application.
Symptoms
The error message takes this form:
invalid_request: The "returnTo" querystring parameter "[https://login.example.com"](https://login.example.com/)" is not defined as a valid URL in "Allowed Logout URLs".
Steps to Reproduce
Make a GET request to:
https://YOUR_DOMAIN/v2/logout?redirectTo={DESIRED_URL}
Troubleshooting
A HAR file of the logout flow will show the point at which this error is thrown.
Cause
The client ID was not explicitly given in the application code. As a result, the /logout endpoint could not determine from which application the user was attempting to logout from.
Solution
The issue can be fixed by including the client_id parameter in the string, as shown here:
https://YOUR_DOMAIN/v2/logout?returnTo=http%3A%2F%2Flocalhost%3A85&client_id=YOUR_CLIENT_ID
Related References