Workaround for oidc/logout Does Not Allow Query String Parameters to post_logout_redirect_uri

Overview

This article addresses a limitation of the oidc/logout endpoint: dynamic query parameters cannot be carried in post_logout_redirect_uri, even though the documentation suggests they can. The reason is that the value of post_logout_redirect_uri must exactly match an entry configured in the application's "Allowed Callback URLs" / "Post Logout Redirect URIs", and an entry cannot be pre-configured for a value that changes per request.

Applies To

  • OpenID Connect (OIDC)
  • Logout Flow

Cause

According to Add query string parameters to post_logout_redirect_uri, it appears that post_logout_redirect_uri should support query parameters. In practice, however, Auth0 compares the post_logout_redirect_uri sent in the request against the pre-configured "Allowed Callback URLs" and "Post Logout Redirect URIs" as a whole string, query string included. A dynamic value can therefore never match: if the application sends https://example.com/logout?myParam=1234, this does not exactly match a configured https://example.com/logout (nor a configured https://example.com/logout?myParam), and the redirect fails.

Solution

To resolve this issue, pass the dynamic information in the state parameter of the logout request instead. state is a separate request parameter rather than part of post_logout_redirect_uri, so it is not subject to the exact-match check; the provider treats it as opaque data and appends it unchanged to the redirect after logout. Because anyone can open the logout URL with an arbitrary state value, the application should treat the returned value as untrusted input: validate or verify it (for example, with a signature or a binding to the user's session) before acting on it, and never use it directly as a redirect target.

  1. In the application settings, add the base URI without any query parameters to the list of allowed Post Logout Redirect URIs: https://<example.com>/logout
  2. When initiating the logout process, construct the request to the OIDC provider's logout endpoint. This request must include the client_id, the post_logout_redirect_uri (the base URI from Step 1), and the state parameter carrying the desired dynamic value. For example: https://<oidc-provider.com>/oidc/logout?client_id=<client_id>&state=<dynamic_value>&post_logout_redirect_uri=https://<example.com>/logout
  3. The OIDC provider validates the base post_logout_redirect_uri against the allowed list. After a successful logout, the provider redirects the user to the configured URI and appends the state parameter from the original request. The final redirect URI will be: https://<example.com>/logout?state=<dynamic_value>

This allows the application to receive and process the dynamic value.