oxauth post logout URI

By: Ian Vogel user 13 Jun 2019 at 8:45 a.m. CDT

6 Responses
Ian Vogel gravatar
Hello, This is hopefully a simple question -- whenever I log out from oxauth, I get this page: {"error":"post_logout_uri_not_associated_with_client","error_description":"The provided post logout uri is not associated with client.","reason":"Session was removed successfully but redirect to post_logout_redirect_uri fails since AS failed to validate it against clients associated with session (which was just removed)."} This is after logging out from a session with an internal opendj user or a passport social user. Where can I change this post logout URI and what should it be? Thanks
CentOS 7.0
closed

Answers

By Michael Schwartz Account Admin 18 Jun 2019 at 2:06 a.m. CDT

Copy
Michael Schwartz gravatar
Logout URI's are associated with the client. Make sure the logout URI you are sending the user to is allowed for that client.

By Ian Vogel user 18 Jun 2019 at 3:21 a.m. CDT

Copy
Ian Vogel gravatar
Sorry, I might have confused the question by saying oxauth - I meant oxTrust. There's no other client in question here - this is oxTrust I'm referring to. I don't get this page for any SAML apps. I get this when logging out of oxtrust, with or without passport enabled. Where would the logout URL be configured for oxTrust and what is the default value? I don't remember changing anything but maybe I did...

By William Lowe user 18 Jun 2019 at 2:16 p.m. CDT

Copy
William Lowe gravatar
> Where would the logout URL be configured for oxTrust In the `oxTrust Admin GUI` client.

By Ian Vogel user 19 Jun 2019 at 11:44 a.m. CDT

Copy
Ian Vogel gravatar
Here's what I have: JSON Configuration -> oxTrust Configuration -> logoutRedirectUrl: https://____.com/identity/authentication/finishlogout Those are the default values as far as I know. Yet, when I log out of oxTrust, I get the error message in my original post. This is not using OpenID, OAuth, SAML, or any other apps - this is just login/logout of the oxTrust management page with the admin account. It's certainly possible that I've changed something, but I've exhausted searching in logs and I'm stumped.

By William Lowe user 19 Jun 2019 at 12:35 p.m. CDT

Copy
William Lowe gravatar
hmm no, oxtrust is using openid connect to leverage oxauth for login. Thats why when you login to oxTrust, you login through oxAuth. oxTrust is just a web app. The redirect URI should be set in the oxTrust client, as mentioned above. In oxTrust, go to OpenId Connect > Clients and find the client I mentioned above. Thats where you edit , not in the oxtrust config tab you're mentioning above. Although I can see how it's a little confusing.

By Ian Vogel user 19 Jun 2019 at 2:05 p.m. CDT

Copy
Ian Vogel gravatar
Oh right! Now all is clear. I didn't quite understand that about Gluu - I just skipped that section since I'm not using any outbound OpenID connections (or so I thought). Somehow one of my SAML logout URIs got added here, which is mysterious. I probably did it in CLI. Thanks very much for explaining that.

Post an answer