Does Okta support wildcards in post_logout_redirect_uris?

I see there’s a checkbox (Allow wildcard * in login URI redirect) for enabling wildcards in redirect_uris, but I don’t see one that applies to logout urls.

I’m running into an issue where I have about 4000 logout urls and I’m running against okta limits. Any help would be really appreciated 🙂

No, at this time Okta only supports wildcards for Sign-in redirect URIs, but not post logout redirect URIs.

Would you be able to redirect your users to a single post_logout_redirect_uri (configured as allowed within Okta) and then redirect them out from there to the desired target URL?

Hey Andrea, thank you for your response.

We could make this work if there was a way for us to pass in the final logout url as a parameter in post_logout_redirect_uri. Do you know if that’s possible? So far, it seems like the logout url is an exact match so I can’t really do something like “post_logout_redirect_uri=http://localhost:3000/auth/oauth2/logout_redirect?returnTo=http://localhost:4000/”

Hm, I don’t think that’s going to work as, like you said, the full post_logout_redirect_uri would need to be allowlisted within Okta.

What about storing that final url within a cookie/local storage? This is similar to how our AuthJS SDK facilitates redirecting to a target url from the callback/redirect_uri.
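One way to build the single-landing-page approach suggested above, as an added example that is not Okta's SDK code: the final target is stashed in browser storage before calling Okta's /logout, and the one allowlisted post_logout_redirect_uri page reads it back, validating it against an explicit origin allowlist so the landing page cannot be abused as an open redirector. The function names, storage key and allowed origins are assumptions.

```javascript
// Added example, not Okta's SDK code: one allowlisted post_logout_redirect_uri
// landing page forwards to a final URL stashed before logout, validated so the
// landing page is not an open redirector. Names/origins below are assumptions.
const KEY = "postLogoutReturnTo";
const ALLOWED_ORIGINS = new Set(["http://localhost:4000", "https://app.example.com"]);

// Normalized URL string if target is absolute http(s) on an allowlisted origin, else null.
function validateReturnTo(target, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof target !== "string" || target.length > 2048) return null;
  let url;
  try {
    url = new URL(target); // throws on relative or malformed values
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!allowedOrigins.has(url.origin)) return null;
  return url.href;
}

// Before sending the browser to Okta's /logout: store the final target (only if valid).
// storage is sessionStorage in a browser; any object with get/set/removeItem works.
function stashReturnTo(storage, target, allowedOrigins = ALLOWED_ORIGINS) {
  const href = validateReturnTo(target, allowedOrigins);
  if (href === null) return false;
  storage.setItem(KEY, href);
  return true;
}

// On the single allowlisted post_logout_redirect_uri page: pop the stored target
// (one-shot, so a stale value is never reused) and return where to send the user.
function consumeReturnTo(storage, fallback, allowedOrigins = ALLOWED_ORIGINS) {
  const stored = storage.getItem(KEY);
  storage.removeItem(KEY);
  return validateReturnTo(stored, allowedOrigins) ?? fallback;
}

// In-memory stand-in for sessionStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser, pass `window.sessionStorage` as `storage` and call `window.location.replace(consumeReturnTo(...))` on the landing page; the allowlist check matters because the stored value is attacker-writable from any script running on the same origin.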

So, “undocumented feature” I just discovered.
Logging out with https://{okta-domain}/login/signout?fromURI={logout_url} seems to relax the exact match requirement for logout url; meaning I can pass in the final redirect url as a parameter to logout_url. I just had to make sure and add the logout url to the trusted origins with redirect.

Logging out with https://{okta-domain}/oauth2/default/v1/logout?id_token_hint={token}&post_logout_redirect_uri={logout_url} seems to use strict match against the logout url.

Does this make sense?

That /login/signout endpoint is generic and as you saw, the fromURI provided just needs to have its domain in Trusted Origins.

I should note that this endpoint is, as you say, not documented, so its behavior could change at any time without notice. We always recommend that OpenID Connect applications use the /logout endpoint instead as per spec.
