-
It is enforced to protect against XSRF; you can make an exception with |
-
I have a gateway (reverse proxy) server fronting a number of applications all protected by mod_auth_openidc and Keycloak. When the user logs out from one of those applications, they are redirected to /redirect_uri?logout=<logout_landing_page> so that when logout is complete, they end up on the logout_landing_page. It appears that the logout_landing_page URL must have the same host name as the request.
In my use-case, the logout_landing_page is the same regardless of which application the user logged out from. So I wanted to host that page on the gateway server, https://gateway-server/static/auth/logged_out.html. But because of the same host name restriction, it would have to be https://vhost/static/auth/logged_out.html. I could put a redirect in each of the vhosts to work around this, but I'd rather not.
I'm wondering why this same host name restriction is enforced for the logged out page URL.