IDP logout customizations

Cantor, Scott cantor.2 at
Thu Apr 4 20:43:28 EDT 2019

On 4/4/19, 5:16 PM, "users on behalf of Liam Hoekenga" <users-bounces at on behalf of liamr at> wrote:

> if service provided a redirect URL, send the user to that location

That's asking for an open redirector from the most sensitive system you have. How would you control what URLs were "acceptable" to land on? That's why the protocol is designed the way it is, and doesn't accommodate that sort of thing.

-- Scott

More information about the users mailing list