fix: check for native logout redirect allowed same way as during auth

panva · panva · commit 419f286529fd · 2025-08-23T10:05:20.000+02:00
resolves: #1351
diff --git a/lib/models/client.js b/lib/models/client.js
@@ -428,11 +428,11 @@ export default function getClient(provider) {
       return this.grantTypes.includes(type);
     }
 
-    redirectUriAllowed(value) {
+    #redirectAllowed(value, allowedUris) {
       const parsed = URL.parse(value);
       if (!parsed) return false;
 
-      const match = this.redirectUris.find((allowed) => URL.parse(allowed)?.href === parsed.href);
+      const match = allowedUris.find((allowed) => URL.parse(allowed)?.href === parsed.href);
       if (
         !!match
         || this.applicationType !== 'native'
@@ -444,7 +444,7 @@ export default function getClient(provider) {
 
       parsed.port = '';
 
-      return !!this.redirectUris
+      return !!allowedUris
         .find((allowed) => {
           const registered = URL.parse(allowed);
           if (!registered) return false;
@@ -453,11 +453,12 @@ export default function getClient(provider) {
         });
     }
 
+    redirectUriAllowed(value) {
+      return this.#redirectAllowed(value, this.redirectUris);
+    }
+
     postLogoutRedirectUriAllowed(value) {
-      const parsed = URL.parse(value);
-      if (!parsed) return false;
-      return !!this.postLogoutRedirectUris
-        .find((allowed) => URL.parse(allowed)?.href === parsed.href);
+      return this.#redirectAllowed(value, this.postLogoutRedirectUris);
     }
 
     static async validate(metadata) {
diff --git a/test/oauth_native_apps/oauth_native_apps.test.js b/test/oauth_native_apps/oauth_native_apps.test.js
@@ -74,10 +74,14 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://127.0.0.1:2355/op/callback'],
+          post_logout_redirect_uris: ['http://127.0.0.1:2355/op/logout'],
         }).then((client) => {
           expect(client.redirectUriAllowed('http:')).to.be.false;
           expect(client.redirectUriAllowed('http://127.0.0.')).to.be.false;
           expect(client.redirectUriAllowed('http://127.0.0.1::')).to.be.false;
+          expect(client.postLogoutRedirectUriAllowed('http:')).to.be.false;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.')).to.be.false;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1::')).to.be.false;
         });
       });
 
@@ -89,13 +93,21 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://localhost:2355/op/callback'],
+          post_logout_redirect_uris: ['http://localhost:2355/op/logout'],
         }).then((client) => {
           expect(client.redirectUris).to.contain('http://localhost:2355/op/callback');
           expect(client.redirectUriAllowed('http://localhost/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:80/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:443/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:2355/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:8888/op/callback')).to.be.true;
+
+          expect(client.postLogoutRedirectUris).to.contain('http://localhost:2355/op/logout');
+          expect(client.postLogoutRedirectUriAllowed('http://localhost/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:80/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:443/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:2355/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:8888/op/logout')).to.be.true;
         });
       });
 
@@ -107,13 +119,21 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://localhost/op/callback'],
+          post_logout_redirect_uris: ['http://localhost/op/logout'],
         }).then((client) => {
           expect(client.redirectUris).to.contain('http://localhost/op/callback');
           expect(client.redirectUriAllowed('http://localhost/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:80/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:443/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:2355/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://localhost:8888/op/callback')).to.be.true;
+
+          expect(client.postLogoutRedirectUris).to.contain('http://localhost/op/logout');
+          expect(client.postLogoutRedirectUriAllowed('http://localhost/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:80/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:443/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:2355/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://localhost:8888/op/logout')).to.be.true;
         });
       });
 
@@ -125,13 +145,21 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://127.0.0.1:2355/op/callback'],
+          post_logout_redirect_uris: ['http://127.0.0.1:2355/op/logout'],
         }).then((client) => {
           expect(client.redirectUris).to.contain('http://127.0.0.1:2355/op/callback');
           expect(client.redirectUriAllowed('http://127.0.0.1/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:80/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:443/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:2355/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:8888/op/callback')).to.be.true;
+
+          expect(client.postLogoutRedirectUris).to.contain('http://127.0.0.1:2355/op/logout');
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:80/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:443/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:2355/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:8888/op/logout')).to.be.true;
         });
       });
 
@@ -143,13 +171,21 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://127.0.0.1/op/callback'],
+          post_logout_redirect_uris: ['http://127.0.0.1/op/logout'],
         }).then((client) => {
           expect(client.redirectUris).to.contain('http://127.0.0.1/op/callback');
           expect(client.redirectUriAllowed('http://127.0.0.1/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:80/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:443/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:2355/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://127.0.0.1:8888/op/callback')).to.be.true;
+
+          expect(client.postLogoutRedirectUris).to.contain('http://127.0.0.1/op/logout');
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:80/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:443/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:2355/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://127.0.0.1:8888/op/logout')).to.be.true;
         });
       });
 
@@ -161,13 +197,21 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://[::1]:2355/op/callback'],
+          post_logout_redirect_uris: ['http://[::1]:2355/op/logout'],
         }).then((client) => {
           expect(client.redirectUris).to.contain('http://[::1]:2355/op/callback');
           expect(client.redirectUriAllowed('http://[::1]/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:80/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:443/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:2355/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:8888/op/callback')).to.be.true;
+
+          expect(client.postLogoutRedirectUris).to.contain('http://[::1]:2355/op/logout');
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:80/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:443/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:2355/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:8888/op/logout')).to.be.true;
         });
       });
 
@@ -179,17 +223,25 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           response_types: ['id_token'],
           token_endpoint_auth_method: 'none',
           redirect_uris: ['http://[::1]/op/callback'],
+          post_logout_redirect_uris: ['http://[::1]/op/logout'],
         }).then((client) => {
           expect(client.redirectUris).to.contain('http://[::1]/op/callback');
           expect(client.redirectUriAllowed('http://[::1]/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:80/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:443/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:2355/op/callback')).to.be.true;
           expect(client.redirectUriAllowed('http://[::1]:8888/op/callback')).to.be.true;
+
+          expect(client.postLogoutRedirectUris).to.contain('http://[::1]/op/logout');
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:80/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:443/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:2355/op/logout')).to.be.true;
+          expect(client.postLogoutRedirectUriAllowed('http://[::1]:8888/op/logout')).to.be.true;
         });
       });
 
-      it('rejects http protocol uris not using loopback uris', function () {
+      it('rejects http protocol redirect_uris not using loopback uris', function () {
         return assert.rejects(addClient(this.provider, {
           application_type: 'native',
           client_id: 'native-custom',
@@ -203,6 +255,22 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
           return true;
         });
       });
+
+      it('rejects http protocol post_logout_redirect_uris not using loopback uris', function () {
+        return assert.rejects(addClient(this.provider, {
+          application_type: 'native',
+          client_id: 'native-custom',
+          grant_types: ['implicit'],
+          response_types: ['id_token'],
+          token_endpoint_auth_method: 'none',
+          redirect_uris: ['http://[::1]/op/callback'],
+          post_logout_redirect_uris: ['http://rp.example.com/op/logout'],
+        }), (err) => {
+          expect(err).to.have.property('message', 'invalid_client_metadata');
+          expect(err).to.have.property('error_description', 'post_logout_redirect_uris for native clients using http as a protocol can only use loopback addresses as hostnames');
+          return true;
+        });
+      });
     });
   });
 });
