How to set post_logout_redirect_uris in inrupt's solid_client_auth_browser libraries

I’m trying to implement the IDP logout using Inrupt’s javascript authn libraries. I’d like, following logout from the IDP, to be redirected back to a certain page in my app. I’m trying to use the postLogoutUrl option of the session.logout function to do this. However, whenever I do so, I get a 400 bad request error from the server. In my dev server’s logs (CSS) I have a message:
[IdentityProviderFactory] {Primary} warn: OIDC request failed: invalid_request - post_logout_redirect_uri not registered

I imagine this is happening because I do not have the “post_logout_redirect_uris” field properly set on my client ID document. However, that document is entirely managed by inrupt libraries, and I’m not sure how to set that field on the document. The login functions don’t seem to have such an option. Does anyone know how I can set these values?

Or more broadly how to redirect back to my app after logout?

However, that document is entirely managed by inrupt libraries, and I’m not sure how to set that field on the document. The login functions don’t seem to have such an option. Does anyone know how I can set these values?

This document is not managed by the Inrupt libraries, instead you need to generate this document yourself and host it from your application. To learn about Client ID Documents I suggest reading Appendix: Client ID Document (Browser & Node.JS) — Inrupt JavaScript Client Libraries. You can use Client Identifier Helper to assist in generating the Client ID document for your application.

I suspect your application currently performs dynamic registration in which there is no Client ID Document involved - instead your application is just assigned a non-dereferenceable ClientID (and thus has no associated Client ID Document).

3 Likes

However, since you are using CSS, the relevant question is - is CSS able to respond in the same way that ESS responds. AFAIK, CSS does not have a concept of ClientId, so this may be a red herring for you. If I’m wrong about CSS, someone please tell me -).

1 Like

CSS now supports ACP and hence I’m fairly sure would support ClientID’s (I can see references to ClientID’s in the code Code search results · GitHub).

This is a good point to bring up @jeffz - as one indeed needs to make sure that the CSS configuration you’re using has ACP enabled instead of WAC.

3 Likes

Oh, fantastic, I wasn’t aware of that. Great news for interoperability.

Ah that’s correct. Our app is using the dynamic registration. My bad

So is it the case that there is NO way to implement this feature with dynamic registration in the app?

Our app MUST declare and host a Client ID document in order to enable this feature?

Our app MUST declare and host a Client ID document in order to enable this feature?

Yes - that is correct.

This is because the OpenID specification (Final: OpenID Connect RP-Initiated Logout 1.0) requires applications to register the set of post_logout_redirect_uris during login (using the Client ID document) for security purposes.

1 Like

If you store something in the browser's localstorage you can track there what stage of the process you're in and if your page load checks there and does different stuff for different findings, I think you can kludge a way to redirect after the logout.

@jeffz - whether you can do this would depend on whether you’re doing IDP logout or not.

In the case of IDP logout as described in solid-client-authn-js/packages/browser/src/Session.ts at 2cfca75da525b904def9f0f9393d0e14d96c526a · inrupt/solid-client-authn-js · GitHub; you are redirected to the Solid Server as part of the logout process - you will stay on the server's logout page unless you have provided a post_logout_redirect_uri. Since you are not on your application's page at this point in time - there is no way of controlling the flow to redirect back to your application.

In the case of app only logout your application will remain in context and thus could redirect as it likes.

2 Likes

To summarise above:

  • If you’re performing app logout, you never redirect away from your application - so you can control where it redirects to.
  • If you’re performing IDP logout then you will need
    • A server implementing ACP, in the case of CSS make sure you’re using an ACP configuration
    • Your application to have a ClientID Document which contains the post_logout_redirect_uris you want to use
2 Likes
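
The following is an added example, not part of any post in this thread and not Inrupt's code: a constructed Client ID Document for a hypothetical app at https://app.example, plus a pre-flight check that the URL you intend to pass as postLogoutUrl is listed in post_logout_redirect_uris. The names `clientIdDocument`, `loose` and `checkPostLogoutUrl` are hypothetical, and the exact-string comparison is an assumption about how the server matches the registered values.

```javascript
// Constructed Client ID Document for a hypothetical app at https://app.example.
// The app serves this JSON itself at the URL given in client_id.
const clientIdDocument = {
  "@context": ["https://www.w3.org/ns/solid/oidc-context.jsonld"],
  client_id: "https://app.example/clientid.jsonld",
  client_name: "Example App",
  redirect_uris: ["https://app.example/callback"],
  post_logout_redirect_uris: ["https://app.example/", "https://app.example/goodbye"],
  grant_types: ["authorization_code", "refresh_token"],
  response_types: ["code"],
  scope: "openid webid offline_access",
  token_endpoint_auth_method: "none",
};

// Normalise a URL and drop trailing slashes; used only to report near misses.
function loose(url) {
  try {
    return new URL(url).href.replace(/\/+$/, "");
  } catch {
    return null;
  }
}

// Returns a list of problems; an empty list means the URL is registered.
// Assumption: the server accepts a post-logout URL only on an exact string match.
function checkPostLogoutUrl(doc, postLogoutUrl) {
  const problems = [];
  if (!/^https?:\/\//.test(String(doc.client_id))) {
    problems.push("client_id is not a dereferenceable http(s) URL");
  }
  const registered = doc.post_logout_redirect_uris;
  if (!Array.isArray(registered) || registered.length === 0) {
    problems.push("post_logout_redirect_uris is missing or empty");
  } else if (!registered.includes(postLogoutUrl)) {
    const wanted = loose(postLogoutUrl);
    const near = registered.find((u) => wanted !== null && loose(u) === wanted);
    problems.push(near ? `not registered; near miss of "${near}"` : "not registered");
  }
  return problems;
}

// With the document hosted, the app passes clientIdDocument.client_id as its
// client identifier at login and the checked URL as postLogoutUrl at logout.
```

An opaque identifier assigned by dynamic registration fails the first check, which is the situation the 400 response in this thread came from.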

Ok that makes sense to me. I should be able to resolve this issue now. Thanks everyone!

How is ClientID and ACP related? I thought it didn’t matter for ClientID which access control method was used.

How is ClientID and ACP related?

Good point @mrkvon - now that I think about it you can have servers that support static client registration & IDP logout without needing to implement ACP.

What was in my head at the time is that servers implementing ACP need to support client matchers and so need to have some level of infrastructure for statically registered client identifiers. And it happens to be the case for CSS that this functionality was added at the same time as ACP as far as I can tell.

1 Like