Hi,

- The `frontchannel_logout_uri`, defined on https://openid.net/specs/openid-connect-frontchannel-1_0.html, requires the "domain, port, and scheme of this URL MUST be the same as that of a registered Redirection URI value". This is understandable, because this URI is used to control the front-channel, i.e., the user's browser.
- However, I could not find a similar requirement for the URIs in `post_logout_redirect_uris` (defined in https://openid.net/specs/openid-connect-session-1_0.html).

Question 1: Does the sentence "same as that of a registered Redirection URI value" refer to exactly the registered `redirect_uris`?

Question 2: If so, shouldn't the URIs in `post_logout_redirect_uris` also be subject to the same requirements?

Thanks,
Pedro
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
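The scheme/domain/port comparison quoted in the message above, sketched as a registration-time check. This is an added example, not part of the original message or of any OpenID specification text. It assumes "registered Redirection URI value" means an entry in `redirect_uris`, and it runs the same comparison over `post_logout_redirect_uris` only as a local policy choice, which the message notes the Session Management spec does not state. The function names and the sample metadata are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(uri):
    """Return (scheme, host, port) for an absolute URI, or None if it has no host.

    Scheme and host are lower-cased and a missing port is replaced by the
    scheme default, so https://RP.example.com:443 equals https://rp.example.com.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit; None if absent
    if not scheme or not host:
        return None  # e.g. a private-use scheme such as com.example.app:/cb
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def check_logout_uris(metadata):
    """Return (field, uri) pairs whose origin matches no redirect_uris entry."""
    allowed = {origin(u) for u in metadata.get("redirect_uris", [])}
    allowed.discard(None)  # host-less redirect URIs cannot vouch for an origin

    candidates = []
    if "frontchannel_logout_uri" in metadata:
        candidates.append(("frontchannel_logout_uri",
                           metadata["frontchannel_logout_uri"]))
    # Assumption: local policy, not a requirement stated by the spec.
    for uri in metadata.get("post_logout_redirect_uris", []):
        candidates.append(("post_logout_redirect_uris", uri))

    return [(field, uri) for field, uri in candidates
            if origin(uri) not in allowed]


# Constructed client metadata for illustration.
SAMPLE = {
    "redirect_uris": ["https://rp.example.com/cb"],
    "frontchannel_logout_uri": "https://RP.example.com:443/logout",
    "post_logout_redirect_uris": [
        "https://rp.example.com/bye",      # same origin as redirect_uris[0]
        "https://other.example.net/bye",   # different domain
        "http://rp.example.com/bye",       # different scheme and port
    ],
}

if __name__ == "__main__":
    for field, uri in check_logout_uris(SAMPLE):
        print(f"origin mismatch in {field}: {uri}")
```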
