Hello Issaka,

thanks for sharing the script. I can't see a relation to the reported 
problem though. Why does the script remove "logoutRedirectUrl" from the 
flowScope when "service" is not present (while 
DefaultLogoutRedirectionStrategy 
<https://github.com/apereo/cas/blob/v7.3.0/core/cas-server-core-logout-api/src/main/java/org/apereo/cas/logout/DefaultLogoutRedirectionStrategy.java>
reads the logout URL from CAS properties, not from flowScope)? And how do you 
tell CAS to use this script?

Best regards
Petr
On Thursday, 20 November 2025 at 15:36:51 UTC+1 Issaka Rabo Moutari wrote:

> Hello team, I came across this bug and developed a Groovy script as a 
> solution. I'm sharing it with you in case it might be helpful to others!
>
> import org.apereo.cas.web.support.WebUtils
> import org.springframework.webflow.execution.Event
>
> Object run(Object... args) {
>     def context = args[0]
>     def logger = args[1]
>
>     // Read the "service" parameter from the incoming logout request
>     def httpRequest = WebUtils.getHttpServletRequestFromExternalWebflowContext(context)
>     def service = httpRequest.getParameter("service")
>
>     def flowScope = context.flowScope
>
>     logger.info("Custom logout interceptor. Incoming service = ${service}")
>
>     if (!service) {
>         // Remove the redirect URL
>         if (flowScope.contains("logoutRedirectUrl")) {
>             flowScope.remove("logoutRedirectUrl")
>         }
>     }
>
>     return new Event(this, "success")
> }
> On Wednesday, 15 October 2025 at 14:32:04 UTC+1, Petr Bodnár wrote:
>
>> Hello,
>>
>> we have found several surprising issues/bugs in the CAS class 
>> DefaultLogoutRedirectionStrategy 
>> <https://github.com/apereo/cas/blob/v7.3.0/core/cas-server-core-logout-api/src/main/java/org/apereo/cas/logout/DefaultLogoutRedirectionStrategy.java>
>> in relation to the CAS setting "cas.view.default-redirect-url", i.e. 
>> the default login/logout URL. These probably go back to CAS version 6.x.
>>
>> One of the issues is that due to the logic in this class, CAS ignores the 
>> *post_logout_redirect_uri* request parameter *when a default 
>> login/logout URL is set in CAS properties*.
>>
>> For now, we have fixed this issue with OIDC (and possibly also with other 
>> logout flows - see all the usages of *putLogoutRedirectUrl(final 
>> HttpServletRequest request, final String service)*) by simply moving the 
>> class's code which reads and uses the variable 
>> *authorizedRedirectUrlFromRequest* to the very beginning of the method.
>>
>> Anyone else facing a similar issue? And while the fix seems 100% logical, 
>> maybe we have overlooked something?
>>
>> Best regards
>> Petr
>>
>
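
The ordering problem described in the oldest quoted message, as an added example: a simplified Java model, not code from CAS or from either poster. The class and method names, the sample URLs and the exact-match registration check standing in for "authorized" are assumptions made for this example.

```java
import java.util.Optional;
import java.util.Set;

// Simplified model of the evaluation order only; not the CAS implementation.
public class LogoutRedirectOrder {
    // Constructed sample values (assumptions for this example).
    static final String DEFAULT_URL = "https://portal.example.org/";
    static final Set<String> REGISTERED = Set.of("https://app.example.org/signed-out");

    // Hypothetical stand-in for the authorization step: exact match against registered URLs.
    static Optional<String> authorized(String requested) {
        return Optional.ofNullable(requested).filter(REGISTERED::contains);
    }

    static boolean isSet(String url) {
        return url != null && !url.isBlank();
    }

    // Order reported as the problem: a configured default wins before the
    // request value is even looked at, so post_logout_redirect_uri is ignored.
    static String defaultFirst(String requested, String defaultUrl) {
        if (isSet(defaultUrl)) {
            return defaultUrl;
        }
        return authorized(requested).orElse(null);
    }

    // Order reported as the fix: the authorized request value is evaluated first,
    // and the default remains the fallback for missing or unauthorized values.
    static String requestFirst(String requested, String defaultUrl) {
        return authorized(requested).orElse(isSet(defaultUrl) ? defaultUrl : null);
    }

    public static void main(String[] args) {
        String[] cases = {
            "https://app.example.org/signed-out",   // registered
            "https://unregistered.example.net/",    // not registered
            null                                    // parameter absent
        };
        for (String requested : cases) {
            System.out.printf("requested=%s defaultFirst=%s requestFirst=%s%n",
                    requested,
                    defaultFirst(requested, DEFAULT_URL),
                    requestFirst(requested, DEFAULT_URL));
        }
    }
}
```

Only the registered value changes outcome between the two orders; an unregistered or absent value still resolves to the default, so moving the check earlier does not by itself widen where users can be redirected.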
