Thanks, Ray, for the quick response! I was more looking to see if anyone had advice on a better solution to the issue. I'm not sure whether my approach is a misuse of the callbackAuthorize endpoint.
Writing a comprehensive functional test for this seems challenging, due to Puppeteer's limitations around custom URL schemes. Instead, I've written a negative test to check that the custom URL scheme isn't treated as a relative path. In any case, I've opened a couple of PRs with this work: #8402 <https://github.com/apereo/cas/pull/8402> for the master branch, and #8403 <https://github.com/apereo/cas/pull/8403> for the 7.3.x branch. Happy to discuss these changes either here or on those PRs!

Thanks,

Jed Liu
Software Engineer, eBird
Cornell Lab of Ornithology

On Tuesday, 3 February 2026 at 17:52:04 UTC-5 Ray Bon wrote:

> Jed,
>
> See https://apereo.github.io/cas/developer/Contributor-Guidelines.html
> You will need tests to go with your change (or update existing test). See https://github.com/apereo/cas/tree/master/ci for functional tests.
> Also check this blog, https://fawnoos.com/blog/
>
> Ray
>
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Jed Liu <[email protected]>
> *Sent:* February 3, 2026 11:39
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] OIDC post-logout redirects to custom URL schemes
>
> We're encountering an issue with OIDC post-logout redirects (i.e., the post_logout_redirect_uri query parameter to the oidcLogout <https://github.com/apereo/cas/blob/13e64b9eabfc8072985a2f3b6fab8785575a94fc/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointController.java#L84> endpoint). When the redirect is to a custom URL scheme, it's interpreted as a CAS-relative path. For example, a redirect intended for
> custom://post_logout_redirect_uri
> would instead go to
> https://localhost:8443/cas/custom://post_logout_redirect_uri.
>
> In our CAS deployment, we've implemented a workaround, where we've overridden OidcLogoutEndpointController.executeLogoutRedirect <https://github.com/apereo/cas/blob/13e64b9eabfc8072985a2f3b6fab8785575a94fc/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointController.java#L176> to send the redirect via CAS's OAuth2 callbackAuthorize <https://github.com/apereo/cas/blob/13e64b9eabfc8072985a2f3b6fab8785575a94fc/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/endpoints/OAuth20CallbackAuthorizeEndpointController.java#L45-L47> endpoint. We'd like to contribute a proper fix back to CAS, but we're not sure what the preferred approach is. Any advice would be appreciated.
>
> Thanks!
>
> Jed Liu
> Software Engineer, eBird
> Cornell Lab of Ornithology

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/388e6354-6ec1-465f-9a00-04e652680e42n%40apereo.org.
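As an added illustration (not code from the thread, the PRs or CAS itself), the Java sketch below contrasts a hypothetical http-only scheme check, which reproduces the redirect to https://localhost:8443/cas/custom://post_logout_redirect_uri described in the quoted message, with a scheme-agnostic check that also requires an exact match against registered values. The class and method names, `CAS_PREFIX` and the `REGISTERED` set are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;
import java.util.Set;

public final class PostLogoutRedirectCheck {
    // Constructed sample values; a real deployment reads these from the client's registration.
    static final String CAS_PREFIX = "https://localhost:8443/cas/";
    static final Set<String> REGISTERED = Set.of(
            "custom://post_logout_redirect_uri",
            "https://app.example.org/logged-out");

    // Hypothetical check, not CAS's code: anything that is not http(s) is taken
    // to be a path under the server, which reproduces the symptom in the thread.
    static String naiveLocation(String requested) {
        return requested.startsWith("http://") || requested.startsWith("https://")
                ? requested : CAS_PREFIX + requested;
    }

    // Scheme-agnostic check: the target must parse, carry a scheme (an absolute
    // URI in RFC 3986 terms) and equal a registered value exactly.
    static Optional<String> safeLocation(String requested) {
        if (requested == null || requested.isBlank()) {
            return Optional.empty();
        }
        try {
            URI uri = new URI(requested);
            if (!uri.isAbsolute() || !REGISTERED.contains(requested)) {
                return Optional.empty();
            }
            return Optional.of(uri.toString());
        } catch (URISyntaxException e) {
            return Optional.empty(); // unparseable input is never redirected to
        }
    }

    public static void main(String[] args) {
        List<String> candidates = List.of(
                "custom://post_logout_redirect_uri",   // registered custom scheme
                "custom://unregistered",               // absolute but not registered
                "logged-out");                         // relative reference
        for (String c : candidates) {
            System.out.println(c + "\n  naive: " + naiveLocation(c)
                    + "\n  safe:  " + safeLocation(c).orElse("(rejected)"));
        }
    }
}
```

Keeping the exact-match step matters once non-http schemes are accepted, because a custom scheme hands control to whichever application has registered it on the device.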
