The return URL (https://application-test.ab.app/logged-out in this case) must be registered in the PostLogoutRedirectUris column of your OpenIddictApplications table — otherwise, the redirect won’t be accepted.
Here in your example the url is the application url. Did you mean the auth-server url? And is the correct url in the auth server Account/logout? Or do you mean that I first redirect with the postlogouturl and I also add some other returnurl, so that after the user is directed to Account/Logout the user is also redirected to the logged-out url in my application? I'm a little bit confused about how this should be configured. And what makes the auth server forget __tenant?
My logout button is using import { AuthService } from '@abp/ng.core'; authService.logout().subscribe();
Thank you for your suggestion. So in option 1 do I need to configure a post logout url which goes into the OpenIddictApplications table's PostLogoutRedirectUris column? And are you talking about this, where I need to configure the redirect uri? https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my application's logged-out path as the post logout redirect uri, I set the auth server's /Account/Logout to the same redirect path?
So we need to take the auth code into our repo. We have tried to avoid that to ease version upgrades. But maybe this is only a temporary solution, and after we update to 9 that fix is already there and we can remove our custom code. What is the minimum amount of code/modules we need to take and override? Do we need to override only the login and registration pages, and is it possible to override only them and not take the whole auth server code base?
So when is this going to be fixed? And is the change coming only to version 9 or also to version 8? And how big a security risk do you think this is? Because from my perspective it is quite big.
Yes, but still the user can first select his own tenant where he/she has permission to log in. Then after that login the user changes to another tenant and goes to the wrong tenant where he was not authorized.
If the user changes tenant to another one before login, then he cannot even log in to the third-party auth provider and there is no problem.
Yep, that is what it should be: the user can change before login, but after the user has logged in to the third party (Microsoft) the user should to be able to change tenant. When are you going to change this? Because this is quite a big security risk.
May I add that I get those errors only when running the project locally with ng serve. When I publish my project to the server there are no errors in the console.
But if you change tenant to another one before login, it uses that user's external login settings where the user has no permissions. But in my described scenario the user selects his own tenant where he/she hasn't yet registered and logs in using that tenant's external login settings. After the external login, where the user has been verified by its own tenant's settings, the user can change to another tenant and register himself to that tenant without any verification that the user has rights to that tenant. Other tenant names can be guessed quite easily because in our company we have many reference customers on our website where a user can find company names.
Or is there a possibility to always forget the selected tenant?
We don't yet have those login and register codes loaded and would like to keep it that way. So is there any configuration possibility, like postLogoutUrl or something? There are two levels of post logout urls, for example: there is configuration on the Angular side and then there is the same kind of setting in Azure Entra ID. Currently I don't set a post logout url, but what should it be, or is there any difference?