Skip to main content

BackChannelLogoutUriValidator Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.DynamicClientManagement.Validation

BackChannelLogoutUriValidator Class

Validates the OIDC Back-Channel Logout 1.0 backchannel_logout_uri: when supplied it must be an absolute URI that the server is permitted to fetch under the active SSRF policy (SecureHttpFetchOptions). Because the OP itself POSTs the logout token to this endpoint, rejecting an internal/loopback or disallowed-scheme target at registration stops a registered client from becoming a (blind) SSRF vector and surfaces the problem to the caller up front rather than as a silent delivery failure at logout time. The outbound handler still re-validates at request time.

public class BackChannelLogoutUriValidator : Abblix.Oidc.Server.Endpoints.DynamicClientManagement.Validation.SyncClientRegistrationContextValidator

Inheritance System.ObjectSyncClientRegistrationContextValidator → BackChannelLogoutUriValidator

Constructors

BackChannelLogoutUriValidator(ISecureUriValidator) Constructor

Validates the OIDC Back-Channel Logout 1.0 backchannel_logout_uri: when supplied it must be an absolute URI that the server is permitted to fetch under the active SSRF policy (SecureHttpFetchOptions). Because the OP itself POSTs the logout token to this endpoint, rejecting an internal/loopback or disallowed-scheme target at registration stops a registered client from becoming a (blind) SSRF vector and surfaces the problem to the caller up front rather than as a silent delivery failure at logout time. The outbound handler still re-validates at request time.

public BackChannelLogoutUriValidator(Abblix.Oidc.Server.Features.SecureHttpFetch.ISecureUriValidator uriValidator);

Parameters

uriValidator ISecureUriValidator

The shared SSRF URI policy used by the outbound HTTP handler.