BackChannelLogoutUriValidator Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.DynamicClientManagement.Validation
BackChannelLogoutUriValidator Class
Validates the OIDC Back-Channel Logout 1.0 backchannel_logout_uri: when supplied it must be an
absolute URI that the server is permitted to fetch under the active SSRF policy
(SecureHttpFetchOptions). Because the OP itself POSTs the logout token to this endpoint,
rejecting an internal/loopback or disallowed-scheme target at registration stops a registered client
from becoming a (blind) SSRF vector and surfaces the problem to the caller up front rather than as a
silent delivery failure at logout time. The outbound handler still re-validates at request time.
public class BackChannelLogoutUriValidator : Abblix.Oidc.Server.Endpoints.DynamicClientManagement.Validation.SyncClientRegistrationContextValidator
Inheritance System.Object → SyncClientRegistrationContextValidator → BackChannelLogoutUriValidator
Constructors
BackChannelLogoutUriValidator(ISecureUriValidator) Constructor
Validates the OIDC Back-Channel Logout 1.0 backchannel_logout_uri: when supplied it must be an
absolute URI that the server is permitted to fetch under the active SSRF policy
(SecureHttpFetchOptions). Because the OP itself POSTs the logout token to this endpoint,
rejecting an internal/loopback or disallowed-scheme target at registration stops a registered client
from becoming a (blind) SSRF vector and surfaces the problem to the caller up front rather than as a
silent delivery failure at logout time. The outbound handler still re-validates at request time.
public BackChannelLogoutUriValidator(Abblix.Oidc.Server.Features.SecureHttpFetch.ISecureUriValidator uriValidator);
Parameters
uriValidator ISecureUriValidator
The shared SSRF URI policy used by the outbound HTTP handler.