403 Forbidden error on logout redirect
Hello Kinde Support,
I’m implementing OpenID Connect authentication in an ASP.NET Core (Blazor Server) application using the standard logout flow (/logout → signout-callback-oidc).
Login works as expected, but when triggering the logout I get redirected to:
https://<my-org>.kinde.com/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7079%2Fsignout-callback-oidc&id_token_hint=...
and receive a 403 Forbidden response.
In the application settings I’ve already added the following URLs to Allowed Logout Redirect URLs:
• https://localhost:7079/signout-callback-oidc
• https://mydomain.com/signout-callback-oidc
However, I still get the 403 error.
Could you please confirm if there are any additional settings required to accept the post_logout_redirect_uri in the logout flow?
Thank you for your support,
Guilherme
Hi Guilherme,
Hope you are having a great weekend.
The 403 Forbidden error when using the post_logout_redirect_uri in the logout flow usually indicates that the provided redirect URI is not exactly matching what is registered in your Kinde application's Allowed logout redirect URLs list. Here are the key things to check:
1. Exact String Match: The post_logout_redirect_uri parameter in the logout request must match exactly (character-for-character, including protocol, port, and path) with one of the URLs listed in your application's Allowed logout redirect URLs in Kinde.
2. No Trailing Spaces: Ensure there are no leading or trailing spaces in your registered URLs in the Kinde dashboard.
3. Protocol and Port: If your app runs on https://localhost:7079, the registered URL must include both the protocol (`https`) and the port (`7079`). For example: https://localhost:7079/signout-callback-oidc
4. Multiple Environments: If you use different URLs for local development and production, ensure both are present and correct in the Allowed logout redirect URLs.
5. Case Sensitivity: URL matching is case-sensitive. Make sure the casing matches exactly.
Additional Notes:
- No extra configuration is required beyond what is described above for logout redirect URLs. There are no hidden or undocumented settings—just ensure the URLs are a precise match.
- After updating your Allowed logout redirect URLs, make sure to save changes in the Kinde dashboard and redeploy or restart your application if it caches environment variables or configuration.
If you have confirmed all of the above and still receive a 403, double-check that the actual URL being sent as post_logout_redirect_uri in the logout request matches exactly what is in the Allowed logout redirect URLs field in Kinde.
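The reply above boils down to one rule: the decoded post_logout_redirect_uri must be character-for-character equal to a registered entry. The following Python script is an added example (not Kinde's code and not from the original thread) that pulls that parameter out of a logout URL and, when it does not match, reports which of the listed causes (whitespace, scheme, port, case, trailing slash) is responsible. The logout URL, the allowlist and the reason strings are constructed for the demonstration; the id_token_hint value is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the URL the browser is sent to on logout (id_token_hint redacted).
SAMPLE_LOGOUT_URL = (
    "https://example-org.kinde.com/logout"
    "?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7079%2Fsignout-callback-oidc"
    "&id_token_hint=REDACTED"
)

# Constructed allowlist, mirroring what the question says is registered in the dashboard.
SAMPLE_ALLOWED = [
    "https://localhost:7079/signout-callback-oidc",
    "https://mydomain.com/signout-callback-oidc",
]


def extract_post_logout_redirect_uri(logout_url):
    """Return the percent-decoded post_logout_redirect_uri from a logout URL, or None."""
    values = parse_qs(urlsplit(logout_url).query).get("post_logout_redirect_uri")
    return values[0] if values else None


def explain_mismatch(candidate, registered):
    """List the reasons `candidate` is not a character-for-character match for `registered`.

    An empty list means the two strings are identical, the only condition that passes.
    """
    if candidate == registered:
        return []
    reasons = []
    if registered != registered.strip():
        reasons.append("registered URL has leading/trailing whitespace")
        registered = registered.strip()
        if candidate == registered:
            return reasons
    c, r = urlsplit(candidate), urlsplit(registered)
    if c.scheme != r.scheme:
        reasons.append(f"scheme differs: {c.scheme!r} vs {r.scheme!r}")
    if c.netloc != r.netloc:
        if c.netloc.lower() == r.netloc.lower():
            reasons.append("host differs only by case")
        elif c.port != r.port:
            reasons.append(f"port differs: {c.port} vs {r.port}")
        else:
            reasons.append(f"host differs: {c.netloc!r} vs {r.netloc!r}")
    if c.path != r.path:
        if c.path.lower() == r.path.lower():
            reasons.append("path differs only by case (matching is case-sensitive)")
        elif c.path.rstrip("/") == r.path.rstrip("/"):
            reasons.append("path differs by a trailing slash")
        else:
            reasons.append(f"path differs: {c.path!r} vs {r.path!r}")
    if c.query != r.query or c.fragment != r.fragment:
        reasons.append("query string or fragment differs")
    if not reasons:
        reasons.append("URLs differ (no exact match)")
    return reasons


def check_logout_redirect(logout_url, allowed):
    """Return (matched_entry_or_None, {registered_url: reasons}) for the given logout URL."""
    candidate = extract_post_logout_redirect_uri(logout_url)
    if candidate is None:
        return None, {"<missing>": ["logout URL carries no post_logout_redirect_uri"]}
    report = {}
    for registered in allowed:
        reasons = explain_mismatch(candidate, registered)
        if not reasons:
            return registered, {}
        report[registered] = reasons
    return None, report


if __name__ == "__main__":
    matched, report = check_logout_redirect(SAMPLE_LOGOUT_URL, SAMPLE_ALLOWED)
    print("matched:", matched)
    for url, reasons in report.items():
        print(url, "->", "; ".join(reasons))
```

Paste the real logout URL from the browser's address bar (with the id_token_hint removed) into SAMPLE_LOGOUT_URL and the dashboard entries into SAMPLE_ALLOWED; a non-empty report shows exactly which component of which entry is off, which is quicker than re-reading the two strings by eye.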