403 Forbidden error on logout redirect
Hello Kinde Support,
I’m implementing OpenID Connect authentication in an ASP.NET Core (Blazor Server) application using the standard logout flow (/logout → signout-callback-oidc).
Login works as expected, but when triggering the logout I get redirected to:
https://<my-org>.kinde.com/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7079%2Fsignout-callback-oidc&id_token_hint=...
and receive a 403 Forbidden response.
In the application settings I’ve already added the following URLs to Allowed Logout Redirect URLs:
• https://localhost:7079/signout-callback-oidc
• https://mydomain.com/signout-callback-oidc
However, I still get the 403 error.
Could you please confirm if there are any additional settings required to accept the post_logout_redirect_uri in the logout flow?
Thank you for your support,
Guilherme
Hi Guilherme,
Hope you are having a great weekend.
The 403 Forbidden error when using the post_logout_redirect_uri in the logout flow usually indicates that the provided redirect URI does not exactly match what is registered in your Kinde application's Allowed logout redirect URLs list. Here are the key things to check:
1. Exact String Match: The post_logout_redirect_uri parameter in the logout request must match exactly (character-for-character, including protocol, port, and path) with one of the URLs listed in your application's Allowed logout redirect URLs in Kinde.
2. No Trailing Spaces: Ensure there are no leading or trailing spaces in your registered URLs in the Kinde dashboard.
3. Protocol and Port: If your app runs on https://localhost:7079, the registered URL must include both the protocol (`https`) and the port (`7079`). For example:
https://localhost:7079/signout-callback-oidc
4. Multiple Environments: If you use different URLs for local development and production, ensure both are present and correct in the Allowed logout redirect URLs.
5. Case Sensitivity: URL matching is case-sensitive. Make sure the casing matches exactly.
Additional Notes:
- No extra configuration is required beyond what is described above for logout redirect URLs. There are no hidden or undocumented settings—just ensure the URLs are a precise match.
- After updating your Allowed logout redirect URLs, make sure to save changes in the Kinde dashboard and redeploy or restart your application if it caches environment variables or configuration.
If you have confirmed all of the above and still receive a 403, double-check that the actual URL being sent as post_logout_redirect_uri in the logout request matches exactly what is in the Allowed logout redirect URLs field in Kinde.
Hi Patrick,
I’ve reviewed my configuration multiple times and have registered the correct URLs in the Kinde dashboard (both for local development and production).
However, I’m still consistently receiving a 403 Forbidden when performing the logout flow.
Here is an example of the generated logout URL:
https://signatarium.kinde.com/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7079%2Fsignout-callback-oidc&id_token_hint=...
I have already added the following to the Allowed logout redirect URLs list in my application settings:
• https://localhost:7079/signout-callback-oidc
• https://app.signatarium.com/signout-callback-oidc
Despite this, the logout request above still returns 403 Forbidden.
Could you please help me identify why the post_logout_redirect_uri is not being accepted, even though it matches the allowed logout redirect URLs?
Thanks
Hi there,
Since you have confirmed the URLs are correctly set, please consider the following additional checks:
1. URL Encoding: The URL in the query parameter should be URL-encoded, but when Kinde compares the value, it decodes it and compares the raw value to the allowed URLs.
2. Restart/Deploy: If your application or environment uses cached configuration or environment variables, restart or redeploy after updating the allowed URLs.
If you have verified all of the above and the issue persists, you may want to update the Allowed logout redirect URLs via the Management API to ensure there is no UI caching or sync issue. You can update them with a request to the Management API endpoint:
PUT /api/v1/applications/{app_id}/auth_logout_urls
{
"urls": [
"https://localhost:7079/signout-callback-oidc",
"https://app.signatarium.com/signout-callback-oidc"
]
}
This ensures the values are set exactly as needed.
Hello there,
From what I was able to verify, the logout flow works correctly when logging in through the standard method (email + code).
However, when I enable Google OAuth login and sign in using Google, the logout request always returns 403 Forbidden.
Could you please advise on how to proceed in this case? Is there any additional configuration required for logout to work properly with users authenticated via Google?
Thank you in advance for your support.
Best regards
Hi there,
Could you share the logout link where you get the 403 error?
Thanks for providing the details.
The id_token_hint parameter must be a valid ID token for the session being terminated. If the token has expired, or is malformed, Kinde may return a 403. Please double-check that your id_token_hint and post_logout_redirect_uri are correct and current.
If the issue persists, please try generating a fresh Google login and immediately logging out to rule out token expiry issues.
One more thing, please review your browser's cookies and session handling to ensure no cross-session contamination.
Please confirm these things and let me know how it goes.
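The two checks the support replies describe, exact matching of post_logout_redirect_uri against the allow-list and a sanity check on id_token_hint, as an added offline diagnostic that is not part of this thread or of Kinde's own code. The allow-list mirrors the two URLs quoted above, the sample JWT is constructed and unsigned (no signature verification is done; only Kinde can do that), and the caller supplies the current time.

```python
import base64, json
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list mirroring the two URLs registered in the thread.
ALLOWED_LOGOUT_URLS = [
    "https://localhost:7079/signout-callback-oidc",
    "https://app.signatarium.com/signout-callback-oidc",
]

def check_post_logout_redirect(logout_url, allowed=ALLOWED_LOGOUT_URLS):
    """Return (decoded_uri, exact_match, hints) for the logout URL's redirect."""
    params = parse_qs(urlsplit(logout_url).query)  # parse_qs percent-decodes
    uri = params.get("post_logout_redirect_uri", [None])[0]
    if uri is None:
        return None, False, ["post_logout_redirect_uri is missing"]
    if uri in allowed:  # character-for-character match, as Kinde requires
        return uri, True, []
    hints = []  # name the near-miss so the dashboard entry can be corrected
    for a in allowed:
        u, r = urlsplit(uri), urlsplit(a)
        if uri.lower() == a.lower():
            hints.append(f"case differs from {a}")
        elif uri.rstrip("/") == a.rstrip("/"):
            hints.append(f"trailing slash differs from {a}")
        elif (u.hostname, u.path) == (r.hostname, r.path):
            hints.append(f"scheme or port differs from {a}")
    return uri, False, hints or ["no registered URL is close"]

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_id_token(exp):
    """Constructed, unsigned JWT for offline tests; 'sig' is a placeholder."""
    hdr, claims = {"alg": "RS256", "typ": "JWT"}, {"sub": "constructed", "exp": exp}
    return ".".join([_b64url(json.dumps(hdr).encode()), _b64url(json.dumps(claims).encode()), "sig"])

def id_token_hint_status(token, now):
    """Offline check of JWT shape and exp only; the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    except ValueError:
        return "malformed"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return "missing exp"
    return "expired" if now >= exp else "current"
```

Paste the full logout URL the browser was sent to into check_post_logout_redirect; a hint such as "scheme or port differs" points at the dashboard entry to fix, while "current" from id_token_hint_status only rules out expiry, not a token issued for a different session.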