Problem
The logout handler (`HandleLogout` in `routes.go:201-211`) accepts a `post_logout_redirect_uri` parameter and redirects to it without any validation:
```go
// Vulnerable as reported: the caller-supplied value becomes the redirect target unchecked.
redirectURI := r.URL.Query().Get("post_logout_redirect_uri")
if redirectURI == "" {
	redirectURI = "/oauth/login"
}
http.Redirect(w, r, redirectURI, http.StatusFound)
```
An attacker can craft a logout link like:
```
https://identity.ethanswan.com/oauth/logout?post_logout_redirect_uri=https://evil.com/phishing
```
If a user clicks this (or it's embedded in an email/page), they'll be logged out and redirected to the attacker's site — which could present a fake login page to capture credentials.
Why it matters
- Open redirect is an OWASP Top 10 finding under Broken Access Control
- Combined with logout, it enables convincing phishing: user sees a real logout, then a fake login page at the redirect target
- OIDC RP-Initiated Logout 1.0 spec requires that the OP validate the redirect URI
Fix
Validate `post_logout_redirect_uri` against the registered `redirect_uris` for the client (identified via an `id_token_hint` or `client_id` parameter), or maintain a separate per-client list of allowed post-logout URIs. If validation fails, redirect to the default login page.
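One way to implement this check, as an added example rather than the project's own code: the requested URI is accepted only on an exact, case-sensitive match against the client's registered post-logout URIs, and everything else falls back to the default login page. `Client`, `registry` and `lookupClient` are constructed stand-ins for the project's client store, which the issue does not show.

```go
package main

import (
	"fmt"
	"net/http"
)

// Client is a constructed stand-in for the project's registered-client record (not shown in the issue).
type Client struct {
	ID                     string
	PostLogoutRedirectURIs []string // exact URIs registered for post-logout use
}

// registry is constructed sample data; lookupClient is an assumed helper for the client store.
var registry = map[string]*Client{
	"app1": {ID: "app1", PostLogoutRedirectURIs: []string{"https://app.example.com/logged-out"}},
}

func lookupClient(clientID string) *Client { return registry[clientID] }

const defaultPostLogout = "/oauth/login"

// resolvePostLogoutRedirect returns the requested URI only when it is an exact,
// case-sensitive match for a URI registered to the identified client. An unknown
// client, an empty value or any mismatch (other host, path, query or fragment)
// yields the default login page instead, so the value is never trusted as-is.
func resolvePostLogoutRedirect(client *Client, requested string) string {
	if client == nil || requested == "" {
		return defaultPostLogout
	}
	for _, allowed := range client.PostLogoutRedirectURIs {
		if requested == allowed {
			return requested
		}
	}
	return defaultPostLogout
}

// handleLogout shows where the check slots in: identify the client (client_id here;
// id_token_hint handling is out of scope), then redirect only to the validated result.
func handleLogout(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	client := lookupClient(q.Get("client_id"))
	target := resolvePostLogoutRedirect(client, q.Get("post_logout_redirect_uri"))
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	fmt.Println(resolvePostLogoutRedirect(lookupClient("app1"), "https://evil.com/phishing")) // /oauth/login
}
```

Prefix or host-only matching is deliberately avoided: a registered `https://app.example.com/logged-out` does not authorise `https://app.example.com/logged-out?x=1`, which is what the exact-comparison rule in the RP-Initiated Logout spec is there to prevent.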
Spec reference