When I click logout in a .NET client application I am successfully logged out if the end session endpoint ("end_session_endpoint" in the discovery document) uses the domain name. For example, the framework redirects to the identity server (Gluu) with the URL below and it logs out the application perfectly.
https://my-gluu-server.com/oxauth/seam/resource/restv1/oxauth/end_session?
post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44300%2Fsignout-callback-oidc
&id_token_hint=<MY JWT...>
&state=CfDJ8AjASIR7C_....
&x-client-SKU=ID_NETSTANDARD2_0
&x-client-ver=5.5.0.00
But when I change it to use the IP address (because the domain name is not resolvable where we intend to host it) it fails to log out. When I click a private page it goes back to the Gluu server and no login is required (because I am not logged out); it then redirects me back to the .NET client application.
https://10.10.10.10/oxauth/seam/resource/restv1/oxauth/end_session?
post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44300%2Fsignout-callback-oidc
&id_token_hint=<MY JWT...>
&state=CfDJ8AjASIR7C_....
&x-client-SKU=ID_NETSTANDARD2_0
&x-client-ver=5.5.0.0
Is Gluu or the OIDC flow checking the URL (issuer?) and if so is there a way to work around this, so that both the IP address and domain name can be recognised as valid?
Thanks.
You cannot use HTTPS against an IP address:
You must always use a domain when you use HTTPS, otherwise you have to use HTTP. But using HTTP will give you other problems, especially with the cookies that the browser will reject. So, get a domain for 10.10.10.10 that the client will trust.
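A diagnostic for the situation in this thread, as an added example that is not part of the original posts or of Gluu or the .NET framework: it takes a logout request URL, reads the "iss" claim from the id_token_hint without verifying the signature, and reports when the end_session host is an IP literal or differs from the issuer host. It assumes the login session cookie was set under the issuer's host name; make_sample_token and check_logout_url are hypothetical helper names, and the token is constructed for the demo.

```python
import base64, ipaddress, json
from urllib.parse import urlsplit, parse_qs

def b64url_json(segment):
    """Decode one base64url JWT segment (no signature check; diagnosis only)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def make_sample_token(iss):
    """Constructed, unsigned token used only as sample input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss, 'sub': 'demo'})}.sig"

def check_logout_url(logout_url):
    """Return a list of findings for an RP-initiated logout request URL."""
    findings = []
    url = urlsplit(logout_url)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append("end_session endpoint is not HTTPS")
    if is_ip_literal(host):
        findings.append(f"end_session host {host} is an IP literal")
    hint = parse_qs(url.query).get("id_token_hint", [None])[0]
    if hint is None:
        findings.append("no id_token_hint in request")
        return findings
    try:
        iss = b64url_json(hint.split(".")[1]).get("iss", "")
    except (IndexError, ValueError, AttributeError):
        findings.append("id_token_hint is not a decodable JWT")
        return findings
    iss_host = (urlsplit(iss).hostname or "").lower()
    if iss_host != host:
        # Browsers scope cookies by host, so a session cookie set for the
        # issuer host (assumption) is not sent along with this request.
        findings.append(f"iss host {iss_host} differs from end_session host {host}")
    return findings

if __name__ == "__main__":
    path = "/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint="
    token = make_sample_token("https://my-gluu-server.com")
    for base in ("https://my-gluu-server.com", "https://10.10.10.10"):
        print(base, check_logout_url(base + path + token))
```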