Allow http scheme in post logout redirect URIs

Author: Qup42

docs/settings.rst

@@ -328,6 +328,12 @@ Default: ``True``
 Whether to always prompt the :term:`Resource Owner` (End User) to confirm a logout requested by a
 :term:`Client` (Relying Party). If it is disabled the :term:`Resource Owner` (End User) will only be prompted if required by the standard.
 
+OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``False``
+
+Enable to only allow the `http` scheme in post logout redirect URIs when a :term:`Client` is `confidential`.
+
 OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Default: ``True``

oauth2_provider/settings.py

@@ -90,6 +90,7 @@
     ],
     "OIDC_RP_INITIATED_LOGOUT_ENABLED": False,
     "OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT": True,
+    "OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS": False,
     "OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS": True,
     "OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS": True,
     # Special settings that will be evaluated at runtime

oauth2_provider/views/oidc.py

@@ -259,7 +259,9 @@ def validate_logout_request(request, id_token_hint, client_id, post_logout_redir
         scheme = urlparse(post_logout_redirect_uri)[0]
         if not scheme:
             raise InvalidOIDCRedirectURIError("A Scheme is required for the redirect URI.")
-        if scheme == "http" and application.client_type != "confidential":
+        if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS and (
+            scheme == "http" and application.client_type != "confidential"
+        ):
             raise InvalidOIDCRedirectURIError("http is only allowed with confidential clients.")
         if scheme not in application.get_allowed_schemes():
             raise InvalidOIDCRedirectURIError(f'Redirect to scheme "{scheme}" is not permitted.')