Error Occurs When Using returnTo Query Parameter During Logout
This article explains why an error occurs when users are redirected after signing out with a returnTo query parameter. After a user signs out, they are not redirected back to the expected application and instead receive the following error:
The "returnTo" querystring parameter "[...]" is not defined as a valid URL in "Allowed Logout URLs".
- Logout
- Redirection
- Allowed Logout URLs
This error occurs because the URL specified in the returnTo parameter is not included in the Allowed Logout URLs list or there is no client_id in the logout request. This list can be configured at the application level or the tenant level. The validation fails in the following scenarios:
- The logout request includes a client_id, but the returnTo URL is not in the application's Allowed Logout URLs list.
- The logout request does not include a client_id, and the returnTo URL is not in the tenant's Allowed Logout URLs list.
To resolve this issue, add the returnTo URL to the appropriate Allowed Logout URLs list.
If the logout request includes a client_id and is specific to an application:
- Navigate to Applications and select the relevant application.
- In the Settings tab, locate the Allowed Logout URLs field.
- Enter the URL specified in the returnTo parameter into the list.
- Select the Save Changes button.
If the logout request does not include a client_id:
- Navigate to Settings and select the Advanced tab.
- Locate the Allowed Logout URLs field.
- Enter the URL specified in the returnTo parameter into the list.
- Select the Save button.
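To find out which list a failing request is checked against before changing any settings, the following Python sketch (an added example, not part of the original article or the vendor's code) parses a logout request URL and applies the rule described above. The request URLs, client ID and list contents are constructed samples, and exact string matching is an assumption; the service's own matching rules may differ.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample configuration; copy the real values from the dashboard.
TENANT_ALLOWED = ["https://www.example.com/signed-out"]
APP_ALLOWED = {
    "sample-client-id": ["https://app.example.com/bye"],
}


def diagnose_logout(logout_url, app_allowed=APP_ALLOWED,
                    tenant_allowed=TENANT_ALLOWED):
    """Report which Allowed Logout URLs list governs a logout request
    and whether its returnTo value is present in that list."""
    query = parse_qs(urlsplit(logout_url).query)  # percent-decodes values
    return_to = query.get("returnTo", [None])[0]
    client_id = query.get("client_id", [None])[0]

    if return_to is None:
        # No returnTo means there is nothing to validate.
        return {"scope": None, "return_to": None, "allowed": True}

    if client_id is not None:
        # client_id present: only the application's list is consulted.
        scope = "application"
        candidates = app_allowed.get(client_id, [])
    else:
        # client_id absent: only the tenant's list is consulted.
        scope = "tenant"
        candidates = tenant_allowed

    # Assumption: exact string comparison against the configured entries.
    return {
        "scope": scope,
        "return_to": return_to,
        "allowed": return_to in candidates,
    }


if __name__ == "__main__":
    # Constructed request: valid for the application, but sent without client_id.
    sample = ("https://tenant.example.com/v2/logout"
              "?returnTo=https%3A%2F%2Fapp.example.com%2Fbye")
    result = diagnose_logout(sample)
    fix = "no change needed" if result["allowed"] else (
        f"add {result['return_to']} to the {result['scope']} list")
    print(result, "->", fix)
```

A result with `allowed: False` names the list (`application` or `tenant`) where the returnTo URL must be added, which corresponds to the two sets of steps above.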