goto urls are ignored unless they are added to the validation service, this behaviour is not reflected in the documentation
By default, AM redirects the user to the URL specified in the goto and gotoOnFail query string parameters supplied to the authentication interface during login and logout. You can increase security against possible phishing attacks through open redirect by specifying a list of valid URL resources using the Validation Service.
If this behaviour is intentional the docs should reflect it
goto urls are ignored unless they are added to the validation service