Invalid redirect URI error when trying to allow redirect URI with random query parameter #30695
Comments
@rmartinc: I saw that you recently worked on
Hi @bwaldvogel! The common approach (and recommended by OAuth 2.0 Security Best Current Practice and enforced by OAuth 2.1) is using exact redirect URI matching, everything, query parameters included. The only case where Keycloak is doing something special, and out of the spec, is when it's using path wildcards (if condition
Thanks for reporting this issue. However, after review this is not considered a valid issue, or has been recently resolved. As the issue is not valid it will be automatically closed.
Ok, thanks for this info.
Before reporting an issue

Area
core

Describe the bug
I want to configure a "Valid post logout redirect URIs" for URLs with random query parameter such as

I tried the following valid redirect URIs but none of them work:
http://localhost:4000/logout
http://localhost:4000/logout?*
http://localhost:4000/logout?_csrf=*

As a workaround I could use
http://localhost:4000/logout*
or
http://localhost:4000/logout/*
but that would also allow redirects to other URLs such as /logout-other or /logout/other, which I don't want to permit.

I found org.keycloak.protocol.oidc.utils.RedirectUtils#matchesRedirects which seems to strip off the query but only if there's no question mark (?) in the URI:

Version
25.0.1

Regression

Expected behavior
The redirect URI http://localhost:8080/logout?_csrf=some-random-string is considered valid when http://localhost:8080/logout?* or http://localhost:8080/logout?_csrf=* is configured to be a valid redirect URI.

Actual behavior
The http://localhost:8080/logout?_csrf=some-random-string URI is rejected with an invalid_redirect_uri error.

How to Reproduce?
Configure http://localhost:8080/logout?* or http://localhost:8080/logout?_csrf=* as "Valid post logout redirect URIs" in the client.
Open http://keycloak:port/realms/my-realm/protocol/openid-connect/logout?client_id=my-client&post_logout_redirect_uri=http://localhost:8080/logout?_csrf=e45bb8e8-b3a5-4d5b-9317-72f8d9854489
Anything else?
No response
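Added illustration, not part of the issue and not Keycloak's code: the Python below models the two redirect URI rules the thread contrasts. Exact matching is the rule the maintainer points to (OAuth 2.0 Security BCP, OAuth 2.1); the trailing-'*' path wildcard is a simplified model built only from what the report describes (the wildcard counts when it ends the path and there is no query string, so a '*' after '?' falls back to exact comparison). The function names, the probe URIs and the assumption about wildcard handling are this example's own, and the output shows why `http://localhost:8080/logout*` also lets `/logout-other` through.

```python
from urllib.parse import urlsplit

# Constructed illustration of the two matching modes discussed in the issue.
# It is NOT Keycloak's RedirectUtils#matchesRedirects; it only models the
# behaviour the report describes (exact match, plus a trailing '*' in the path).


def matches_exact(registered: str, candidate: str) -> bool:
    """Exact string comparison of the whole URI, query included.

    This is the rule the OAuth 2.0 Security BCP recommends and OAuth 2.1
    requires: anything that differs, even one query parameter, is rejected.
    """
    return registered == candidate


def matches_with_path_wildcard(registered: str, candidate: str) -> bool:
    """Exact match, extended with a trailing '*' prefix wildcard in the path.

    Assumption (modelled from the issue text, not from Keycloak's source):
    the wildcard is only honoured when it terminates the path and the
    registered value has no query string. A '*' after '?' is therefore a
    literal character and the comparison falls back to an exact match, which
    is why 'http://localhost:8080/logout?*' never accepts a random _csrf value.
    """
    parts = urlsplit(registered)
    if parts.query == "" and parts.path.endswith("*"):
        prefix = registered[:-1]  # drop the '*', keep everything before it
        return candidate.startswith(prefix)
    return matches_exact(registered, candidate)


def is_allowed(valid_redirect_uris, candidate: str) -> bool:
    """True if any registered value accepts the candidate redirect URI."""
    return any(matches_with_path_wildcard(r, candidate) for r in valid_redirect_uris)


def accepted_candidates(valid_redirect_uris, candidates):
    """Return the subset of candidates a configuration lets through.

    Handy for reviewing how broad a wildcard entry really is before saving it.
    """
    return [c for c in candidates if is_allowed(valid_redirect_uris, c)]


# Constructed sample inputs mirroring the URIs quoted in the issue.
REPORTED_URI = "http://localhost:8080/logout?_csrf=some-random-string"
PROBE_URIS = [
    REPORTED_URI,
    "http://localhost:8080/logout",
    "http://localhost:8080/logout-other",
    "http://localhost:8080/logout/other",
]

if __name__ == "__main__":
    for config in (
        ["http://localhost:8080/logout?*"],
        ["http://localhost:8080/logout*"],
        ["http://localhost:8080/logout/*"],
    ):
        print(config, "->", accepted_candidates(config, PROBE_URIS))
```

Run as a script, the first configuration accepts nothing from the probe list (the '*' after '?' is compared literally), the second accepts all four probes including the unrelated `/logout-other` path the reporter wants to exclude, and the third accepts only `/logout/other`. That spread is the trade-off the maintainer's comment describes: exact matching is strict by construction, and any wildcard widens the set of acceptable redirect targets beyond the one URL the client actually uses.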