Keycloak / KEYCLOAK-13933 Client Policies / KEYCLOAK-17938

Not possible to create client in the admin console when client policy with "secure-redirecturi-enforce-executor" condition is used


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 14.0.0
    • Component/s: None
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Steps to reproduce:

      • Configure client policies so that a client policy applies to the admin console's client creation request and points to a client profile containing the "secure-redirecturi-enforce-executor" executor.
      • Log in to the admin console as admin and try to create a client. The request fails because of the "secure-redirecturi-enforce-executor": the initial "create client" screen in the admin console does not allow specifying fields such as the redirect URI, only the client's root URL.

      Possible improvement:

      • If no redirectUri is specified on the client, allow the request to pass. This should be safe because OIDC requests require a redirect URI to exist, so a client that has no "redirect_uri" configured is not a security concern.
      • Not strictly needed to address the issue above, but optionally the executor could be improved by adding a configuration option to check that other client URIs (not just the redirect URIs) use "https", such as the web origin, root URL and admin URL.
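      The following stand-alone Java class is an added illustration of the two proposals above; it is not Keycloak's own executor code and does not use Keycloak's APIs. The class name `SecureUrisCheck`, the `ClientRequest` stand-in for the client representation, and the `checkOtherUris` option are assumptions made for the example. It shows that a client sent without redirect URIs (as the admin console's "create client" screen does) passes, that a non-https redirect URI is rejected, and that root URL, admin URL and web origins are only checked when the optional flag is on.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

// Illustrative model of the check proposed in KEYCLOAK-17938.
// Not Keycloak's executor; all names here are assumed for the example.
public class SecureUrisCheck {

    /** Minimal stand-in for the client representation sent by the admin console. */
    static class ClientRequest {
        String rootUrl;
        String adminUrl;
        List<String> redirectUris = new ArrayList<>();
        List<String> webOrigins = new ArrayList<>();
    }

    /**
     * Returns the list of violations; an empty list means the request is allowed.
     * checkOtherUris models the optional configuration switch from the issue.
     */
    static List<String> violations(ClientRequest client, boolean checkOtherUris) {
        List<String> problems = new ArrayList<>();

        // Proposed fix: a client with no redirect URIs is allowed through.
        // An OIDC authorization request needs a redirect_uri, so a client that
        // has none configured cannot yet be used in a redirect-based flow.
        if (client.redirectUris != null) {
            for (String uri : client.redirectUris) {
                if (!isHttps(uri)) {
                    problems.add("redirectUri is not https: " + uri);
                }
            }
        }

        // Optional extension: require https on the other client URIs as well.
        if (checkOtherUris) {
            if (client.rootUrl != null && !isHttps(client.rootUrl)) {
                problems.add("rootUrl is not https: " + client.rootUrl);
            }
            if (client.adminUrl != null && !isHttps(client.adminUrl)) {
                problems.add("adminUrl is not https: " + client.adminUrl);
            }
            // Wildcard web origins ("+" / "*") are not modelled here; only
            // concrete origins are checked.
            for (String origin : client.webOrigins) {
                if (!isHttps(origin)) {
                    problems.add("webOrigin is not https: " + origin);
                }
            }
        }
        return problems;
    }

    /** True only for an absolute URI with the https scheme and a host. */
    static boolean isHttps(String value) {
        try {
            URI uri = new URI(value);
            return "https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed request modelled on the admin console's "create client"
        // screen: only the root URL is set, no redirect URIs.
        ClientRequest fromConsole = new ClientRequest();
        fromConsole.rootUrl = "https://app.example.test";
        System.out.println("console create, redirect-only check: "
                + violations(fromConsole, false));

        // Constructed request with a plain-http redirect URI: rejected.
        ClientRequest plainHttpRedirect = new ClientRequest();
        plainHttpRedirect.redirectUris.add("http://app.example.test/callback");
        System.out.println("http redirect URI: "
                + violations(plainHttpRedirect, false));

        // Constructed request with a plain-http root URL: rejected only when
        // the optional "check other URIs" switch is enabled.
        ClientRequest plainHttpRoot = new ClientRequest();
        plainHttpRoot.rootUrl = "http://app.example.test";
        System.out.println("http root URL, switch off: "
                + violations(plainHttpRoot, false));
        System.out.println("http root URL, switch on:  "
                + violations(plainHttpRoot, true));
    }
}
```

      Compile and run with `javac SecureUrisCheck.java && java SecureUrisCheck`. The design point is that the relaxed rule for an empty redirect URI list is a deliberate choice, not an oversight: the https requirement is still applied to every redirect URI once one is added, so tightening the other URIs is kept behind a separate switch to avoid breaking existing admin console flows.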


              People

              Assignee: Unassigned
              Reporter: Marek Posolda (mposolda)
              Votes: 0
              Watchers: 2
