Status: Closed (View Workflow)
Affects Version/s: 1.9.8.Final
Fix Version/s: 2.1.0.CR1
Per spec, the redirect_uri parameter of an authorization request is 'required'. The value must exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.
For reference, see http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [..]
However, the behaviour exhibited by Keycloak (1.9.8.Final) is that if there is just one registered redirect URI, the parameter is OPTIONAL and that single URL is used to redirect the browser to after successful authentication.
The code that implements this can be found in RedirectUtils.java:
This may be convenient, but it does not comply with the specification.
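As an added illustration (not Keycloak's RedirectUtils code), the following models the spec-conformant check beside the lenient fallback the report describes; the client's registered URI and the query strings are constructed sample data:

```python
from typing import Optional, Sequence
from urllib.parse import parse_qs

# Registered redirect URI(s) for a hypothetical client (constructed sample data).
REGISTERED = ["https://app.example/callback"]


def resolve_redirect_uri(requested: Optional[str], registered: Sequence[str],
                         lenient: bool = False) -> Optional[str]:
    """Return the URI the response may be sent to, or None to reject.

    Spec behaviour (lenient=False): redirect_uri is REQUIRED and must equal a
    registered value under RFC 3986 simple string comparison, so case,
    trailing slashes, extra path segments and query strings all matter.

    lenient=True models the behaviour the report describes: with exactly one
    registered URI, a missing parameter falls back to that URI.
    """
    if requested is None:
        if lenient and len(registered) == 1:
            return registered[0]
        return None
    return requested if requested in registered else None


def check_authorization_request(query: str, registered: Sequence[str],
                                lenient: bool = False) -> Optional[str]:
    """Extract redirect_uri from an authorization request query string and
    validate it. Returns the accepted URI, or None when the request is rejected."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("redirect_uri", [])
    if len(values) > 1:
        # OAuth 2.0 forbids repeating a request parameter; reject outright.
        return None
    requested = values[0] if values else None
    return resolve_redirect_uri(requested, registered, lenient)
```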