Keycloak / KEYCLOAK-3147

OpenID Connect auth request redirect_uri behaviour not according to spec


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 1.9.8.Final
    • Fix Version/s: 2.1.0.CR1
    • Component/s: OIDC
    • Labels: None
    • Steps to Reproduce:
      • Create a realm named 'demo' with OpenID Connect enabled.
      • Start an authentication flow by opening 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?scope=openid&client_id=account&response_type=none' in your browser.

      Description

      Per spec the redirect_uri parameter of an authorization request is 'required'. The value must exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider.

      For reference, see http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

      redirect_uri
      REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in [..]

      However, using Keycloak (1.9.8.Final) the behaviour exhibited is that, if there is just one registered Redirection URI, the parameter is OPTIONAL and that single URL is used to redirect the browser to after successful authentication.

      The code that implements this can be found in RedirectUtils.java:

      private static String verifyRedirectUri(UriInfo uriInfo, String rootUrl, String redirectUri, RealmModel realm, Set<String> validRedirects) {
          // No redirect_uri in the request: instead of rejecting it, fall back to
          // the registered redirect when the client has exactly one.
          if (redirectUri == null) {
              if (validRedirects.size() != 1) return null;
              String validRedirect = validRedirects.iterator().next();
              // Strip a wildcard suffix such as "/*" before using the value as the target.
              int idx = validRedirect.indexOf("/*");
              if (idx > -1) {
                  validRedirect = validRedirect.substring(0, idx);
              }
              redirectUri = validRedirect;
          }
          <..>
      }
      

      This may be convenient, but it does not comply with the specification.
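      As an added illustration (not code from the Keycloak project or from the reporter), the two validation policies side by side: the lenient fallback reported above for 1.9.8.Final, which derives a target from the single registered redirect, and the spec-required check, which treats a missing redirect_uri as an invalid request. The client registration, the wildcard matching rule (the real matching after the elided `<..>` is not shown on this page), and the helper names are assumptions made for this example; the authorization request URL is the one from the reproduction steps.

```python
from urllib.parse import parse_qs, urlsplit

# Authorization request from the issue's reproduction steps: no redirect_uri.
REPRO_URL = ("http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth"
             "?scope=openid&client_id=account&response_type=none")

# Constructed client registration (an assumption, not taken from the issue):
# the 'account' client of realm 'demo' with a single wildcard redirect.
REGISTERED_REDIRECTS = {
    "account": ["http://localhost:8080/auth/realms/demo/account/*"],
}


def _matches(candidate, pattern):
    """Assumed matching rule: a trailing '/*' allows the prefix itself or any
    path below it (the '/' boundary keeps 'account.evil.example' from
    matching 'account/*'); anything else is an exact string comparison."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return candidate == prefix or candidate.startswith(prefix + "/")
    return candidate == pattern


def verify_redirect_uri_lenient(redirect_uri, valid_redirects):
    """Behaviour reported for 1.9.8.Final: when redirect_uri is absent and the
    client has exactly one registered redirect, that value (with the text from
    the first '/*' onwards stripped) is used as the target."""
    if redirect_uri is None:
        if len(valid_redirects) != 1:
            return None
        only = valid_redirects[0]
        idx = only.find("/*")
        if idx > -1:
            only = only[:idx]
        redirect_uri = only
    if any(_matches(redirect_uri, p) for p in valid_redirects):
        return redirect_uri
    return None


def verify_redirect_uri_strict(redirect_uri, valid_redirects):
    """OpenID Connect Core 3.1.2.1: redirect_uri is REQUIRED and MUST match a
    pre-registered value, so absence is an error rather than a default."""
    if redirect_uri is None:
        return None
    if any(_matches(redirect_uri, p) for p in valid_redirects):
        return redirect_uri
    return None


def check_auth_request(url, strict=True):
    """Parse an authorization request URL and return the redirect target the
    OP may send its response to, or None when the request must be rejected."""
    params = parse_qs(urlsplit(url).query)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    valid = REGISTERED_REDIRECTS.get(client_id, [])
    verify = verify_redirect_uri_strict if strict else verify_redirect_uri_lenient
    return verify(redirect_uri, valid)


if __name__ == "__main__":
    print("lenient:", check_auth_request(REPRO_URL, strict=False))
    print("strict: ", check_auth_request(REPRO_URL, strict=True))
```

      For the reproduction URL the lenient check returns the registered redirect with its '/*' suffix removed, while the strict check returns None, which is the outcome the spec text quoted above requires. With two registered redirects both checks reject a request that omits redirect_uri, so the difference is confined to the single-registration case the issue describes.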

              People

              Assignee:
              mposolda Marek Posolda
              Reporter:
              dick.eimers Dick Eimers (Inactive)