Red Hat build of Keycloak: RHBK-1371

[GHI#24568] iframe for frontend logout gets blocked if a custom CSP header is used




      Area

      core

      Describe the bug

      When Front channel logout is configured for an OIDC client, the logout is performed using an iframe to call the client front-channel URL. For example, in my sample client:

      ```html
      <li>
      sample-rhsso
      <iframe src="http://localhost:8081/sample-rhsso/logout?sid=310d5fbf-7df7-4d75-957d-46208cdb77c2&iss=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Fmaster" style="display:none;"></iframe>
      </li>
      ```

      The CSP header by default is modified to allow the client URL in the iframe, adding the hostname of the client backchannel URL to the frame-src policy. In my sample:

      ```
      Content-Security-Policy: frame-src localhost:8081 ; object-src 'none';
      ```

      If a custom CSP header is configured in the realm, the frame-src is not modified and therefore the iframe is not called because it's not allowed. For example, if I change my realm Realm Settings -> Security Defenses -> Content-Security-Policy to `frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';`.

      I'm just adding the style-src directive to the default CSP value but now the CSP received by the browser is:

      ```
      Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';
      ```

      And the backchannel URL is not called because it's not allowed by the CSP. So the client is not logged out.

      Version

      22.0.5

      Expected behavior

      I think we need a more intelligent design of the CSP header. I would do the following:

      • Manage frame-src and frame-ancestors independently of the other directives.
      • For frame-src add the hostnames needed to the current value defined by the realm (by default it would be 'self' and transformed to 'self hostname1 hostname2...').
      • For frame-ancestors remove the directive if and only if the default 'self' is in place. This modification is needed for the login iframe used by the JS adapter. If the administrator has modified the frame-ancestors it will be respected and not modified.
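      The merge rules proposed above, written out as an added illustration (this is not Keycloak's own code). It assumes the Keycloak server origin from the report, http://localhost:8080, and uses a deliberately simplified frame-src matcher (exact host sources, 'self' and '*' only) to show why the unmodified custom CSP blocks the logout iframe while the merged one allows it.

```python
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into an insertion-ordered {directive: [sources]} mapping."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy: dict[str, list[str]]) -> str:
    return "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items()) + ";"

def merge_frame_directives(realm_csp: str, frame_urls: list[str]) -> str:
    """Apply the proposed rules on top of the realm's configured CSP:
    - frame-src: append the host (with port) of each iframe URL to the existing value
      (the realm default is 'self'), never replacing what the administrator set;
    - frame-ancestors: drop it only while it is still the default 'self';
    - every other directive (e.g. style-src) is passed through unchanged."""
    policy = parse_csp(realm_csp)
    frame_src = policy.get("frame-src", ["'self'"])
    for url in frame_urls:
        host = urlsplit(url).netloc          # e.g. localhost:8081
        if host not in frame_src:
            frame_src.append(host)
    policy["frame-src"] = frame_src
    if policy.get("frame-ancestors") == ["'self'"]:
        del policy["frame-ancestors"]
    return serialize_csp(policy)

def frame_allowed(csp: str, iframe_url: str, server_origin: str) -> bool:
    """Simplified frame-src check (exact host sources, 'self', '*'; no wildcard hosts):
    would a browser that received `csp` from `server_origin` load `iframe_url` in an iframe?"""
    policy = parse_csp(csp)
    sources = policy.get("frame-src") or policy.get("child-src") or policy.get("default-src") or ["*"]
    target = urlsplit(iframe_url)
    for src in sources:
        if src == "'self'" and target.netloc == urlsplit(server_origin).netloc:
            return True
        if src in ("*", target.netloc, f"{target.scheme}://{target.netloc}"):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: the custom realm CSP from the report and the logout iframe URL.
    realm_csp = "frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';"
    logout_url = "http://localhost:8081/sample-rhsso/logout"
    print(frame_allowed(realm_csp, logout_url, "http://localhost:8080"))   # False: header sent as-is
    merged = merge_frame_directives(realm_csp, [logout_url])
    print(merged, frame_allowed(merged, logout_url, "http://localhost:8080"))  # ... True
```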

      Actual behavior

      If the CSP header is customized at realm level the modifications for frame-src and frame-ancestors are just not done. The logout or the iframe for login won't work.

      How to Reproduce?

      1. Create an OIDC client with Front channel logout to ON and Front-channel logout URL configured.
      2. Test that by default the CSP and iframe is OK and the frontchannel URL is called.
      3. Modify the realm setting CSP to `frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';`.
      4. Check the CSP is just sent as configured in the realm and the iframe URL is not called.

      Anything else?

      No response

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)
      Component: Keycloak Core Clients