Restrictions for redirect urls


Thomas Darimont

Aug 20, 2021, 6:03:55 AM
to Keycloak Dev
Hello Keycloak developers, 

I just stumbled upon this interesting document from Microsoft that covers some limitations / restrictions that they apply for their Azure Active Directory service (AAD).

Especially interesting is the following section and rationale about allowing http:// and localhost in the redirect URI:
https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url#localhost-exceptions

Perhaps Keycloak client-policies could be used to apply similar limits.

Cheers,
Thomas

Stian Thorgersen

Aug 20, 2021, 6:44:27 AM
to Thomas Darimont, Keycloak Dev
Absolutely! We've already discussed this around client policy use-cases :)

I'm not 100% up to date on how the client policies work today, but what I had in mind was some built-in "safe redirect-uris" policy that can easily be enabled by a single option. I would like to see this enabled by default for new realms, but perhaps that is something we should rather do in Keycloak.X where we have options to run in dev-mode (kc start-dev) or production-mode (kc start), and could have more relaxed URIs for dev mode.


Stian Thorgersen

Aug 20, 2021, 6:45:56 AM
to Thomas Darimont, Keycloak Dev
Oh! I forgot to add that safe-redirect URIs in my opinion should:

* Not allow http://localhost
* Not allow any http redirects, with the exception of http://127.0.0.1
* Not allow wildcards except in the context-path (honestly I'd like to get rid of wildcards completely, but our adapters are designed a bit wrong here since they don't have a dedicated oauth callback endpoint)
* Anything else?!

Thomas Darimont

Aug 21, 2021, 7:15:19 AM
to Stian Thorgersen, Keycloak Dev
Hi Stian,

In the article [1] mentioned above the Microsoft folks argue that redirect URLs like http(s)://localhost are safe because they never leave the device.
Additionally, the authors write that ports could be ignored for http(s)://localhost URLs since native apps (Desktop / CLI) might use ephemeral ports for the OIDC callback URL.

I think those points are worth a discussion. Allowing localhost in general would make it easier for developers to use an existing Keycloak realm.
In my projects I usually create a local alias like dev.acme.local that points to 127.0.0.1 which is then rolled out to the developers' /etc/hosts files. This also allows the distribution of certificates to ease testing https locally (via https://dev.acme.local).

The second point about relaxing the ports in localhost URLs could be quite useful for desktop and CLI apps. Those apps might indeed open dynamic ports to accept an OIDC callback on random ephemeral ports due to port conflicts - I've seen that in several projects.
In order to allow that with the current Keycloak capabilities one needs to register a redirect URI like "http://127.0.0.1:*", which is not nice...

I think such relaxations could make sense, but instead of localhost I'd only allow them for 127.0.0.1, since "localhost" might resolve to other IPs in some setups.

Cheers,
Thomas

Ingo Bauersachs

Aug 23, 2021, 2:56:43 AM
to Keycloak Dev
Yes, localhost might resolve to something other than 127.0.0.1 (which would be rather bizarre though). But please consider that localhost is not just 127.0.0.1 but actually 127.0.0.0/8. I use that quite frequently to avoid port conflicts during development.

Cheers,

Ingo

Stian Thorgersen

Aug 23, 2021, 6:43:30 AM
to Thomas Darimont, Keycloak Dev
I'm not quite following what you're actually suggesting/proposing here then. Keycloak already supports both http://localhost and http://127.0.0.1 as "special URIs" that allow any port.

Thomas Darimont

Aug 23, 2021, 6:50:23 AM
to Stian Thorgersen, Keycloak Dev
> Keycloak already supports both http://localhost and http://127.0.0.1 as "special URIs" that allow any port.
Aha! I didn't know that the port is ignored for localhost/127.0.0.1 :)

So a client could register an allowed redirect_uri for http://127.0.0.1/callback and Keycloak would accept callbacks to http://127.0.0.1:8080/callback, http://127.0.0.1:1234/callback and so on? Cool!

Cheers,
Thomas
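The redirect-URI rules discussed in this thread, written out as a small validator (an added example, not Keycloak's own code): Stian's "safe redirect-uris" policy for what a client may register, and the matching of a requested redirect_uri against a registered one with the port ignored for loopback hosts. Assumptions: "wildcards only in the context-path" is read as a single trailing "/*" on the path, and, following Ingo's remark, any 127.0.0.0/8 literal is treated like 127.0.0.1 (Keycloak itself special-cases only localhost and 127.0.0.1).

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit


def is_loopback_host(host: str) -> bool:
    """'localhost' or any 127.0.0.0/8 literal. Assumption: the policy treats
    the whole loopback block like 127.0.0.1 (Ingo's point in the thread)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def is_safe_registered_uri(uri: str) -> bool:
    """Stian's proposed policy: no http://localhost, no plain http at all
    except http://127.0.0.1, no fragment, and a wildcard only as a single
    trailing '/*' on the path (assumed reading of 'context-path')."""
    p = urlsplit(uri)
    if p.scheme == "http":
        if p.hostname != "127.0.0.1":
            return False
    elif p.scheme != "https":
        return False
    if p.fragment or "*" in p.netloc or "*" in p.query:
        return False
    return "*" not in p.path or (p.path.endswith("/*") and p.path.count("*") == 1)


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Match a requested redirect_uri against a registered one: scheme, host
    and query must be identical; the port is ignored for loopback hosts (the
    'special URIs' behaviour Stian describes); a registered trailing '/*'
    accepts any normalised path under that prefix. Validate the registered
    URI first: reg.port raises ValueError on a non-numeric port like ':*'."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme != req.scheme or reg.hostname != req.hostname:
        return False
    if req.fragment or reg.query != req.query:
        return False
    if not is_loopback_host(reg.hostname or "") and reg.port != req.port:
        return False
    # Normalise so '/app/../admin' cannot slip past an '/app/*' prefix rule.
    req_path = posixpath.normpath(req.path) if req.path else "/"
    if reg.path.endswith("/*"):
        prefix = reg.path[:-2]
        return not prefix or req_path == prefix or req_path.startswith(prefix + "/")
    return req_path == (posixpath.normpath(reg.path) if reg.path else "/")
```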

Stian Thorgersen

Aug 23, 2021, 7:37:41 AM
to Thomas Darimont, Keycloak Dev
On Mon, 23 Aug 2021 at 12:50, Thomas Darimont <thomas....@googlemail.com> wrote:
> > Keycloak already supports both http://localhost and http://127.0.0.1 as "special URIs" that allow any port.
> Aha! I didn't know that the port is ignored for localhost/127.0.0.1 :)
>
> So a client could register an allowed redirect_uri for http://127.0.0.1/callback and Keycloak would accept callbacks to http://127.0.0.1:8080/callback, http://127.0.0.1:1234/callback and so on? Cool!

Yup, it was added in 12 or something like that.