Valid Redirect URIs for dynamic URLs


Mark Lyck

Jan 27, 2021, 6:02:21 PM
to Keycloak User
I'm setting up CI/CD to automatically deploy my application to a preview URL using vercel.com.

These preview URLs are generated with a random string on every commit.

In Keycloak, if I add the entire string, e.g. "https://c1-frontend-v4-dynamic-code.preview.vercel.app/",

I can log in through Keycloak fine. But no matter what I try I cannot get any wildcards to work...

I have tried:
 - `https://*.vercel.app/`
 - `https://*.vercel.app/*`
 - `https://*.vercel.app`
 - `*`
 - `+`
 - `/*`
 - `https://*`
 - `www.*`

After giving up, assuming it is some bug in Keycloak, I discovered the docs...

> Valid Redirect URIs
> This is a required field. Enter in a URL pattern and click the + sign
> to add. Click the - sign next to URLs you want to remove. Remember
> that you still have to click the Save button! Wildcards (*) are only
> allowed at the end of a URI, i.e. http://host.com/*
> You should take extra precautions when registering valid redirect URI
> patterns. If you make them too general you are vulnerable to attacks.
> See Threat Model Mitigation chapter for more information.

🤦‍♂️🤯... 

Surely there *must* be a way to allow login from dynamically generated URLs for preview deployments?

This is a blocker for us using keycloak :(

Anyone know how to solve this, or if this is actually intentional where in the code we can change this in a fork?

Thanks,
Mark

Thomas Darimont

Jan 28, 2021, 2:20:00 AM
to Mark Lyck, Keycloak User
Hello Mark,

The redirect URI wildcard limitation is by design, as the OAuth spec recommends using explicit redirect URIs.

See here: 

I agree with you that the redirect uri checking could be enhanced, as it is a common requirement to support dynamic subdomains, especially in CI/CD environments.

In your case https://* should work as redirect uri but is not recommended, as this would allow any https url to be used as redirect uri...
Another option could be to use the Keycloak Admin REST api or kcadm.sh tool to dynamically add the required redirect uri to the appropriate client configuration.

If you want to adjust the redirect uri check yourself, you can try to adapt the validation logic here:


You should be careful to only allow a wildcard in the subdomain part, but this might be difficult to get right, as there are many ways to write (confusing) URLs. Again take a look at the oauth security best current practices.

HTH, Cheers,
Thomas 
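A check of the kind Thomas describes, added here as an illustration rather than Keycloak's own validation code: it accepts only https URLs whose host is exactly one DNS label under an allowed parent domain, deciding on the parsed hostname instead of a string prefix. `ALLOWED_PARENT` is an assumed value standing in for the CI preview parent domain.

```python
# Added example, not Keycloak code: strict "one label under an allowed parent" check.
from urllib.parse import urlsplit

ALLOWED_PARENT = "preview.vercel.app"  # assumption, not taken from any real configuration
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")  # what a DNS label may contain


def is_allowed_preview_redirect(uri: str, parent: str = ALLOWED_PARENT) -> bool:
    """Accept only https://<single-label>.<parent>/<path>?<query> and nothing else."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # A redirect URI has no business carrying userinfo or an explicit port; both let a
    # naive prefix comparison see one host while the browser actually uses another.
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    # RFC 6749 section 3.1.2: the redirection endpoint URI must not contain a fragment.
    if "#" in uri:
        return False
    host = (parts.hostname or "").lower()
    suffix = "." + parent.lower()
    if not host.endswith(suffix):
        return False
    # Exactly one label between the scheme and the parent: the bare parent, nested
    # subdomains, empty labels and non-DNS characters are all rejected.
    label = host[: -len(suffix)]
    return bool(label) and all(c in LABEL_CHARS for c in label)
```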


--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/6f0ec01f-518a-4eb5-9c5a-4fbddd4c7158n%40googlegroups.com.

Thomas Darimont

Jan 28, 2021, 2:23:10 AM
to Mark Lyck, Keycloak User
... if your app is a SPA, you might need to configure the allowed web-origins for your client as: +

+ Allows any origin that is also part of a valid redirect uri.

Cheers,
Thomas

Mark Lyck

Jan 28, 2021, 6:45:42 AM
to Thomas Darimont, keyclo...@googlegroups.com
Hi Thomas!

Thanks for the quick reply!

I completely understand the restriction for production applications. In our case it's a Keycloak & realm specifically set up for testing, so there are no security concerns regarding redirect URIs (if I could just turn them off I would).

I tried using `https://*` as well, but that doesn't seem to work either. :(
(my allowed web-origins has a "+")

Reminder: if I add the complete URL to the redirect URIs and click save it starts working instantly. So I know the changes I'm making are taking effect.

Thank you so much for pointing to the piece of code that handles it. But is our only option really to fork keycloak and spin up a custom version to use a dynamic preview URL in a test realm?

Alternatively is there a way to disable redirect URLs completely for a specific realm?

Best.
Mark

Garth

Jan 28, 2021, 12:34:41 PM
to 'Thomas Darimont' via Keycloak User
I've done a similar thing to what Thomas suggested for a customer with a similar need. On deploy of their app to Vercel, they needed to update the redirect URIs in one of their Keycloak Realm Clients. I built a step in their CI/CD pipeline to call the Keycloak Admin REST API from a service account once their app was deployed successfully and I had a new hostname.

The steps were basically:

1) get a token for the service account:
```
curl --location --request POST 'http://<host>/auth/realms/<realm>/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>' \
--data-urlencode 'grant_type=client_credentials'
```

2) get the client object I want to change:
```
curl 'http://<host>/auth/admin/realms/<realm>/clients/<client_id>' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <token_from_step_1>'
```

3) take the returned JSON object and update the `redirectUris` array to remove the old and add the new hostnames

4) put the client object back with the updated URIs:
```
curl 'http://<host>/auth/admin/realms/<realm>/clients/<client_id>' \
-X 'PUT' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <token_from_step_1>' \
--data-binary '<updated_json_from_steps_2_and_3>'
```

Hope that helps,
Garth
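The four steps above as one small CI script, added here as an illustration rather than Garth's or the Keycloak project's own code; it calls the same Admin REST API endpoints the post shows. The base URL (including the `/auth` prefix as in the post), realm, service-account credentials and preview suffix are placeholders supplied by the caller, and the client path takes the client's internal UUID rather than its clientId.

```python
# Added example, not the poster's or Keycloak's code: steps 1 to 4 as functions.
import json
import urllib.parse
import urllib.request


def get_token(base, realm, client_id, client_secret):
    """Step 1: client_credentials grant for the CI service-account client."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(f"{base}/realms/{realm}/protocol/openid-connect/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_client(base, realm, client_uuid, token):
    """Step 2: fetch the client representation by its internal id (the UUID, not clientId)."""
    req = urllib.request.Request(f"{base}/admin/realms/{realm}/clients/{client_uuid}",
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rotate_preview_uris(client_repr, new_uri, preview_suffix):
    """Step 3: drop stale preview URIs under preview_suffix, keep all others, add the new exact URI."""
    if "*" in new_uri:
        raise ValueError("register the exact preview URL, never a wildcard")

    def is_preview(uri):
        host = urllib.parse.urlsplit(uri).hostname or ""
        return host.endswith("." + preview_suffix)

    updated = dict(client_repr)  # shallow copy so the fetched object is left untouched
    kept = [u for u in client_repr.get("redirectUris", []) if not is_preview(u)]
    updated["redirectUris"] = kept + [new_uri]
    return updated


def put_client(base, realm, client_uuid, token, client_repr):
    """Step 4: write the whole representation back; expect 204 No Content on success."""
    req = urllib.request.Request(f"{base}/admin/realms/{realm}/clients/{client_uuid}", method="PUT",
                                 data=json.dumps(client_repr).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def rotate_in_keycloak(base, realm, client_uuid, sa_client_id, sa_secret, new_uri, preview_suffix):
    """Steps 1 to 4 end to end, as a CI job would call it after a successful deploy."""
    token = get_token(base, realm, sa_client_id, sa_secret)
    current = get_client(base, realm, client_uuid, token)
    return put_client(base, realm, client_uuid, token, rotate_preview_uris(current, new_uri, preview_suffix))
```

If several branches keep live previews at the same time, filter on the branch's own hostname instead of the whole suffix so one deploy does not remove another branch's URI.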