How to handle redirect_uri with exact string matching in 24.0.3?


Moritz Schmitz von Hülst

Apr 30, 2024, 2:48:00 AM4/30/24
to Keycloak User
Hi everyone,

With 24.0.3, `redirect_uri`s now require an exact match. For example `https://webpage.io/*` is not allowed anymore, only `https://webpage.io/`.

Now I was wondering how to handle UI flows with this. Take this flow:
1. User logs in and is being redirected to webapp.
2. User then navigates to some other page `https://webpage.io/account/me`.
3. Now the session expires and the `refresh_token` is also expired.
4. The `keycloak-js` adapter sees the invalid session, saves the current location, navigates the user to the login page and sets `redirect_uri` to the previously visited page: `?redirect_uri=https://webpage.io/account/me`.
5. User logs in again and is redirected back to `https://webpage.io/account/me`.

Before 24.0.3 this was simple by setting the `redirect_uri` to `https://webpage.io/*`, but now it requires adding a `redirect_uri` of `https://webpage.io/account/me` to work.

How should this be handled now? Do we need to add every single path as valid `redirect_uri`?

Probably we can solve this by writing some custom code to do this, but is there any best practice in regards to Keycloak and the Keycloak JS adapter?
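One way to handle the flow in the question without registering every path, as an added example that is not part of this thread and not code from the Keycloak project: register a single exact redirect URI (assumed here to be `https://webpage.io/auth/callback`), always send that as `redirect_uri`, and carry the page the user was on through `sessionStorage` so the callback page can restore it. The helper names, the `/auth/callback` path and the `kc.returnTo` storage key are assumptions for this example. `keycloak-js` is not imported so the file runs in plain Node; in the browser `kc` would be `new Keycloak({...})` from `keycloak-js`, and only its documented `login()`, `init()`, `updateToken()`, `onTokenExpired` and `onAuthRefreshError` members are used.

```javascript
// Added example (not from the thread, not Keycloak project code).
// Assumption: the client has exactly one registered redirect URI,
// https://webpage.io/auth/callback, and the SPA serves that path.
const RETURN_KEY = "kc.returnTo";      // assumed sessionStorage key
const CALLBACK_PATH = "/auth/callback"; // assumed registered callback path

// Build the options for kc.login(): the fixed redirectUri plus a saved
// same-origin location. Only path+query+hash is stored, never a full URL,
// so a later restore cannot leave this origin.
function prepareLogin(currentHref, storage) {
  const here = new URL(currentHref);
  storage.setItem(RETURN_KEY, here.pathname + here.search + here.hash);
  return { redirectUri: here.origin + CALLBACK_PATH };
}

// Read and clear the saved location. The stored value is treated as
// untrusted: accept only an absolute path that is not protocol-relative
// ("//host") or its backslash variant ("/\host"), otherwise fall back to "/".
function consumeReturnTo(storage) {
  const saved = storage.getItem(RETURN_KEY);
  storage.removeItem(RETURN_KEY);
  if (typeof saved !== "string" || !/^\/(?![\/\\])/.test(saved)) return "/";
  return saved;
}

// Hook the adapter: on token expiry try a silent refresh first; when the
// refresh token is gone as well (steps 3 and 4 of the flow), go to login
// with the fixed redirect_uri. Returns the login trigger for reuse.
function installSessionHandling(kc, win, storage) {
  const toLogin = () => kc.login(prepareLogin(win.location.href, storage));
  kc.onTokenExpired = () => {
    kc.updateToken(30).catch(toLogin);
  };
  kc.onAuthRefreshError = toLogin;
  return toLogin;
}

// Callback page: let keycloak-js process the authorization response via
// init(), then leave /auth/callback for the page saved before login.
function finishCallback(kc, win, storage) {
  return kc
    .init({ onLoad: "login-required", redirectUri: win.location.origin + CALLBACK_PATH })
    .then((authenticated) => {
      if (!authenticated) return null;
      const target = consumeReturnTo(storage);
      win.location.replace(target);
      return target;
    });
}
```

With this pattern the registered `redirect_uri` never changes, so exact matching in 24.0.3 costs nothing; the only state that varies per login is the path kept in the browser's own storage, which is validated again before it is used.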

D

May 3, 2024, 1:38:49 AM5/3/24
to Keycloak User
Hi Moritz,

I saw your question regarding the changes in Keycloak version 24.0.3 around redirect URIs. The documentation does seem confusing, but here are a few key points:

  1. Exact Matching: The guide mentions that redirect URIs need an exact string match when they contain a userinfo part or "access a parent directory" (e.g., /../).

  2. Wildcard Usage: This suggests wildcards might still be usable in other cases, such as when the URI doesn't contain a userinfo part or access a parent directory.

  3. Documentation: The terminology around "accessing a parent directory" is confusing, as we don't typically think of URL paths in this way. This makes the change feel more opaque. Given the ambiguity, I share your confusion. Reaching out to the maintainers or testing thoroughly in your environment might be necessary.

I hope this helps somewhat.

David
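To make the two constructs named in the reply above concrete, here is an added example that is not part of this thread and not Keycloak's matching code: a small `redirect_uri` matcher in two variants. `naiveMatch` is a deliberately weak raw-string prefix check, included only for contrast; `strictMatch` parses the candidate first, refuses any userinfo part and any `..` path segment, and otherwise requires the normalized URL to match exactly (a `/*` suffix is honoured only as a same-origin path prefix). The registered patterns and candidate URLs are constructed for this demo, and the sloppy `https://webpage.io*` registration is there only to show what a userinfo part does to prefix matching in general.

```javascript
// Added example, not Keycloak's implementation. Shows why a registered
// wildcard is riskier than an exact string when candidates may carry
// userinfo ("user@host") or parent-directory segments ("/../").

// Naive: a trailing '*' means "anything may follow"; raw strings are compared.
function naiveMatch(registered, candidate) {
  return registered.some((r) =>
    r.endsWith("*") ? candidate.startsWith(r.slice(0, -1)) : candidate === r
  );
}

// Conservative raw check for "..", including the percent-encoded forms,
// done on the unparsed string because the URL parser resolves ".." away.
const PARENT_SEGMENT = /(^|[\/\\])(\.\.|%2e%2e|%2e\.|\.%2e)([\/\\?#]|$)/i;

// Hardened: parse, refuse userinfo and "..", then compare normalized URLs.
// A pattern ending in "/*" matches by prefix only within the same origin;
// every other pattern must match exactly after normalization.
function strictMatch(registered, candidate) {
  let u;
  try {
    u = new URL(candidate);
  } catch {
    return false;
  }
  if (u.username !== "" || u.password !== "") return false; // userinfo present
  if (PARENT_SEGMENT.test(candidate)) return false;         // parent-directory segment
  return registered.some((r) => {
    try {
      if (r.endsWith("/*")) {
        const prefix = r.slice(0, -1); // keep the trailing slash
        return u.origin === new URL(prefix).origin && u.href.startsWith(prefix);
      }
      return u.href === new URL(r).href;
    } catch {
      return false; // unparsable registration never matches
    }
  });
}
```

Run against constructed inputs, the naive matcher accepts `https://webpage.io/account/../../admin` for the pattern `https://webpage.io/account/*` (the path escapes the intended prefix on the same origin) and accepts `https://webpage.io@attacker.example/` for the sloppy pattern `https://webpage.io*` (the registered host becomes the userinfo part and the browser goes to `attacker.example`); the strict matcher rejects both while still accepting `https://webpage.io/account/me`.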
