Idea: Don't use widcards for valid redirect URIs of admin console and and account console

[jbman]

Clients which are pre-configured by Keycloak define valid redirect URIs using a wildcard (*).

For the master realm, the following redirect URIs are set:

account-console: /realms/master/account/*
account: /realms/master/account/*
security-admin-console: /admin/master/console/*

Recently some open redirect attacks were found and fixed, which could be applied when a wildcard was used. To protect against potential flaws in wildcard based URI validation, it would be good to switch to fixed redirect URIs for Keycloaks own clients:

/realms/master/account/
/admin/master/console/

Systems could be secured by just removing the wildcard, but that would break deep linking into admin console or account console.
To retain deep linking functionality, applications would need to store the target path locally related by state parameter ID and use only one fixed Redirect URI to receive the OAuth2 code.

Should we create two issues, one for security-admin-console and one for the account console clients, to get future versions of Keycloak more secure by default?

[danielFesenmeyer]

I think that makes sense.
For seamless integration into custom apps, it would be great to have this functionality in keycloak.js (or the planned alternative) - afaik keycloak.js is used by both security-admin-console and account console now.