iframe for frontend logout gets blocked if a custom CSP header is used #24568
Labels: area/core, kind/bug, priority/important, release/22.0.11, release/24.0.4, release/25.0.0, team/core-clients, team/rh-iam
Comments
Related issue: #14203
rmartinc added a commit to rmartinc/keycloak that referenced this issue (Nov 6, 2023)
stianst added the team/core-shared and team/core-clients labels and removed the team/core and team/core-shared labels (Feb 2, 2024)
keycloak-github-bot added the priority/important label and removed the action/priority-important label (Mar 1, 2024)
rmartinc added a commit to rmartinc/keycloak that referenced this issue (Apr 5, 2024)
rmartinc added a commit to rmartinc/keycloak that referenced this issue (Apr 5, 2024)
rmartinc added a commit to rmartinc/keycloak that referenced this issue (Apr 5, 2024)
Closes keycloak#24568 Signed-off-by: rmartinc <rmartinc@redhat.com>
mposolda pushed a commit that referenced this issue (Apr 8, 2024)
Closes #24568 Signed-off-by: rmartinc <rmartinc@redhat.com>
rmartinc added a commit to rmartinc/keycloak that referenced this issue (Apr 17, 2024)
Closes keycloak#24568 Signed-off-by: rmartinc <rmartinc@redhat.com> (cherry picked from commit 2b769e5)
rmartinc added a commit to rmartinc/keycloak that referenced this issue (Apr 17, 2024)
Closes keycloak#24568 Signed-off-by: rmartinc <rmartinc@redhat.com> (cherry picked from commit 2b769e5)
This was referenced Apr 18, 2024
Area
core

Describe the bug
When front-channel logout is configured for an OIDC client, the logout is performed using an iframe to call the client front-channel URL. For example in my sample client:

The CSP header by default is modified to allow the client URL in the iframe, adding the hostname of the client backchannel URL to the `frame-src` policy. In my sample:

If a custom CSP header is configured in the realm, the `frame-src` is not modified and therefore the iframe is not called because it's not allowed. For example, if I change my realm `Realm Settings -> Security Defenses -> Content-Security-Policy` to `frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';`, I'm just adding the `style-src` directive to the default CSP value, but now the CSP received by the browser is:

And the backchannel URL is not called because it's not allowed by the CSP. So the client is not logged out.

Version
22.0.5

Expected behavior
I think we need a more intelligent design of the CSP header. I would do the following:
- Handle `frame-src` and `frame-ancestors` independently of the other directives.
- `frame-src`: add the hostnames needed to the current value defined by the realm (by default it would be `'self'` and transformed to `'self' hostname1 hostname2...`).
- `frame-ancestors`: remove the directive if and only if the default `'self'` is in place. This modification is needed for the login iframe used by the JS adapter. If the administrator has modified the `frame-ancestors` it will be respected and not modified.

Actual behavior
If the CSP header is customized at realm level, the modifications for `frame-src` and `frame-ancestors` are just not done. The logout or the iframe for login won't work.

How to Reproduce?
`frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';`.

Anything else?
No response
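The directive-level handling the report asks for, written out as an added Python example (this is not Keycloak's code and does not mirror its Java implementation). `legacy_apply` reproduces the reported behaviour, where the realm value is only rewritten while it is still the built-in default, and `fixed_apply` adjusts `frame-src` and `frame-ancestors` on their own regardless of the other directives. `frame_src_allows` is the check an operator can run against the header the browser actually receives. Assumptions: a realm value with no `frame-src` at all starts from `'self'`; source matching is reduced to an exact hostname token or `*`; the client host `client.example` is a constructed sample.

```python
from __future__ import annotations

# Built-in default value the issue quotes for the realm's Content-Security-Policy header.
DEFAULT_CSP = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a CSP value into an ordered mapping of directive name -> source list.

    Directive names are case-insensitive, so they are lower-cased; source
    expressions are kept exactly as written.  Browsers ignore a repeated
    directive, so only the first occurrence is kept.
    """
    directives: dict[str, list[str]] = {}
    for raw in csp.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def serialize_csp(directives: dict[str, list[str]]) -> str:
    """Rebuild the header value, one 'name sources;' entry per directive, in order."""
    return " ".join(
        f"{name} {' '.join(sources)}".rstrip() + ";" for name, sources in directives.items()
    )


def fixed_apply(csp: str, frame_src_hosts: list[str], allow_embedding: bool = False) -> str:
    """Behaviour the issue asks for: adjust frame-src and frame-ancestors on their own.

    - frame-src: append every hostname that is not already listed.  If the realm
      value has no frame-src at all, this example starts from the default 'self'
      (an assumption; the issue only describes the default case).
    - frame-ancestors: when the response is meant to be embedded (the login
      status iframe used by the JS adapter), drop the directive only if it is
      exactly the default 'self'; an administrator-chosen value stays untouched.
    """
    directives = parse_csp(csp)
    if frame_src_hosts:
        current = directives.setdefault("frame-src", ["'self'"])
        for host in frame_src_hosts:
            if host not in current:
                current.append(host)
    if allow_embedding and directives.get("frame-ancestors") == ["'self'"]:
        del directives["frame-ancestors"]
    return serialize_csp(directives)


def legacy_apply(csp: str, frame_src_hosts: list[str], allow_embedding: bool = False) -> str:
    """Behaviour reported in the issue (the bug): the adjustments are only made
    while the realm still uses the built-in default; any customised value, even
    one that merely adds style-src, is sent to the browser unchanged."""
    if csp.strip() != DEFAULT_CSP:
        return csp
    return fixed_apply(csp, frame_src_hosts, allow_embedding)


def frame_src_allows(csp: str, host: str) -> bool:
    """Check whether the effective frame-src list permits an iframe to HOST.

    Follows the spec fallback chain frame-src -> child-src -> default-src.
    Matching is deliberately simplified to an exact host token or '*';
    scheme, port and wildcard-subdomain source forms are not handled here.
    """
    directives = parse_csp(csp)
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return any(src in (host, "*") for src in directives[name])
    return True  # no governing directive: CSP places no restriction on frame sources


if __name__ == "__main__":
    # Constructed sample: the custom realm CSP from the issue plus a made-up client host.
    custom = "frame-src 'self'; frame-ancestors 'self'; object-src 'none'; style-src 'self';"
    client = "client.example"
    for label, fn in (("legacy", legacy_apply), ("fixed", fixed_apply)):
        header = fn(custom, [client])
        print(f"{label}: {header}")
        print(f"  front-channel logout iframe to {client} allowed: {frame_src_allows(header, client)}")
    print("login iframe:", fixed_apply(custom, [], allow_embedding=True))
```

Running it shows the two outcomes side by side: with the legacy rule the customised header still reads `frame-src 'self'` and the logout iframe is blocked, while the directive-level rule yields `frame-src 'self' client.example` and leaves `style-src` and the administrator's `frame-ancestors` exactly as configured. Applying `fixed_apply` twice does not duplicate the hostname, which matters when the header is rebuilt on every response.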