-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins) #25544
Comments
The reason for this is that people should actually not use the '+' to just use the 'redirect_uri' also for post logout (this was the old behaviour when 'post_logout_redirect_uris' could not be specified). The intention is that people should rather specify their post logout uri's explicitely. The '+' was mostly added to stay compatible using a migration. I could imagine that the '+' goes away at some point. So I am not sure this change is a good idea as it basically means the '+' will stay. |
@sschu I understand your point. But TBH I don't think that I can imagine we can improve with client policies to allow more strict validations for redirect uris and post logout redirect uris (Like support for disallow using any wildcards or So for me, the changes in the PR looks acceptable as of now? |
@mposolda Also fine for me. I will also try to find out whether we still need these legacy switches. |
…RIs and merge with existing post logout redirect URIs Closes keycloak#25544 Signed-off-by: Joshua Sorah <jsorah@redhat.com>
@sschu Cool, Thanks! |
…RIs and merge with existing post logout redirect URIs Closes #25544 Signed-off-by: Joshua Sorah <jsorah@redhat.com>
…RIs and merge with existing post logout redirect URIs Closes keycloak#25544 Signed-off-by: Joshua Sorah <jsorah@redhat.com> Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
Before reporting an issue
Area
oidc
Describe the bug
Post Logout URIs can be defined in the Admin Console. For "legacy" Keycloak installations when they are migrated, the default value is "+".
As a consumer using a legacy installation that was migrated, I saw "+" in the Post Logout Redirect URI list and assumed it worked much like the Web Origins, where I could add additional values and the "+" list would be expanded and include my additional values. My natural feeling then was to just add my "post logout" URI and keep the "+".
However, in this case, the "+" is treated specially - it must be the first in the list and it does not expand the list of redirect URIs to include any additional added. To my surprise, "+" means that regardless of any other value in the Post Logout Redirect URI list, it will ONLY return the values in the Redirect URIs for the client. This is unexpected behavior compared to other existing features using the "+" nomenclature.
Version
latest 23.x branch
Expected behavior
"+" in Post Logout Redirect URIs is treated similarly to other areas (e.g. Web Origins) where it is expanded and includes any new, distinct entities and that it doesn't matter where in the list of Post Logout Redirect URIs where the "+" is. Additional definitions of "+" should likely be ignored.
For example:
Scenario 1:
Actual behavior
Scenario 1:
Receive Invalid redirect uri page when using the additional post logout redirect URI in an OIDC logout request.
e.g.
http://localhost:8080/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri=https://someother.foo.example.com&client_id=my-client
Scenario 2:
Receive Invalid redirect uri page when using the additional post logout redirect URI in an OIDC logout request.
e.g.
http://localhost:8080/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri=https://someother.foo.example.com&client_id=my-client
How to Reproduce?
my-client
in a realm (e.g.master
), you could just usehttp://localhost:8080
as the initial redirect URI - actual value doesn't matter.+
as a post logout redirect URI to the clienthttps://www.google.com
as a post logout redirect URI to the clienthttp://${HOST_AND_PORT}/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri=https://www.google.com&client_id=my-client
Anything else?
There is likely some history as part of #14884 around the particular decisions in this endpoint, but I don't see a particular reason why "+" could not be expanded and act more similarly to the "Web Origins" behavior.
The "-" behavior would be somewhat ambiguous - I'm not sure if there would be expectation that
-
could be added anywhere in the list to negate any additions, and maybe that should take precedence ?The text was updated successfully, but these errors were encountered: