Access variables in the "Valid Redirect URIs" instead of domain-name

In the client configuration, is it possible to access the declared “Root URL” in the “Valid Redirect URIs”?

In the “Root URL” field it is possible to use the variable ${authBaseUrl}, but if I want to do something like ${authBaseUrl}/../* in the “Valid Redirect URIs” I get an error: A redirect URI is not a valid URI

Accessing the Root URL would be great because it would reduce problems during e.g.

  • moving the application to a different domain
  • deploying the same application in different environments / domains

You don’t need to use Root URL at all. You can use absolute URLs in Redirect URIs:


This should cover your mentioned use cases, without any Root URL hacking.

That is what I try to prevent; I don’t want to declare the actual domain name.
Since Keycloak knows its domain, I would like to use this domain in the “Valid Redirect URIs”.

Example:
Keycloak: https://example.com/auth
Application: https://example.com
The “Valid Redirect URIs” I want to end up with is: https://example.com/*
But instead of using a domain name I want to use a variable, which makes the whole configuration more flexible for moving and copying:
I would like to declare something like: ${Keycloak-URL}/…/*

Keycloak knows only a URI (protocol://domain/path), not a domain. And it looks like you want to use path traversal to bypass that /path.

I would say it will be a security problem if path traversal (../) is allowed in the redirect URI: Path Traversal | OWASP Foundation
I can imagine real attack scenarios, especially when you are running the IdP on the same domain as the app with a wildcard at the end of the redirect URI.
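To make the concern above concrete, here is an added example (not code from the thread or from Keycloak) of how a redirect_uri allow-list check of the same shape as “Valid Redirect URIs” can be written so that a `../` in either the pattern or the incoming URI is refused before any wildcard matching happens. The `expand_allowlist` helper and the `${authOrigin}` placeholder are hypothetical: they show how deployment tooling could give the original poster a domain-independent `https://example.com/*` without traversing out of the IdP path, and are not a Keycloak feature.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list in the style of Keycloak's "Valid Redirect URIs":
# a trailing '*' permits any suffix, anything else must match exactly.
VALID_REDIRECT_URIS = ["https://example.com/*", "https://example.com/sso/login"]


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' (also catches %2e-encoded dots)."""
    decoded = path.lower().replace("%2e", ".")
    return any(seg == ".." for seg in decoded.split("/"))


def matches_pattern(redirect_uri: str, pattern: str) -> bool:
    """Scheme and host must equal the pattern's; '*' only widens the path."""
    r, p = urlsplit(redirect_uri), urlsplit(pattern)
    if r.scheme != p.scheme or r.netloc.lower() != p.netloc.lower():
        return False
    if p.path.endswith("*"):
        return r.path.startswith(p.path[:-1])
    return r.path == p.path and r.query == p.query


def is_valid_redirect(redirect_uri: str, allowed=VALID_REDIRECT_URIS) -> bool:
    """Reject malformed, fragment-bearing or traversing URIs before matching."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.fragment:  # OAuth 2.0 redirect URIs must not carry a fragment
        return False
    if has_traversal(parts.path):  # '..' would let a '/*' entry reach outside its prefix
        return False
    return any(matches_pattern(redirect_uri, pat) for pat in allowed)


def expand_allowlist(patterns, auth_base_url: str) -> list:
    """Hypothetical deployment-time helper (not a Keycloak feature): render
    '${authBaseUrl}' and '${authOrigin}' (scheme://host of the IdP) into the
    client's allow-list, refusing patterns that rely on '..' to climb out."""
    base = urlsplit(auth_base_url)
    origin = f"{base.scheme}://{base.netloc}"
    out = []
    for pat in patterns:
        expanded = pat.replace("${authOrigin}", origin)
        expanded = expanded.replace("${authBaseUrl}", auth_base_url.rstrip("/"))
        if has_traversal(urlsplit(expanded).path):
            raise ValueError(f"refusing traversal in redirect pattern: {pat}")
        out.append(expanded)
    return out
```

Running the generated list through `is_valid_redirect` at login time gives the same accept/reject outcome for `https://example.com/sso/login` and `https://example.com/login` as the wildcard entry discussed in this thread, while `..` is never matched as part of a prefix.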

The redirect-uri passed from the application could be e.g.
redirect_uri=https://example.com/sso/login
or
redirect_uri=https://example.com/login
or some other starting with
https://example.com/

According to documentation using a wildcard in “Valid Redirect URIs” like https://example.com/* is legit.

What I try to do is to configure a variable in “Valid Redirect URIs” like ${Keycloak-URL}/…/* or some other variable which Keycloak will resolve while validating the redirect URL.
So in validation ${Keycloak-URL}/…/* will end up in https://example.com/*.
Nothing to do with “Path Traversal” and the corresponding attacks.

In “Root URL” I’m able to use a variable like ${authBaseUrl} but I can’t use it in “Valid Redirect URIs”. So what I’m asking is, is it possible to use other variables or is there another approach?

Hello @flaviodonze did you find any variable or any other approach for your issue?

Hi kir, sorry, I didn’t find a solution.