Access variables in the "Valid Redirect URIs" instead of domain-name

In the client configuration, is it possible to access the declared “Root URL” in the “Valid Redirect URIs”?

In the “Root URL” field it is possible to use the variable ${authBaseUrl}, but if I want to do something like ${authBaseUrl}/../* in the “Valid Redirect URIs” I get an error: A redirect URI is not a valid URI

Accessing the Root URL would be great because it would reduce problems during e.g.

  • moving the application to different domain
  • deploying same application in different environments / domains

You don’t need to use Root URL at all. You can use absolute URLs in Redirect URIs:

This should cover your mentioned use cases, without any Root URL hacking.

That is what I try to prevent, I don’t want to declare the actual domainname.
Since Keycloak knows it’s domain I would like to use this domain in the “Valid Redirect URIs”.

The “Valid Redirect URIs” I want to end up with is:*
But instead of using a domainname I want to use a variable which makes the whole configuration more flexible for moving and copying:
I would like to declare something like: ${Keycloak-URL}/…/*

Keycloak knows only URI (protocol://domain/path), not a domain. And it looks like you want to have path traversing to bypass that /path.

I would say it will be a security problem if path traversing ../ is allowed in the redirect URI: Path Traversal | OWASP Foundation
I can imagine real attack scenarios, especially when you are running IDP on the same domain as app with wildchar at the end of redirect URI.

The redirect-uri passed from the application could be e.g.
or some other starting with

According to documentation using a wildcard in “Valid Redirect URIs” like* is legit.

What I try to do is to configure a variable in “Valid Redirect URIs” like ${Keycloak-URL}/…/* or some other variable which keycloak will resolve during validating the redirect URL.
So in validation ${Keycloak-URL}/…/* will end up in*.
Nothing to do with “Path Traversal” and according attacks.

In “Root URL” I’m able to use a variable like ${authBaseUrl} but I can’t use it in “Valid Redirect URIs”. So what I’m asking is, is it possible to use other variables or is there another approach?

Hello @flaviodonze did you find any variable or any other approach for your issue?

Hi kir, sorry didn’t find a solution.