I am new and still learning my way around OIDC, but I am setting up Keycloak for the first time for use with an Angular/.Net API app provided by a third party… so using an adapter is not possible as I don’t control their code.
During setup, I ran into a problem with CORS and tried simply adding the app’s URL to the client’s “Web Origins” field, but that failed. After reading in the docs that the field was only meant for adapters, I thought it was game over, but I then used “+” per the tooltip and it works. The “Valid Redirect URIs” field is simply set to the app’s base URL appended with the wildcard (e.g. http://example.com/approot/*). Based on what I’ve read so far, I believe this is correct and secure, but I wanted to run this by folks with more experience.