Is there any way I can redirect to login page without showing the query string?

Hi,

Currently I’m testing oidc client using java.
I tested (1) java login page > (2) redirect to keycloak login page > (3) user enters correct ID/PW > (4) redirect to java main page flow.
For the 2nd step, I use “<KEYCLOAK_URL>/…/auth?client_id=…code…” url for redirection.
But users can see the whole query string on the browser url tab.
Is there any way I can hide the query string?

I don’t believe there is a way to do the OIDC browser flow without redirecting the user to the url without the query parameters.

If this is a security concern, you should be fine, as this is part of the protocol and deemed secure to be shown.

You can add response_mode=form_post

Thank you for the replies!

Yes, I asked it due to the security concern. Indeed it’s just a part of the authentication, but I want to hide all the info just in case, if it’s possible.

Setting the response mode affects how it returns me the parameters (code, state and session state) after the login, not the login url I redirect to, right?
Still, it’s better to be hidden; I’ll try it!

Hey,
What is your concern here?
I’m really just curious to hear what you are afraid of.
Either way, even if the params are not sent as query params, as the request itself comes from the browser of the end user, he could see all the params in the devtools.

Oh, I didn’t know that even post parameters can be seen using devtools!
Thank you for letting me know.
Then query form / post form wouldn’t really matter anyway.

Yeah.

You should be fine UNLESS you are yourself setting any sensitive query parameter on the redirect_uri.

If that’s the case (you’ll need to pass some sensitive information from the anonymous part of the app to the secured part), you’ll need a way to share information between those two parts not relying on query parameters.

I advise against storing sensitive information on query params: web application - Should sensitive data ever be passed in the query string? - Information Security Stack Exchange

Note that if you follow the OIDC protocol, you should be fine.
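To make the advice in this thread concrete, here is an added example (not code from any poster, and not Keycloak's or any Java client library's own code) in Python that builds the step (2) authorization request and handles the step (4) callback. It shows that every parameter in the visible URL (client_id, state, nonce, PKCE challenge) is public by design, that `response_mode=form_post` only changes how the code and state come back and is verified identically, and that the one thing to actually guard against is the app itself putting sensitive data on the `redirect_uri`. The endpoint, client id, redirect URI and the `SENSITIVE_KEYS` denylist are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder endpoint and client settings; substitute your own realm/client.
AUTH_ENDPOINT = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "java-app"
REDIRECT_URI = "https://app.example/callback"

# Hypothetical denylist of application parameter names that must never ride on the
# redirect_uri: anything there ends up in browser history, proxy logs and devtools.
SENSITIVE_KEYS = {"password", "pwd", "token", "secret", "ssn", "apikey"}


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge). The challenge is safe to expose
    in the URL; only the verifier, which stays server-side, can redeem the code."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def sensitive_params_in_redirect_uri(uri):
    """List query keys on redirect_uri that would leak application data."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_KEYS)


def build_authorization_request(session, response_mode="query", redirect_uri=REDIRECT_URI):
    """Step (2): the URL the app redirects the browser to. Every parameter here is
    visible to the user by design; the secrets (PKCE verifier, expected state)
    stay in the server-side session dict, never in the URL."""
    leaked = sensitive_params_in_redirect_uri(redirect_uri)
    if leaked:
        raise ValueError(f"redirect_uri carries sensitive params: {leaked}")
    state = secrets.token_urlsafe(32)   # CSRF binding, checked on return
    nonce = secrets.token_urlsafe(32)   # echoed inside the ID token
    verifier, challenge = make_pkce_pair()
    session.update(state=state, nonce=nonce, pkce_verifier=verifier)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if response_mode != "query":
        params["response_mode"] = response_mode  # e.g. "form_post"
    return AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Single-valued view of a URL's query string, for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(session, params):
    """Step (4): params is the dict parsed from the callback's query string
    (response_mode=query) or from the POST body (response_mode=form_post); the
    checks are the same either way. Returns (code, pkce_verifier) for the
    back-channel token request, which is where the secret material is used."""
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    expected = session.pop("state", None)
    if not expected or not secrets.compare_digest(expected, params.get("state", "")):
        raise ValueError("state mismatch: response not bound to this login attempt")
    if "code" not in params:
        raise ValueError("callback without authorization code")
    return params["code"], session.pop("pkce_verifier")


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session, response_mode="form_post"))
```

Running the block prints an authorization URL in which nothing secret appears: the code verifier and the expected state live only in `session`, and the authorization code that comes back is single-use and worthless without that verifier, which is why the protocol treats the visible parameters as safe.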

Great!
I’m following the OIDC protocol, not sending any other custom (sensitive) parameters.
Thank you so much for your help!