I’d like to ask a few questions about settings I mentioned in title. I already spent some time reading documentation of Keycloak, but it looks like I’m doing mistake somewhere and I’m not able to identify where. So maybe some will be more experienced with Keycloak settings and could help me with it.
1. Valid Redirect URIs
I have one web application - hxxps://wh33zy.website.com with the standard login process taken care of by Keycloak.
It means something like this: hxxp://wh33zy.website.com/auth/realms/wh33zy/protocol/openid-connect/auth?response_type=code&cliend_id=wheezy-webapp&redirect_uri=https://wh33zy.website.com/blahblah[…]
From the security reasons I want to set redirects after successful login and logout only in the context of hxxps://wh33zy.website.com/* so from this reason my Valid Redirect URIs settings in admin console for Client “wheezy-webapp” looks likes this:
Valid Redirect URIs: https://wh33zy.website.com/*
Now, if I will intercept request during login process and replace redirect_uri parameter for https://google.com, request will fail. That’s good. If I will do the same during logout process - logout?redirect_uri=https://google.com I will be redirected to google.com instead of some error.
Why this request will not fail, any ideas? I’d like to eliminate a risk, that someone will be able to redirect user’s to malicious website for example over CSRF.
2. Web Origins
For all available clients, I setup the following Web Origins:
Web Origins: hxxps://wh33zy.website.com
I want to allow access only from trusted domain, but when I will try to send a POST request on the following URL: hxxps://wh33zy.website.com/auth/realms/wh33zy/protocol/openid-connect/token from some ‘third-party’ URL, I will get the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://wh33zy.website.com/auth/realms/wh33zy/protocol/openid-connect/token. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Which is strange, because I’d expect something like:
Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://wh33zy.website.com’
[...] (Reason: CORS request did not succeed)
Do I have to do some next settings in Keycloak.json or somewhere?
3. X-Forwarded-For header and IP spoofing
About this, I didn’t find any information how to fix it with Keycloak. Maybe it’s not Keycloak’s stuff. In short, if I will add X-Forwarded-For header to my request during login process and put there for example value “22.214.171.124” or “X.X.X.X”, I will be successfully logged to the application.
Now, if admin will list all current sessions in admin console, he will see this:
user1 X.X.X.X Sep 11, 2020, 2:00:00 PM
user1 logged from IP X.X.X.X. I can do the same during login process to admin console. When I will click ‘Manage Account’ and list sessions, I will see, that there is one active session in admin-console-account, logged from IP “X.X.X.X”.
Can I somehow replace this measures with some more secure alternatives that are not vulnerable to spoofing? If there is some chance how to reconfigure it, let me please know, because I don’t think, it’s a good idea to have this access control based on X-Forwarded-For header. This also applies to True-Client-IP and X-Real-IP headers.
Thanks a lot, if someone of you will find a time and could give me a hint or at least show me the way, where to improve some configuration or add a value.
Thanks in advance.