[keycloak-user] Are relative redirect URIs supported?

Stian Thorgersen sthorger at redhat.com
Tue Nov 24 03:12:09 EST 2015


You can use '*' to make it valid for all redirect URIs. Make sure you don't
do that in production though. Especially if you are using public clients
(html5 apps, etc..), in those cases the redirect uri is the main safeguard
that prevents malicious applications from logging in.

On 23 November 2015 at 21:26, Håvard Wigtil <haavard.wigtil at kantega.no>
wrote:

> I'm not sure that I'm asking the right question yet, so I'll try again.
>
> We have Keycloak installed on keycloak.my.lan. We're running development
> on several developer PCs, which we access by their public IP because we
> test on several devices against our local development environment. So my
> application is hosted on 192.168.1.2 at the moment, my colleague is
> running her version of the same application at 192.168.1.4, and our IPs
> may change the next day.
>
> If I configure the client "myclient" in the "Clients" section in
> Keycloak admin console with a "Valid redirect URI" of
> "http://192.168.1.2:3000/app/login" then login works. If I change this
> to only "/app/login" then I am presented with the error "We're sorry...
> Invalid parameter: redirect_uri" from Keycloak before I get a chance to
> enter my credentials.
>
> The URL from my application in both cases is the URL below, so the
> redirect URI as sent from the application is always absolute:
>
> https://keycloak.my.lan/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2F192.168.1.2:3000%2Fapp%2Flogin&state=3525097d-e0f8-4013-890f-08fba8439412&response_type=code
>
> I left out the last relevant part of the help message (for brevity) in
> my first mail. In addition to "Relative path can be specified too, i.e.
> /my/relative/path/*" it also says "Relative paths will generate a
> redirect URI using the request's host and port". My reading of those two
> sentences together led me to believe that I could leave out the
>
> So my real question is: Is it possible to set a single "Valid redirect
> URI" in Keycloak console for my app that will work when the app is
> served from either http://192.168.1.2/app or http://192.168.1.4/app and
> possibly many similar URIs? Or do I have to specify every possible URI
> that my app could be served from under "Valid redirect URIs"?
>
>    Håvard
>
> On 23 Nov 2015 20:19, Bill Burke wrote:
> > A relative URI *will not* be accepted if it is passed as a query
> > parameter when a client is requesting a code.  An absolute URI *MUST BE*
> > sent via the redirect_uri query parameter.  For admin console config, if
> > you put in relative path in your valid redirect URIs, it uses the
> > host/port of the auth server.  A bunch of the demos work that way.  So,
> > if you host the auth server on mydomain.com,
> > https://localhost/my/relative/path will match and
> > https://mydomain.com/my/relative/path will work too.  Make sense?
> >
> >
> >
> > On 11/23/2015 2:00 PM, Håvard Wigtil wrote:
> >> I'm trying to get a relative (i.e. path only with no host) redirect URI
> >> for a Keycloak client to work. My client works with full host and path,
> >> but if I remove the host part I get an illegal parameter error.
> >>
> >> The inline help bubble has the following sentence: "Relative path can be
> >> specified too, i.e. /my/relative/path/*."
> >> So as far as I can tell, it should work according to the help message.
> >> As I was trying to find out more about this I came across Jira issue
> >> KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth
> >> 2.0 spec. If I'm reading the spec correctly the redirect *must* be
> >> absolute to be conformant with the spec.
> >>
> >> Is the inline help wrong, or is it something here that I don't get?
> >>
> >>      Håvard
> >>
> >>
> >> [1] https://issues.jboss.org/browse/KEYCLOAK-8
> >> [2] https://tools.ietf.org/html/rfc6749#section-3.1.2
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
>
> --
> Håvard Wigtil
> architect and developer, Kantega AS
> tel. +47 9384 6468
>
>
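The matching rules discussed in this thread (an absolute redirect_uri is required in the authorization request; a relative "Valid redirect URI" is resolved against the auth server's own host and port; a trailing `*` matches a prefix; a bare `*` matches everything) can be modelled in a few lines. The following is an added illustration, not Keycloak's own code, and it is a simplified model of the behaviour Bill and Stian describe rather than Keycloak's exact implementation. The hosts, ports and paths are the ones from Håvard's mails; the function names are my own.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical auth server base, taken from the thread (keycloak.my.lan).
AUTH_SERVER_BASE = "https://keycloak.my.lan/auth"


def resolve_pattern(pattern: str, auth_server_base: str = AUTH_SERVER_BASE) -> str:
    """Turn a configured 'Valid redirect URI' into an absolute pattern.

    A relative pattern (path only) takes the scheme, host and port of the
    auth server, as described in the thread; an absolute pattern is used as-is.
    """
    if pattern.startswith("/"):
        base = urlsplit(auth_server_base)
        return urlunsplit((base.scheme, base.netloc, pattern, "", ""))
    return pattern


def is_valid_redirect(requested: str, valid_patterns, auth_server_base: str = AUTH_SERVER_BASE) -> bool:
    """Decide whether the redirect_uri sent by a client is allowed.

    - The requested URI must be absolute (RFC 6749 section 3.1.2); a
      path-only value is rejected outright.
    - '*' on its own accepts any URI (the development-only setting Stian
      warns about: with it, any site can receive the authorization code).
    - A pattern ending in '*' is a prefix match; anything else must match exactly.
    """
    parts = urlsplit(requested)
    if not parts.scheme or not parts.netloc:
        return False
    for pattern in valid_patterns:
        if pattern == "*":
            return True
        resolved = resolve_pattern(pattern, auth_server_base)
        if resolved.endswith("*"):
            if requested.startswith(resolved[:-1]):
                return True
        elif requested == resolved:
            return True
    return False


def explain(requested: str, valid_patterns) -> str:
    """Human-readable summary of a check, useful when debugging a config."""
    verdict = "accepted" if is_valid_redirect(requested, valid_patterns) else "rejected"
    resolved = [resolve_pattern(p) for p in valid_patterns]
    return f"{requested} is {verdict} against {resolved}"


if __name__ == "__main__":
    dev_uri = "http://192.168.1.2:3000/app/login"
    # Why '/app/login' alone fails: it resolves to the auth server's host, not the dev PC.
    print(explain(dev_uri, ["/app/login"]))
    # Listing each developer host explicitly works without opening the client up.
    print(explain(dev_uri, ["http://192.168.1.2:3000/app/*", "http://192.168.1.4:3000/app/*"]))
    # '*' works for local development but accepts any host at all.
    print(explain("http://anything.example/steal", ["*"]))
```

Running the script shows the failure from Håvard's mail (`/app/login` becomes `https://keycloak.my.lan/app/login` and does not match the dev PC's address), that listing each developer host with a trailing `*` covers the changing-IP case without a global wildcard, and that a bare `*` accepts a URI on an unrelated host, which is exactly why it must not reach production for a public client.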