Re: [keycloak-dev] Open Redirect Vulnerability

I don't get the attack, he states that: Now let's assume an attacker: * Registers a new client to the victim.com provider. * Registers a redirect uri like attacker.com. If the attacker can register a client with a redirect uri, how is it then an open redirect?! ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Thursday, April 16, 2015 1:31:17 AM > Subject: Re: [keycloak-dev] Open Redirect Vulnerability > > One more thing... > > We never redirect unless the redirect URI and client id is validated. > > On 4/15/2015 4:57 PM, Pedro Igor Silva wrote: >> Hi, >> >> Is KC considering this vulnerability [1] when performing redirects ? >> Specially for OAuth Clients doing authorization code grant. >> >> Regards. >> >> [1] >> http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o... >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >