Hi,
On 11 Apr 2019, at 22:57, vasleon
<vaslion13(a)yahoo.gr> wrote:
Thank you for the clarification between redirects performed during
authentication and a post-authentication redirect performed by the
application.
I know it is bad to do so. I want to make it vulnerable on purpose so I
can show students how this vulnerability can affect OpenID Connect.
I am familiarizing myself with the code available on GitHub for now and
trying to convert it to Gradle and put it in IntelliJ.
Any hint or help on which files need to be edited to achieve this is
very welcome.
We already answered your question (Stan Silvert and I).
You can put a wildcard * in Valid Redirect Uris:
Menu Clients -> "your client" -> Settings tab -> Valid Redirect Uris
Lorenzo
Thank you
On 11-Apr-19 18:44, John Dennis wrote:
> On 4/11/19 7:19 AM, vasleon wrote:
>> Hello everyone,
>>
>> It is required to specify a valid redirect_uri for each client in order
>> for the login form to appear.
>>
>> How could I remove the check that verifies the redirect_uri exists? I
>> would like to make it possible for an application to redirect
>> anywhere. (It is for educational purposes.)
>
> DO NOT DO THIS!
>
> It's very bad. There is a reason the OpenID Connect and SAML
> specifications *mandate* responses only be returned to known
> registered clients.
>
> Also, make sure you understand the difference between redirects
> performed during authentication and a post authentication redirect
> performed by the application which is not part of the authentication
> flow, they are not the same thing.
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
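To make the point of the thread concrete for a classroom, here is an added Python example (not Keycloak's own code, and not posted by anyone in the thread) that models how an OpenID Connect provider matches a request's redirect_uri against a client's registered Valid Redirect URIs. The matching rules are a simplified assumption: exact match, a trailing "/*" meaning prefix match, and a bare "*" accepting any destination, which is the setting Lorenzo describes. The client registrations and URIs are constructed sample data. The audit function shows what a reviewer would flag in a client configuration.

```python
from urllib.parse import urlsplit

# Constructed client registrations (hypothetical client ids and hosts).
STRICT_CLIENT = {
    "client_id": "course-app",
    "valid_redirect_uris": ["https://course-app.example/callback"],
}
PREFIX_CLIENT = {
    "client_id": "course-app-prefix",
    "valid_redirect_uris": ["https://course-app.example/*"],
}
WILDCARD_CLIENT = {
    "client_id": "course-app-weak",
    # The bare wildcard from the thread: every destination is "valid".
    "valid_redirect_uris": ["*"],
}


def matches_registered(redirect_uri: str, pattern: str) -> bool:
    """Assumed matching semantics for one registered pattern."""
    if pattern == "*":
        # Accepts anything: the authorization response (code or tokens)
        # can be sent to a host the client never registered.
        return True
    if pattern.endswith("/*"):
        # Prefix match; the trailing slash stays, so "https://a.example/*"
        # does not match "https://a.example.other/..."
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def check_redirect_uri(client: dict, redirect_uri: str) -> bool:
    """Return True if the provider should honour this redirect_uri."""
    parts = urlsplit(redirect_uri)
    # RFC 6749 section 3.1.2: the redirect URI must be absolute and
    # must not contain a fragment component.
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False
    return any(matches_registered(redirect_uri, p)
               for p in client["valid_redirect_uris"])


def audit_client(client: dict) -> list:
    """Flag registrations that let responses leave the registered origin."""
    findings = []
    for pattern in client["valid_redirect_uris"]:
        if pattern == "*":
            findings.append("bare wildcard accepts any redirect_uri")
        elif pattern.startswith("http://") and "localhost" not in pattern:
            findings.append(f"plain http redirect target: {pattern}")
        elif "*" in pattern and not pattern.endswith("/*"):
            findings.append(f"wildcard not at end of path: {pattern}")
    return findings


if __name__ == "__main__":
    for client in (STRICT_CLIENT, PREFIX_CLIENT, WILDCARD_CLIENT):
        ok = check_redirect_uri(client, "https://other.example/callback")
        print(client["client_id"], "accepts foreign host:", ok,
              "| audit:", audit_client(client) or "clean")
```

Running it shows the strict and prefix clients rejecting a redirect to an unregistered host while the wildcard client accepts it, and the audit reports only the wildcard client. This is the check the thread discusses removing: the provider's only guarantee that the authorization response reaches the registered client is this comparison, so the lesson for students is to observe the difference in behaviour between the two configurations rather than to disable the check in a deployed realm.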