Hi,
We currently have the following setup:
External service --- SAML --> Keycloak --- OpenID Connect --> External IdP
When an SP-initiated authentication request is made to Keycloak by
posting a SAML assertion, Keycloak goes through a set of redirects to
authenticate the user to the external IdP through OpenID Connect first.
The redirects are currently being done using a 307 temporary redirect HTTP
code with a Location header. This makes the browser issue a POST request to
the external IdP with the SAML assertion, which could basically leak
information.
While OpenID Connect allows 302, 303 and 307 as the HTTP code, using
anything other than 303, which would transform the request into a GET request,
seems to be a known attack vector on the protocol:
http://securityaffairs.co/wordpress/43518/digital-id/oauth-2-vulnerabilit...
Is there a way to change the HTTP code that is used by Keycloak to issue
temporary redirections?
Thanks,
Gabriel
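As an added illustration of the redirect behaviour this message describes (example code written for this page, not part of the original message and not Keycloak's own code), the script below stands up a fake "Keycloak" endpoint (/saml) that receives an SP's SAML POST and redirects the client to a fake OIDC endpoint (/idp/authorize), then drives it with a client that follows redirects the way browsers do. The endpoint paths, the client_id query parameter and the SAMLResponse value are all constructed for the demo; nothing here is Keycloak configuration.

```python
"""Browser-style redirect handling after a SAML POST: 303 vs 307.

Added example (not Keycloak code). A fake "Keycloak" endpoint /saml receives
the SP's SAML POST and redirects the client to a fake OIDC endpoint
/idp/authorize; the client follows the redirect as browsers do. Endpoint
paths and the SAML payload are constructed for the demo.
"""
import http.client
import http.server
import threading
import urllib.parse

received = []  # (method, path, body) as seen by the fake external IdP endpoint


class FakeKeycloak(http.server.BaseHTTPRequestHandler):
    redirect_status = 307  # switched per run by simulate()

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _read_body(self):
        length = int(self.headers.get("Content-Length", 0))
        return self.rfile.read(length).decode() if length else ""

    def _record(self, body):
        # Anything that is not /saml plays the role of the external IdP.
        received.append((self.command, self.path, body))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        body = self._read_body()
        if self.path == "/saml":
            # "Keycloak" got the SAML response; bounce the browser to the OIDC IdP.
            self.send_response(self.redirect_status)
            self.send_header("Location", "/idp/authorize?client_id=keycloak")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self._record(body)

    def do_GET(self):
        self._record(self._read_body())


def browser_request(host, port, method, path, body=None, max_redirects=5):
    """Send a request and follow redirects with browser semantics:
    301/302/303 turn a POST into a body-less GET; 307/308 replay method and body."""
    for _ in range(max_redirects + 1):
        conn = http.client.HTTPConnection(host, port)
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303, 307, 308) and location:
            path = location  # relative Location, same origin in this demo
            if resp.status in (301, 302, 303):
                method, body = "GET", None
            continue
        return resp.status
    raise RuntimeError("too many redirects")


def simulate(redirect_status):
    """Run one SP-initiated flow with the given redirect code; return what the IdP saw."""
    received.clear()
    FakeKeycloak.redirect_status = redirect_status
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeKeycloak)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed stand-in for a base64 SAML response ("<samlp:Response").
        form = urllib.parse.urlencode(
            {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNl", "RelayState": "app1"})
        browser_request("127.0.0.1", server.server_address[1], "POST", "/saml", form)
    finally:
        server.shutdown()
        server.server_close()
    return received[0]


if __name__ == "__main__":
    for code in (307, 303):
        method, path, body = simulate(code)
        print(f"{code}: IdP received {method} {path} body={body!r}")
```

Running it shows the difference the message is about: with a 307 the redirected request arrives at /idp/authorize as a POST carrying the full SAMLResponse form body, whereas with a 303 it arrives as a GET with no body, so only the Location URL (and whatever query string it carries) reaches the other party.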