Thank you for the clarification between redirects performed during
authentication and a post-authentication redirect performed by the
application.
I know it is bad to do so. I want to make it vulnerable on purpose so I
can show students how this vulnerability can affect OpenID Connect.
I am familiarizing myself with the code available on GitHub for now and
trying to convert it to Gradle and load it in IntelliJ.
Any hint or help on which files need to be edited to achieve this is
very welcome.
Thank you
On 11-Apr-19 18:44, John Dennis wrote:
On 4/11/19 7:19 AM, vasleon wrote:
> Hello everyone
>
> It is required to specify a valid redirect_uri for each client in order
> for the login form to appear.
>
> How could I remove the check that verifies the redirect_uri exists? I
> would like to make it possible for an application to redirect
> anywhere. (It is for educational purposes.)
DO NOT DO THIS!
It's very bad. There is a reason the OpenID Connect and SAML
specifications *mandate* responses only be returned to known
registered clients.
Also, make sure you understand the difference between redirects
performed during authentication and a post-authentication redirect
performed by the application, which is not part of the authentication
flow; they are not the same thing.
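As an added example for the thread (not code from the project being discussed, nor from either poster), the Python below models the two things John distinguishes: the provider-side redirect_uri check that the OpenID Connect Core spec requires to be an exact string match against the pre-registered values, and the application's own post-login redirect (a `?next=`-style parameter), which is outside the OIDC flow and needs its own allow-list. The `enforce_registration=False` path is the deliberately weakened behaviour vasleon asks about: it shows the authorization code being delivered to an attacker-chosen host. The client id, the registered URIs and the attacker host are constructed for the example.

```python
from secrets import token_urlsafe
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample registration for the example (assumption: one client
# with two pre-registered redirect URIs). Not taken from any real deployment.
REGISTERED_CLIENTS = {
    "demo-app": {
        "https://app.example.com/callback",
        "https://app.example.com/alt/callback",
    },
}


def redirect_uri_is_registered(client_id, redirect_uri):
    """OIDC Core 3.1.2.1 / RFC 6749 3.1.2.3: the request's redirect_uri must
    exactly match a pre-registered value. A plain set membership test is the
    simple string comparison the spec asks for; no prefix, suffix, host-only
    or pattern matching, which is where most real bypasses live."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def authorize(params, enforce_registration=True):
    """Model of what the authorization endpoint does once the user has logged
    in. Returns either an error page shown to the user (no redirect at all) or
    the 302 Location that carries the authorization code.

    enforce_registration=False is the deliberately vulnerable variant asked
    about in the thread: any redirect_uri is accepted."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state", "")

    if client_id not in REGISTERED_CLIENTS:
        return {"action": "error_page", "error": "unknown_client"}
    if enforce_registration and not redirect_uri_is_registered(client_id, redirect_uri):
        # RFC 6749 4.1.2.1: on an invalid redirect_uri the server MUST NOT
        # redirect; it informs the user directly instead.
        return {"action": "error_page", "error": "invalid_redirect_uri"}

    code = token_urlsafe(24)
    parts = urlsplit(redirect_uri)
    query = urlencode({"code": code, "state": state})
    if parts.query:
        query = parts.query + "&" + query
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    return {"action": "redirect", "location": location, "code": code}


def code_receiver(response):
    """Host that ends up holding the authorization code, or None when the
    provider refused to redirect. Useful for showing students where the
    code actually went."""
    if response["action"] != "redirect":
        return None
    return urlsplit(response["location"]).netloc


def safe_post_login_redirect(next_param, app_origin="https://app.example.com"):
    """The *application's* post-authentication redirect, e.g. a ?next= value
    remembered before login. This is not part of the OIDC flow and the
    provider's redirect_uri check does nothing for it, so the app must
    constrain it itself: allow only local paths or its own origin.
    (app_origin is an assumption for the example.)"""
    if not next_param:
        return "/"
    parts = urlsplit(next_param)
    # Local path: no scheme, no authority. "//evil.test/x" parses with a
    # netloc, so the netloc check also rejects protocol-relative URLs.
    if parts.scheme == "" and parts.netloc == "" and next_param.startswith("/"):
        return next_param
    if urlunsplit((parts.scheme, parts.netloc, "", "", "")) == app_origin:
        return next_param
    return "/"


if __name__ == "__main__":
    attacker = {"client_id": "demo-app",
                "redirect_uri": "https://attacker.test/grab", "state": "xyz"}
    print("strict provider:", authorize(attacker)["action"])
    print("weakened provider sends code to:",
          code_receiver(authorize(attacker, enforce_registration=False)))
    print("app ?next=//attacker.test/x ->", safe_post_login_redirect("//attacker.test/x"))
```

Running the block prints the contrast: with the check in place the provider shows an error page and never issues a redirect; with it removed the code lands on `attacker.test`, which is the whole lesson. Note that the application-level `?next=` handling is a separate open-redirect problem that removing the provider check neither creates nor fixes.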