6:19 a.m.
Hello everyone
it is required to specify a valid redirect_uri for each client in order
for the login form to appear.
how could I remove the check that verifies the redirect_uri exists? I
would like to make it possible to be able for an application to redirect
anywhere. ( it is for educational purposes)
thank you
6:50 a.m.
Hello,
I think you can use the wildcard * to rederict anywhere.
Lorenzo
Il giorno 11 apr 2019, alle ore 13:19, vasleon
<vaslion13(a)yahoo.gr> ha scritto:
Hello everyone
it is required to specify a valid redirect_uri for each client in order
for the login form to appear.
how could I remove the check that verifies the redirect_uri exists? I
would like to make it possible to be able for an application to redirect
anywhere. ( it is for educational purposes)
thank you
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:10 a.m.
On 4/11/2019 7:50 AM, Lorenzo Luconi Trombacchi wrote:
Hello,
I think you can use the wildcard * to rederict anywhere.
Lorenzo
That is correct. Details are in the admin console help text for Clients
--> client_name --> Settings --> Valid Redirect URIs
> Il giorno 11 apr 2019, alle ore 13:19, vasleon <vaslion13(a)yahoo.gr> ha
scritto:
>
> Hello everyone
>
> it is required to specify a valid redirect_uri for each client in order
> for the login form to appear.
>
> how could I remove the check that verifies the redirect_uri exists? I
> would like to make it possible to be able for an application to redirect
> anywhere. ( it is for educational purposes)
>
> thank you
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:44 a.m.
On 4/11/19 7:19 AM, vasleon wrote:
Hello everyone
it is required to specify a valid redirect_uri for each client in order
for the login form to appear.
how could I remove the check that verifies the redirect_uri exists? I
would like to make it possible to be able for an application to redirect
anywhere. ( it is for educational purposes)
DO NOT DO THIS!
It's very bad. There is a reason the OpenID Connect and SAML
specifications *mandate* responses only be returned to known registered
clients.
Also, make sure you understand the difference between redirects
performed during authentication and a post authentication redirect
performed by the application which is not part of the authentication
flow, they are not the same thing.
--
John Dennis
3:57 p.m.
Thank you for the clarification between redirects performed during
authentication and a post authentication redirect performed by the
application.
I know it is bad to do so. I want to make it vulnerable in purpose so I
can show to students how this vulnerability can affect openID connect.
I am familiarizing with the code from available on github for now and
trying to convert it to gradle and put it on intellij.
Any hint or help on which files need to be edited to achieve this, is
very welcome
thank you
On 11-Apr-19 18:44, John Dennis wrote:
On 4/11/19 7:19 AM, vasleon wrote:
> Hello everyone
>
> it is required to specify a valid redirect_uri for each client in order
> for the login form to appear.
>
> how could I remove the check that verifies the redirect_uri exists? I
> would like to make it possible to be able for an application to redirect
> anywhere. ( it is for educational purposes)
DO NOT DO THIS!
It's very bad. There is a reason the OpenID Connect and SAML
specifications *mandate* responses only be returned to known
registered clients.
Also, make sure you understand the difference between redirects
performed during authentication and a post authentication redirect
performed by the application which is not part of the authentication
flow, they are not the same thing.
2:11 a.m.
Hi,
Il giorno 11 apr 2019, alle ore 22:57, vasleon
<vaslion13(a)yahoo.gr> ha scritto:
Thank you for the clarification between redirects performed during
authentication and a post authentication redirect performed by the
application.
I know it is bad to do so. I want to make it vulnerable in purpose so I
can show to students how this vulnerability can affect openID connect.
I am familiarizing with the code from available on github for now and
trying to convert it to gradle and put it on intellij.
Any hint or help on which files need to be edited to achieve this, is
very welcome
we already answered to your question (me and Stan Silvert).
You can put a wildcard * in Valid Redirect Uris:
Menu Clients -> “your client” -> Settings tab -> Valid Redirect Uris
Lorenzo
thank you
On 11-Apr-19 18:44, John Dennis wrote:
> On 4/11/19 7:19 AM, vasleon wrote:
>> Hello everyone
>>
>> it is required to specify a valid redirect_uri for each client in order
>> for the login form to appear.
>>
>> how could I remove the check that verifies the redirect_uri exists? I
>> would like to make it possible to be able for an application to redirect
>> anywhere. ( it is for educational purposes)
>
> DO NOT DO THIS!
>
> It's very bad. There is a reason the OpenID Connect and SAML
> specifications *mandate* responses only be returned to known
> registered clients.
>
> Also, make sure you understand the difference between redirects
> performed during authentication and a post authentication redirect
> performed by the application which is not part of the authentication
> flow, they are not the same thing.
>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2072
days inactive
2073
days old
5 comments
4 participants
participants (4)
-
John Dennis -
Lorenzo Luconi Trombacchi -
Stan Silvert -
vasleon