[keycloak-user] Remove check for redirect_uri
John Dennis
jdennis at redhat.com
Thu Apr 11 12:44:05 EDT 2019
On 4/11/19 7:19 AM, vasleon wrote:
> Hello everyone
>
> It is required to specify a valid redirect_uri for each client in order
> for the login form to appear.
>
> How could I remove the check that verifies the redirect_uri exists? I
> would like to make it possible for an application to redirect
> anywhere. (It is for educational purposes.)

DO NOT DO THIS!

It's very bad. There is a reason the OpenID Connect and SAML
specifications *mandate* responses only be returned to known registered
clients.

Also, make sure you understand the difference between redirects
performed during authentication and a post-authentication redirect
performed by the application, which is not part of the authentication
flow; they are not the same thing.

--
John Dennis
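
An added example, not part of the original message and not Keycloak's code, of the two separate checks the reply distinguishes: the authorization server comparing `redirect_uri` against the client's registered values, and the application validating its own post-login redirect. The client id, URIs, function names and the `next` parameter are hypothetical, and exact string matching is the policy assumed here.

```python
from urllib.parse import urlsplit

# Constructed sample registration; the client id and URI are hypothetical.
REGISTERED_REDIRECT_URIS = {
    "demo-app": {"https://app.example.com/oidc/callback"},
}


def authz_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: the redirect_uri of an authentication
    request must be identical to one registered for that client.
    Exact string comparison: no prefix, wildcard or normalisation."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def post_login_target(next_param: str, default: str = "/") -> str:
    """Application side: where the app sends the browser after login.
    This is not the redirect_uri and the identity provider never sees it,
    so the application must validate it. Only same-site paths pass."""
    if not next_param or any(c in next_param for c in "\\\r\n\t"):
        return default
    parts = urlsplit(next_param)
    # Reject absolute URLs and scheme-relative "//host" forms.
    if parts.scheme or parts.netloc:
        return default
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    return next_param


if __name__ == "__main__":
    # Constructed requests: one registered value and three near misses.
    for uri in (
        "https://app.example.com/oidc/callback",
        "https://app.example.com/oidc/callback?extra=1",
        "https://app.example.com.other.example/oidc/callback",
        "http://app.example.com/oidc/callback",
    ):
        print(authz_redirect_allowed("demo-app", uri), uri)
    for target in ("/dashboard?tab=1", "//other.example/x", "https://other.example/"):
        print(repr(post_login_target(target)), "<-", target)
```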