[keycloak-user] Remove check for redirect_uri

vasleon vaslion13 at yahoo.gr
Thu Apr 11 16:57:59 EDT 2019


Thank you for the clarification between redirects performed during 
authentication and a post authentication redirect performed by the 
application.
I know it is bad to do so. I want to make it vulnerable on purpose so I 
can show students how this vulnerability can affect OpenID Connect.

I am familiarizing myself with the code available on GitHub for now and 
trying to convert it to Gradle and put it in IntelliJ.

Any hint or help on which files need to be edited to achieve this is 
very welcome.

Thank you


On 11-Apr-19 18:44, John Dennis wrote:
> On 4/11/19 7:19 AM, vasleon wrote:
>> Hello everyone
>>
>> It is required to specify a valid redirect_uri for each client in order
>> for the login form to appear.
>>
>> How could I remove the check that verifies the redirect_uri exists? I
>> would like to make it possible for an application to redirect
>> anywhere. (It is for educational purposes.)
>
> DO NOT DO THIS!
>
> It's very bad. There is a reason the OpenID Connect and SAML 
> specifications *mandate* responses only be returned to known 
> registered clients.
>
> Also, make sure you understand the difference between redirects 
> performed during authentication and a post authentication redirect 
> performed by the application which is not part of the authentication 
> flow; they are not the same thing.
>
>
>
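Added example (not code from this thread or from Keycloak itself) sketching in Python the two checks John Dennis distinguishes: the authorization endpoint's redirect_uri check against the client's registered URIs, and an application's own post-login "return to" check, which is outside the OIDC flow. The client registry, URIs and function names are constructed assumptions.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed client registration (hypothetical; not Keycloak's data model).
REGISTERED_CLIENTS: Dict[str, List[str]] = {
    "student-app": ["https://app.example.test/callback"],
}


def validate_oidc_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> bool:
    """The check the thread is about: the redirect_uri in the authorization
    request must exactly match one registered for the client, so the
    authorization response is only ever sent to a known, registered URI."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered or not redirect_uri:
        return False
    # Exact string comparison: no prefix, wildcard or substring matching,
    # so e.g. "https://app.example.test/callback.attacker.test" is rejected.
    return redirect_uri in registered


def handle_authorization_request(client_id: str, redirect_uri: Optional[str]) -> dict:
    """Authorization endpoint behaviour: with an unregistered redirect_uri the
    server renders an error page and must not redirect at all, which is why
    the login form does not appear in that case."""
    if not validate_oidc_redirect_uri(client_id, redirect_uri):
        return {"action": "error_page", "error": "invalid_redirect_uri"}
    return {"action": "show_login_form", "redirect_uri": redirect_uri}


def validate_post_login_redirect(target: str) -> str:
    """The other kind of redirect: the application's own post-authentication
    'return to' parameter. It is not part of the OIDC flow but still needs
    its own check; here only local, absolute paths are honoured and anything
    else falls back to the application root."""
    if "\\" in target:              # browsers may treat backslash as a slash
        return "/"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:  # absolute or protocol-relative URL
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return target
```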