[keycloak-user] Remove check for redirect_uri

Lorenzo Luconi Trombacchi lorenzo.luconi at iit.cnr.it
Fri Apr 12 03:11:58 EDT 2019


Hi,

> On 11 Apr 2019, at 22:57, vasleon <vaslion13 at yahoo.gr> wrote:
> 
> Thank you for the clarification between redirects performed during 
> authentication and a post authentication redirect performed by the 
> application.
> I know it is bad to do so. I want to make it vulnerable on purpose so I 
> can show students how this vulnerability can affect OpenID Connect.
> 
> I am familiarizing myself with the code available on GitHub for now and 
> trying to convert it to Gradle and open it in IntelliJ.
> 
> Any hint or help on which files need to be edited to achieve this is 
> very welcome.

we already answered your question (Stan Silvert and I).
You can put a wildcard * in Valid Redirect URIs:

Menu Clients -> “your client” -> Settings tab -> Valid Redirect Uris

Lorenzo



> 
> thank you
> 
> 
> On 11-Apr-19 18:44, John Dennis wrote:
>> On 4/11/19 7:19 AM, vasleon wrote:
>>> Hello everyone
>>> 
>>> It is required to specify a valid redirect_uri for each client in order
>>> for the login form to appear.
>>> 
>>> How could I remove the check that verifies the redirect_uri exists? I
>>> would like to make it possible for an application to redirect
>>> anywhere. (It is for educational purposes.)
>> 
>> DO NOT DO THIS!
>> 
>> It's very bad. There is a reason the OpenID Connect and SAML 
>> specifications *mandate* responses only be returned to known 
>> registered clients.
>> 
>> Also, make sure you understand the difference between redirects 
>> performed during authentication and a post-authentication redirect 
>> performed by the application, which is not part of the authentication 
>> flow; they are not the same thing.
>> 
>> 
>> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
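As an added illustration of the point made in this thread (not code from Keycloak or from any of the posters), here is a small redirect_uri validator with constructed matching rules modelled on the "Valid Redirect URIs" idea: exact match, trailing-`*` prefix match, and the bare `*` the thread mentions. It shows why registering exact URIs is the safe default, and why a wildcard placed right after the host name is almost as permissive as `*`. The host names are constructed for the example.

```python
from urllib.parse import urlsplit


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """True if redirect_uri matches one of the registered patterns.

    Matching rules (constructed for illustration, not Keycloak's own code):
    - a bare '*' accepts anything (the deliberately permissive lab setting)
    - a pattern ending in '*' matches any URI starting with the text before it
    - any other pattern must equal the whole URI
    """
    parts = urlsplit(redirect_uri)
    # A registered redirect target always has a scheme and host and never a
    # fragment, so reject such requests before pattern matching.
    if parts.fragment or not parts.scheme or not parts.netloc:
        return False
    for pattern in valid_redirect_uris:
        if pattern == "*":
            return True
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def demo():
    """Evaluate one attacker-chosen URI against several client registrations."""
    legit = "https://app.example.com/cb"                  # constructed
    foreign = "https://app.example.com.evil-lab.test/cb"  # constructed, not a real host
    return {
        # bare wildcard: the authorization response can be sent anywhere
        "wildcard_accepts_foreign": redirect_uri_allowed(foreign, ["*"]),
        # exact registration: only the registered callback is accepted
        "exact_rejects_foreign": redirect_uri_allowed(foreign, [legit]),
        "exact_accepts_legit": redirect_uri_allowed(legit, [legit]),
        # wildcard directly after the host is a plain prefix match and still
        # accepts a look-alike host; put the wildcard after the path separator
        "host_wildcard_accepts_foreign": redirect_uri_allowed(
            foreign, ["https://app.example.com*"]),
        "path_wildcard_rejects_foreign": redirect_uri_allowed(
            foreign, ["https://app.example.com/*"]),
    }
```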
