Univention Bugzilla – Bug 56814
The univention-keycloak script creates the webOrigin incorrectly for oidc client
Last modified: 2023-11-09 12:57:39 CET
The `univention-keycloak` script uses the `valid_redirect_urls` option to set the `webOrigins` of the OIDC client: ``` valid_redirect_urls = [opt.app_url, server_url] + opt.redirect_uri if opt.redirect_uri else [opt.app_url, server_url] ... client_payload_oidc = { ... "webOrigins": valid_redirect_urls, ... } ``` However, this creates incorrect entries if the `app_url` or the `redirect_uri` is not the root of the website -- e.g. "http://www.foo.com/some-redirect-page", instead of the expected "http://www.foo.com". A `webOrigin` must always be the root, otherwise CORS won't work correctly. The code should use a different collection of urls, where it strips out the paths/querystrings of `app_url` and `redirect_uri`.