First Last Prev Next    This bug is not in your last search results.
Bug 56814 - The univention-keycloak script creates the webOrigin incorrectly for oidc client
The univention-keycloak script creates the webOrigin incorrectly for oidc client
Status: NEW
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2023-11-09 09:16 CET by J Leadbetter
Modified: 2023-11-09 12:57 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description J Leadbetter univentionstaff 2023-11-09 09:16:07 CET 
The `univention-keycloak` script uses the `valid_redirect_urls` option to set the `webOrigins` of the OIDC client:

```
    valid_redirect_urls = [opt.app_url, server_url] + opt.redirect_uri if opt.redirect_uri else [opt.app_url, server_url]

...

    client_payload_oidc = {
        ...
        "webOrigins": valid_redirect_urls,
        ...
    }
```

However, this creates incorrect entries if the `app_url` or the `redirect_uri` is not the root of the website -- e.g. "http://www.foo.com/some-redirect-page", instead of the expected "http://www.foo.com". A `webOrigin` must always be the root, otherwise CORS won't work correctly.

The code should use a different collection of urls, where it strips out the paths/querystrings of `app_url` and `redirect_uri`.
First Last Prev Next    This bug is not in your last search results.