Maria Pavlova

Reputation: 31

Logout endpoint allows redirection to an arbitrary url in Keycloak

Since there is no clientId in the logout request, it's not possible to validate the URL against the client's list of Valid Redirect URIs, thus allowing redirection to an arbitrary URL: https://idserver/auth/realms/realm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fattackers.website

Is there a workaround for this issue or does it have to be a code fix? Thank you.

Upvotes: 3

Views: 21847

Answers (1)

ahus1

Reputation: 5932

You can (and should) register "Valid Redirect URIs" for each client in the realm. If you don't and specify e.g. "*" to allow any URL, exactly the thing you describe will happen.

Try the logout with the realm "master" (with the initial configuration): you'll get the error message "Invalid redirect uri".

Upvotes: 16
