Redirect URI Security

Validate redirect URIs against HTTPS enforcement and SSRF prevention rules.

Requirement coverage

REQ-REDIRECT-001: Block HTTP (non-HTTPS) redirect URIs
REQ-REDIRECT-002: Block localhost redirect URIs in production
REQ-REDIRECT-003: Block private IP addresses in redirect URIs
REQ-REDIRECT-004: Block fragment (#) in redirect URIs
REQ-REDIRECT-005: Enforce maximum redirect URI length
REQ-REDIRECT-006: Support wildcard patterns in redirect URI whitelist

Test examples

REDIR-001 [BLOCKED]

HTTP redirect URI blocked

Example request

curl -G 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth' \
  --data-urlencode 'response_type=code' --data-urlencode 'client_id=myapp' \
  --data-urlencode 'redirect_uri=http://app.example.com/cb' --data-urlencode 'state=abc'

Expected response

{"error":"invalid_request","error_description":"HTTP redirect URIs are not allowed (HTTPS required)"}

REDIR-002 [BLOCKED]

Localhost redirect blocked

Example request

curl -G 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth' \
  --data-urlencode 'response_type=code' --data-urlencode 'client_id=myapp' \
  --data-urlencode 'redirect_uri=https://localhost:3000/cb' --data-urlencode 'state=abc'

Expected response

{"error":"invalid_request","error_description":"Localhost redirect URIs are blocked in production"}
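As an added example (not part of this page and not Keycloak's own code), the following Python validator applies REQ-REDIRECT-001 to REQ-REDIRECT-006 in one place and produces the two error descriptions shown in the test examples above. The 2048-character limit, the error strings for the other rules, and the trailing-asterisk wildcard convention (prefix match, no wildcard in the host part) are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECT_URI_LEN = 2048  # assumed limit; REQ-REDIRECT-005 states no number on this page


def _ip_literal(host):
    """Parse an IP-literal host (urlsplit already strips IPv6 brackets); None for a hostname."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _pattern_matches(uri, pattern):
    """Whitelist match (REQ-REDIRECT-006): exact, or prefix match for a trailing '*'.
    A '*' in the host part is refused: 'https://app.example.com*' would also match
    'https://app.example.com.attacker.example/', which defeats the whitelist."""
    if "*" in urlsplit(pattern).netloc:
        raise ValueError("wildcard in host part of whitelist pattern: " + pattern)
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def validate_redirect_uri(uri, allowed, production=True):
    """Return (True, None) or (False, error_description), checking REQ-REDIRECT-001..006."""
    if len(uri) > MAX_REDIRECT_URI_LEN:                               # REQ-REDIRECT-005
        return False, "Redirect URI exceeds maximum length"
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":                               # REQ-REDIRECT-001
        return False, "HTTP redirect URIs are not allowed (HTTPS required)"
    if "#" in uri:                                                    # REQ-REDIRECT-004
        return False, "Fragment in redirect URI is not allowed"
    host = parts.hostname or ""                                       # hostname is lower-cased
    if not host:
        return False, "Redirect URI has no host"
    ip = _ip_literal(host)
    is_local = host == "localhost" or host.endswith(".localhost") or (ip is not None and ip.is_loopback)
    if production and is_local:                                       # REQ-REDIRECT-002
        return False, "Localhost redirect URIs are blocked in production"
    if ip is not None and not ip.is_loopback and not ip.is_global:    # REQ-REDIRECT-003
        return False, "Private or non-public IP addresses are not allowed in redirect URIs"
    # Compare with scheme and authority lower-cased; path and query stay case-sensitive.
    norm = urlunsplit(parts._replace(scheme="https", netloc=parts.netloc.lower()))
    if not any(_pattern_matches(norm, p) for p in allowed):
        return False, "Redirect URI is not registered for this client"
    return True, None
```

Loopback addresses are handled by the production-only localhost rule rather than the private-IP rule, so a developer realm with production=False can still use https://localhost or https://127.0.0.1 while 10.0.0.0/8, 192.168.0.0/16 and link-local targets remain blocked everywhere.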