Redirect URI Security

Validate redirect URIs against HTTPS enforcement and SSRF prevention rules.

Requirements Coverage

REQ-REDIRECT-001  Block HTTP (non-HTTPS) redirect URIs
REQ-REDIRECT-002  Block localhost redirect URIs in production
REQ-REDIRECT-003  Block private IP addresses in redirect URIs
REQ-REDIRECT-004  Block fragment (#) in redirect URIs
REQ-REDIRECT-005  Enforce maximum redirect URI length
REQ-REDIRECT-006  Support wildcard patterns in redirect URI whitelist
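
The six requirements above as one validator, added here as an illustration; it is not Keycloak's or this project's code. It assumes a 2048-character maximum (REQ-REDIRECT-005 gives no number) and registered patterns such as https://*.example.com/cb, where the wildcard may only be the whole leftmost host label; the error texts mirror the expected responses below.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed limit: REQ-REDIRECT-005 requires a maximum but the page does not give the number.
MAX_REDIRECT_URI_LEN = 2048
LOCALHOST_NAMES = {"localhost", "127.0.0.1", "::1"}


def _host_matches(pattern_host, host):
    """A wildcard is honoured only as the whole leftmost label ('*.example.com'), one label deep."""
    if pattern_host.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern_host[2:]
    return host == pattern_host


def _whitelisted(parts, port, whitelist):
    """Scheme, port, path and query must match exactly; only the host may carry a wildcard."""
    for pattern in whitelist:
        p = urlsplit(pattern)
        if (p.scheme == parts.scheme and p.port == port and p.path == parts.path
                and p.query == parts.query and _host_matches(p.hostname or "", parts.hostname or "")):
            return True
    return False


def validate_redirect_uri(uri, whitelist, production=True):
    """Return (accepted, error_description) for a redirect_uri presented at the auth endpoint."""
    if len(uri) > MAX_REDIRECT_URI_LEN:                        # REQ-REDIRECT-005
        return False, "Redirect URI exceeds maximum length"
    if "#" in uri:                                             # REQ-REDIRECT-004 (raw '#', not %23)
        return False, "Fragment is not allowed in redirect URIs"
    parts = urlsplit(uri)
    if parts.scheme != "https":                                # REQ-REDIRECT-001
        return False, "HTTP redirect URIs are not allowed (HTTPS required)"
    host = parts.hostname or ""                                # lowercased, IPv6 brackets stripped
    try:
        port = parts.port                                      # raises on a non-numeric port
    except ValueError:
        return False, "Malformed redirect URI"
    if production and (host in LOCALHOST_NAMES or host.endswith(".localhost")):  # REQ-REDIRECT-002
        return False, "Localhost redirect URIs are blocked in production"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                              # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:                    # REQ-REDIRECT-003: RFC 1918, loopback, link-local
        return False, "Private IP addresses are not allowed in redirect URIs"
    if not _whitelisted(parts, port, whitelist):               # REQ-REDIRECT-006
        return False, "Redirect URI does not match a registered pattern"
    return True, None
```

A DNS name that resolves to a private address is not caught here; that needs a resolution-time check in whatever performs the redirect.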

Test Examples

REDIR-001 [BLOCKED]

HTTP redirect URI blocked

Sample Request

curl -G 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth' \
  -d 'response_type=code&client_id=myapp&state=abc' \
  --data-urlencode 'redirect_uri=http://app.example.com/cb'

Expected Response

{"error":"invalid_request","error_description":"HTTP redirect URIs are not allowed (HTTPS required)"}

REDIR-002 [BLOCKED]

Localhost redirect blocked

Sample Request

curl -G 'https://keycloak-alg:8443/realms/myapp/protocol/openid-connect/auth' \
  -d 'response_type=code&client_id=myapp&state=abc' \
  --data-urlencode 'redirect_uri=https://localhost:3000/cb'

Expected Response

{"error":"invalid_request","error_description":"Localhost redirect URIs are blocked in production"}