
OIDC: Recommended Redirect URI is too open

Open · danimo opened this issue 2 months ago • 1 comment

The documentation recommends using

https://<GREENLIGHT_HOSTNAME>/*

as the allowed Redirect URI. This is unsafe, as it becomes vulnerable in conjunction with an arbitrary vulnerability. Hence, it is best practice, and indeed required by some OIDC Identity Providers like Entra ID (which will now silently fail on wildcard URIs), to specify the precise list of URLs that may be redirected to. It should thus recommend:

https://<GREENLIGHT_HOSTNAME>/auth/openid_connect/callback

For subdirectory install, the subdirectory (i.e. $GL_PATH) might need to be added:

https://<GREENLIGHT_HOSTNAME>$GL_PATH/auth/openid_connect/callback

But since I don't run a setup with GL_PATH, I can't test it trivially.

danimo, Nov 07 '25 14:11

I do not have GL_PATH in my .env file, but: RELATIVE_URL_ROOT=/b

So I changed the allowed Redirect URI to https://<GREENLIGHT_HOSTNAME>/b/auth/openid_connect/callback

The login still works. We use Keycloak as OIDC IDP.

playernine, Nov 07 '25 16:11
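To make the difference between the two recommendations concrete, here is an added Ruby example (not Greenlight's own code, and not code posted by either participant) that builds the exact callback URI the issue proposes, including the `RELATIVE_URL_ROOT=/b` case from the second comment, and contrasts an exact-match allowlist check with the wildcard host match that `https://<GREENLIGHT_HOSTNAME>/*` amounts to. The helper names, the `gl.example.org` hostname and the sample redirect URIs are constructed for illustration; only the `/auth/openid_connect/callback` path and the `/b` root come from the thread.

```ruby
require "uri"

# Build the exact OIDC callback URI for a Greenlight deployment.
# host:          the value of GREENLIGHT_HOSTNAME
# relative_root: RELATIVE_URL_ROOT (e.g. "/b"), or nil/"" for a root install
# The "/auth/openid_connect/callback" path is the one named in the issue.
def greenlight_callback_uri(host, relative_root = nil)
  root = (relative_root || "").sub(%r{/+\z}, "")      # drop trailing slashes
  root = "/#{root}" unless root.empty? || root.start_with?("/")
  "https://#{host}#{root}/auth/openid_connect/callback"
end

# Parse a redirect_uri defensively: anything that is not a well-formed https
# URL is rejected outright (returns nil).
def parse_https_uri(redirect_uri)
  uri = URI.parse(redirect_uri) rescue nil
  uri.is_a?(URI::HTTPS) ? uri : nil
end

# Exact-match policy, as the issue asks the docs to recommend: the redirect_uri
# presented at the authorization endpoint must match a registered URI on
# scheme, host, port and path, and must carry no query string or fragment.
def redirect_uri_allowed_exact?(redirect_uri, allowlist)
  candidate = parse_https_uri(redirect_uri)
  return false if candidate.nil? || candidate.query || candidate.fragment

  allowlist.any? do |allowed|
    a = URI.parse(allowed)
    [a.scheme, a.host.downcase, a.port, a.path] ==
      [candidate.scheme, candidate.host.downcase, candidate.port, candidate.path]
  end
end

# Wildcard policy, modelled on the "https://<host>/*" pattern the docs show
# today. Included only for contrast: any path on the host is accepted, which is
# why an unrelated flaw on that host can turn into an authorization-code leak.
def redirect_uri_allowed_wildcard?(redirect_uri, host)
  candidate = parse_https_uri(redirect_uri)
  !candidate.nil? && candidate.host.downcase == host.downcase
end

if __FILE__ == $PROGRAM_NAME
  host = "gl.example.org"                                   # constructed hostname
  allowlist = [greenlight_callback_uri(host, "/b")]          # RELATIVE_URL_ROOT=/b
  puts allowlist.first
  %w[
    https://gl.example.org/b/auth/openid_connect/callback
    https://gl.example.org/some/other/page
    https://gl.example.org/b/auth/openid_connect/callback?next=x
  ].each do |uri|
    puts format("%-70s exact=%-5s wildcard=%s", uri,
                redirect_uri_allowed_exact?(uri, allowlist),
                redirect_uri_allowed_wildcard?(uri, host))
  end
end
```

Registering the output of `greenlight_callback_uri` at the identity provider gives the IdP one precise string to compare against, which is exactly what Entra ID's behaviour described above forces anyway; the wildcard check is kept in the block only to show how much wider its acceptance set is.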