
SecureClientUrisExecutor doesn't allow for "+" weborigin #45587

@ahus1

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

When adding a secure-client-uris policy check, this does not allow a Web Origins setting of + even though those URLs are secure.

Version

main

Regression

  • The issue is a regression

Expected behavior

A + should be accepted if the rootUrl and redirectUris are secure.

Actual behavior

A + leads to a validation error in the frontend:

Invalid webOrigins

How to Reproduce?

  • Create a client policy that contains secure-client-uris
  • Enter + in the WebOrigins

Anything else?

The problematic code is somewhere about here:

// web origins
List<String> webOrigins = clientRep.getWebOrigins();
if (webOrigins != null) confirmSecureUris(webOrigins, "webOrigins");

The WebOrigins are usually resolved as shown here:

// "+" (INCLUDE_REDIRECTS) is a placeholder that expands to the origins of the client's valid redirect URIs
if (origins.contains(INCLUDE_REDIRECTS)) {
    origins.remove(INCLUDE_REDIRECTS);
    for (String redirectUri : RedirectUtils.resolveValidRedirects(session, client.getRootUrl(), client.getRedirectUris())) {
        if (redirectUri.startsWith("http://") || redirectUri.startsWith("https://")) {
            origins.add(UriUtils.getOrigin(redirectUri));
        }
    }
}
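To make the mismatch concrete, here is an added, self-contained illustration that is not Keycloak's code and uses no Keycloak API. It contrasts a naive check that tests every web origin string as a URI (which necessarily rejects the literal "+") with a check that first expands "+" into the origins of the resolved redirect URIs, in the spirit of the resolution snippet above, and only then requires https. The names INCLUDE_REDIRECTS, isSecureUri, resolveRedirects and webOriginsSecure, and the example host names, are assumptions made for this illustration; only the "+" convention itself comes from the issue.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration (not Keycloak's own code): why a literal "+" web origin
 * fails a plain "is this a secure URI?" check, and how a validator can expand
 * "+" into the origins it stands for before applying the https requirement.
 * All identifiers below are assumptions for this example.
 */
public class WebOriginCheck {

    /** Placeholder web origin meaning "the origins of all valid redirect URIs". */
    static final String INCLUDE_REDIRECTS = "+";

    /** A URI counts as secure here when it is absolute and uses the https scheme. */
    static boolean isSecureUri(String uri) {
        try {
            URI u = new URI(uri);
            return u.isAbsolute() && "https".equalsIgnoreCase(u.getScheme());
        } catch (Exception e) {
            return false; // unparsable input is never considered secure
        }
    }

    /** Naive check, as the issue describes: every entry must itself be a secure URI. */
    static boolean naiveWebOriginsSecure(List<String> webOrigins) {
        for (String origin : webOrigins) {
            if (!isSecureUri(origin)) {
                return false; // "+" lands here, because "+" is not an https URI
            }
        }
        return true;
    }

    /** Resolve relative redirect URIs against rootUrl; absolute ones are kept as they are. */
    static List<String> resolveRedirects(String rootUrl, List<String> redirectUris) {
        List<String> resolved = new ArrayList<>();
        for (String redirect : redirectUris) {
            if (redirect.startsWith("/") && rootUrl != null) {
                resolved.add(rootUrl.replaceAll("/+$", "") + redirect);
            } else {
                resolved.add(redirect);
            }
        }
        return resolved;
    }

    /** scheme://host[:port] of an absolute URI; returns the input unchanged if there is no host. */
    static String origin(String uri) {
        URI u = URI.create(uri);
        if (u.getHost() == null) {
            return uri;
        }
        return u.getPort() == -1
                ? u.getScheme() + "://" + u.getHost()
                : u.getScheme() + "://" + u.getHost() + ":" + u.getPort();
    }

    /** Expand "+" into concrete origins first, then require every origin to be https. */
    static boolean webOriginsSecure(String rootUrl, List<String> redirectUris, List<String> webOrigins) {
        List<String> effective = new ArrayList<>();
        for (String origin : webOrigins) {
            if (INCLUDE_REDIRECTS.equals(origin)) {
                for (String redirect : resolveRedirects(rootUrl, redirectUris)) {
                    effective.add(origin(redirect));
                }
            } else {
                effective.add(origin);
            }
        }
        return naiveWebOriginsSecure(effective);
    }

    public static void main(String[] args) {
        // Constructed sample client: https root, one relative and one absolute redirect.
        String rootUrl = "https://app.example.test";
        List<String> redirects = List.of("/callback", "https://other.example.test/cb");
        List<String> origins = List.of(INCLUDE_REDIRECTS);

        System.out.println("naive check of \"+\":    " + naiveWebOriginsSecure(origins));
        System.out.println("expanded check of \"+\": " + webOriginsSecure(rootUrl, redirects, origins));

        // Same "+" origin, but one redirect is plain http, so the expanded check must fail too.
        List<String> mixedRedirects = List.of("/callback", "http://legacy.example.test/cb");
        System.out.println("expanded, http redirect: " + webOriginsSecure(rootUrl, mixedRedirects, origins));
    }
}
```

The point of the second check is that "+" is never judged on its own: its security is exactly the security of the redirect URIs it expands to, which is the behaviour the "Expected behavior" section asks for. The third call shows the flip side, that expanding "+" does not weaken the policy, since an http redirect still causes a rejection.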
