The POST /auth/oidc/external/authorize and POST /auth/oidc/external/token endpoints currently accept any redirect_uri from the request body and forward it verbatim to the OIDC provider, without checking it against an allowlist of their own.
The OIDC provider is expected to enforce its own redirect_uri allowlist, so this is not exploitable against a correctly configured IdP. This change adds a server-side check as defence in depth; it reduces the risk that a misconfigured IdP (one that accepts arbitrary or loosely matched redirect_uri values) lets an attacker redirect an authorization code or token to a URL they control.
Originally reported privately by @overgrowncarrot1.
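As an added illustration (not the project's own code), the following Python shows the kind of exact-match redirect_uri check a server can apply before forwarding a request to the IdP. The allowlist, the callback paths and the `build_authorize_params` helper are constructed for the example; the project's real configuration and parameter names are assumptions here. Exact string comparison is used deliberately: prefix, suffix or wildcard matching is what lets `https://app.example.com.evil.net/...` or path-traversal variants slip past a loosely configured IdP.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would load the
# registered callback URIs from configuration, not hard-code them.
ALLOWED_REDIRECT_URIS = {
    "https://app.example.com/auth/oidc/external/callback",
    "http://localhost:3000/callback",  # local development only
}


def check_redirect_uri(candidate, allowlist=ALLOWED_REDIRECT_URIS):
    """Return None if candidate is acceptable, otherwise a short reason string.

    The decision is an exact string match against the allowlist, which is what
    the OAuth 2.0 Security BCP recommends for redirect URIs.  The structural
    checks before it exist only to give clearer error messages; they never
    widen what the exact match would accept.
    """
    if not isinstance(candidate, str) or not candidate:
        return "redirect_uri missing"
    if "#" in candidate:
        # Authorization responses must not carry a fragment; reject outright.
        return "redirect_uri must not contain a fragment"
    parts = urlsplit(candidate)
    if parts.scheme not in ("https", "http"):
        return "redirect_uri must use https (or http for loopback)"
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        return "plain http redirect_uri is only allowed for loopback"
    if candidate not in allowlist:
        # No normalisation, no prefix matching: the string must be registered.
        return "redirect_uri is not registered"
    return None


def build_authorize_params(client_id, redirect_uri, state, nonce, scope="openid"):
    """Build the query parameters forwarded to the IdP's authorization endpoint.

    Hypothetical helper standing in for the server-side forwarding logic; it
    refuses to forward a redirect_uri that fails the allowlist check.
    """
    reason = check_redirect_uri(redirect_uri)
    if reason is not None:
        raise ValueError(reason)
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }


if __name__ == "__main__":
    # Constructed inputs showing the cases the exact match is meant to catch.
    for uri in (
        "https://app.example.com/auth/oidc/external/callback",
        "https://app.example.com.evil.net/auth/oidc/external/callback",
        "https://app.example.com/auth/oidc/external/callback/../../open-redirect",
        "https://evil.net/?next=https://app.example.com/auth/oidc/external/callback",
        "http://app.example.com/auth/oidc/external/callback",
    ):
        print(uri, "->", check_redirect_uri(uri) or "allowed")
```

The same check belongs on the token endpoint: the redirect_uri sent with the code exchange must be the one used in the authorization request, so validating it against the allowlist there as well closes the second path described above.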