keycloak-scim/docs/documentation/release_notes/topics/21_1_2.adoc

= Changes in validating schemes for valid redirect URIs

If an application client is using non http(s) custom schemes, from now on the validation requires that a valid redirect pattern explicitly allows that scheme. Example patterns for allowing `custom` scheme are `custom:/test`, `custom:/test/\*` or `custom:*`. For security reasons a general pattern like `*` does not cover them anymore.
Check the redirect URI is http(s) when used for a form Post (#22) Closes https://github.com/keycloak/security/issues/22 Co-authored-by: Stian Thorgersen <stianst@gmail.com> Signed-off-by: Peter Skopek <pskopek@redhat.com> 2023-06-01 11:54:47 +00:00			`= Changes in validating schemes for valid redirect URIs`

			If an application client is using non http(s) custom schemes, from now on the validation requires that a valid redirect pattern explicitly allows that scheme. Example patterns for allowing `custom` scheme are `custom:/test`, `custom:/test/\` or `custom:`. For security reasons a general pattern like `*` does not cover them anymore.