request_uri blocklist and allowlist implemented to enhance security

The request_uri Authorization Request parameter enables OpenID Connect requests to be passed by reference rather than by value (see the spec): the client sends a URL, and the OpenID Provider fetches the Request Object from that URL. When implemented exactly as written in the spec, with no restriction on which URLs the provider will fetch, the request_uri could be used to launch an SSRF (Server-Side Request Forgery) attack against the IDP, because an attacker can point it at internal hosts that only the IDP can reach. To mitigate this risk, we've implemented both a request_uri blocklist and a request_uri allowlist, which are configurable in the Gluu Server OpenID Provider JSON configuration.
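To show what such a check has to cover, here is an added example of a request_uri validator written in Python. It is not Gluu Server code (oxAuth is written in Java), and the function names, the allowlist/blocklist parameters, the glob-style pattern matching and the hard-coded internal-address rules are assumptions for illustration, not the Gluu JSON configuration properties.

```python
"""Illustrative request_uri validator for an OpenID Provider.

Added example, not Gluu Server code. The names, the list syntax and the
built-in internal-address rules are assumptions for illustration.
"""
import fnmatch
import ipaddress
from urllib.parse import urlsplit


class RequestUriRejected(ValueError):
    """Raised when the OP must not fetch the supplied request_uri."""


def _host_is_internal(host: str) -> bool:
    """True for hosts the OP should never fetch from: loopback, RFC 1918,
    link-local (including the 169.254.169.254 cloud metadata endpoint),
    multicast, reserved and unspecified ranges, or the localhost name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal; only the literal name "localhost" is caught here,
        # other hostnames are judged by the blocklist/allowlist below.
        return host == "localhost" or host.endswith(".localhost")
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _matches(host: str, patterns) -> bool:
    """Glob match of a lower-cased hostname against list entries such as
    'rp.example' or '*.example.com' (glob syntax is an assumption here)."""
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def check_request_uri(uri: str, allowlist=(), blocklist=()) -> str:
    """Validate a request_uri before the OP dereferences it.

    Order matters: the built-in internal-address check and the blocklist
    always win; the allowlist, when non-empty, then restricts fetches to
    the named hosts. Returns the URI unchanged when it may be fetched.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise RequestUriRejected("request_uri must use https")
    if parts.username is not None or parts.password is not None:
        raise RequestUriRejected("userinfo is not permitted in request_uri")
    host = (parts.hostname or "").lower()
    if not host:
        raise RequestUriRejected("request_uri has no host")
    if _host_is_internal(host):
        raise RequestUriRejected(f"{host} is an internal address")
    if _matches(host, blocklist):
        raise RequestUriRejected(f"{host} is blocklisted")
    if allowlist and not _matches(host, allowlist):
        raise RequestUriRejected(f"{host} is not on the allowlist")
    return uri


def rejection_reason(uri, allowlist=(), blocklist=()):
    """None if the URI may be fetched, else the reason it was refused."""
    try:
        check_request_uri(uri, allowlist, blocklist)
    except RequestUriRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a Gluu deployment.
    allow = ["rp.example", "*.example.com"]
    block = ["evil.example.com"]
    for candidate in (
        "https://rp.example/request.jwt",
        "http://rp.example/request.jwt",
        "https://127.0.0.1:8080/request.jwt",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/request.jwt",
        "https://evil.example.com/request.jwt",
        "https://other.example.org/request.jwt",
    ):
        print(candidate, "->", rejection_reason(candidate, allow, block) or "ok")
```

A hostname-level check like this is necessary but not sufficient: the OP must also verify the address the name actually resolves to at connect time (DNS rebinding, or a public name that resolves to a private range) and re-apply the same rules to any HTTP redirect target, and the actual property names for the Gluu lists should be taken from the Gluu Server configuration documentation rather than from this example.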