Enforce that redirect URL should be on the same origin as the app

[jonkoops]

Currently, it is possible for Keycloak JS to be initialized with a redirect URL that is not on the same origin as the application it is being initialized on. This is often used as a redirect mechanism, but can cause unexpected issues, and should be prevented.

See #230

[jonkoops]

Alternatively. This could be an opt-in from the user when configuring Keycloak JS, e.g. allowInsecureRedirect or something along those lines.

[eudamniac]

Hey @jonkoops, I came across this issue on the latest release notes and would just like to outline our authentication flow that might be affected by this:

With our app we follow the best practices posted here (see section "Appendix B. Platform-Specific Implementation Details"), which are satisfied by the @capacitor/browser plugin. (Section 8.12. Embedded User-Agents outlines why embedded web-view based implementations are not ideal, like the InAppBrowser plugin)

We are using now @capacitor/browser as the browsertab plugin which is implemented in the CordovaNativeAdapter in keycloak-js was not maintained anymore at the time of our implementation.

For that to work the redirectUri needs to be a Universal Link / Android App Links for Android or Associated Domain for iOS, which is an "arbitrary" domain we own (e.g. "app.companyName.com"), which would by default be different from the hostname where keycloak-js is initialized.

Potentially, it would be possible to set the hostname to the same domain that we use for the auth redirect to our app on the capacitor configs, but that would go against the recommendation to leave it as localhost for other potential purposes.

So for our implementation having an opt-in at least for allowing different redirects could make a lot of sense.