mirror of
https://github.com/keycloak/keycloak.git
CVE-2023-6291 keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (#57)
* Remove lowercase for the hostname as recommended/advised by OAuth spec

Closes https://github.com/keycloak/keycloak/issues/25001

Signed-off-by: rmartinc <rmartinc@redhat.com>

* Strip off user-info from redirect URI when validating using wildcard

Closes https://issues.redhat.com/browse/RHBK-679

Signed-off-by: rmartinc <rmartinc@redhat.com>

---------

Signed-off-by: rmartinc <rmartinc@redhat.com>
@@ -0,0 +1,7 @@
= Valid redirect URIs for clients are always compared with exact string matching
Version 1.8.0 introduced a lower-case for the hostname and scheme when comparing a redirect URI with the specified valid redirects for a client. Unfortunately it did not fully work in all the protocols, and, for example, the host was lower-cased for `http` but not for `https`. As https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-protecting-redirect-based-f[OAuth 2.0 Security Best Current Practice] advises to compare URIs using exact string matching, {project_name} will follow the recommendation and for now on valid redirects are compared with exact case even for the hostname and scheme.
For realms relying on the old behavior, the valid redirect URIs for their clients should now hold separate entries for each URI that should be recognized by the server.
Although it introduces more steps and verbosity when configuring clients, the new behavior enables more secure deployments as pattern-based checks are frequently the cause of security issues. Not only due to how they are implemented but also how they are configured.
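Review bot: the migration note covers only the first bullet of the commit message (exact-case comparison of scheme and hostname) and says nothing about the second one, stripping user-info from the redirect URI when a wildcard entry is validated (RHBK-679); since that is also a behaviour change visible to administrators, a sentence describing it belongs in this same note. In the third paragraph, "for now on valid redirects are compared" should read "from now on valid redirect URIs are compared", and "introduced a lower-case for the hostname and scheme" reads more naturally as "introduced lower-casing of the hostname and scheme". The second paragraph would also be clearer with a concrete example of what "separate entries" means, for instance that a redirect to `https://App.example.com/callback` no longer matches an entry `https://app.example.com/*` and must be added as its own entry if that spelling has to be accepted.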
@@ -1,5 +1,9 @@
== Migration Changes
=== Migrating to 22.0.7
include::changes-22_0_7.adoc[leveloffset=3]
=== Migrating to 22.0.4
include::changes-22_0_4.adoc[leveloffset=3]