Class ClientHostUtils

java.lang.Object
org.keycloak.protocol.oidc.utils.ClientHostUtils

public class ClientHostUtils extends Object
Utility class for validating client host values against a client's registered URLs. It is used to prevent SSRF attacks by ensuring that dynamic host values (such as client_session_host) only reference hosts that are already configured and trusted for the client. Resolves [CVE-2026-4874] Server-Side Request Forgery via OIDC token endpoint.
  • Constructor Details

    • ClientHostUtils

      public ClientHostUtils()

  • Method Details

    • isHostAllowedForClient

      public static boolean isHostAllowedForClient(String hostname, ClientModel client, KeycloakSession session)

      Validates that a hostname matches one of the client's registered cluster nodes or the host of its management URL (Admin URL). This validation prevents SSRF attacks by ensuring that (1) only the hostname of the client's Management/Admin URL can be used, and (2) only hostnames matching the client's registered cluster nodes can be used; any other host is rejected.

      Parameters:
        hostname - the hostname to validate
        client - the client model containing registered URLs
        session - the Keycloak session for URL resolution

      Returns:
        true if the hostname matches a registered client URL, false otherwise
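As an added illustration (not Keycloak's own code), the following Python mirrors the allow-list rule documented above: a hostname is accepted only if it equals the host of the client's Management/Admin URL or one of its registered cluster node names, compared by exact match after URL parsing rather than by substring. The management URL and the registered-node map are constructed sample values standing in for what `ClientModel` would provide.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit


def host_of(url: Optional[str]) -> Optional[str]:
    """Return the lower-cased host component of a URL, or None if absent/unparseable.

    A real URL parser is used on purpose: in "http://trusted.example@other.example/"
    the host is other.example (the trusted name is only userinfo), and in
    "http://other.example/trusted.example" the trusted name is only in the path.
    Substring or prefix checks would accept both; host comparison does not.
    """
    if not url:
        return None
    try:
        # .hostname is already lower-cased and has IPv6 brackets stripped.
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_host_allowed_for_client(hostname: str,
                               management_url: Optional[str],
                               registered_nodes: Dict[str, int]) -> bool:
    """Allow-list check in the spirit of isHostAllowedForClient.

    True only when `hostname` equals the host of the client's Management/Admin URL
    or one of its registered cluster node names. A missing management URL simply
    removes that option; it never widens the allow-list.
    """
    if not hostname:
        return False
    candidate = hostname.strip().lower()
    if candidate == host_of(management_url):
        return True
    return any(candidate == node.strip().lower() for node in registered_nodes)


# Constructed sample client registration (not real Keycloak data).
# Registered nodes are modelled as hostname -> registration timestamp.
SAMPLE_MANAGEMENT_URL = "https://app.internal.example:8443/admin"
SAMPLE_REGISTERED_NODES = {
    "node1.internal.example": 1700000000,
    "node2.internal.example": 1700000060,
}
```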