OIDC valid redirect URI with wildcard host on port :8006

I have multiple Proxmox PVE & PBS servers, and though they are on 3 domains, each has a different hostname, but all on https:// port 8006.

Adding each FQDN with port 8006 (or 8007 for PBS) to the list of Valid Redirect URLs, it does become quite painful to add like 20 entries that are changing - it defeats the purpose of SSO.

How else should I configure these hosts and not have a plethora of valid redirect URIs?

Having wildcards and/or regex in redirect URIs might lead to attack vectors. Security is not about convenience for administrators.
In the next version of OAuth, version 2.1, configured redirect URIs in the authorization server MUST be compared using exact string matching, because of reasons. There won’t be any wildcards/regex anymore.

See draft-ietf-oauth-v2-1-12

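As an added illustration of the point made in the answer above (this is not Keycloak's code and not the OP's configuration), the block below compares the OAuth 2.1 exact-string check with the wildcard-host entry the question asks for. All hostnames and URIs are constructed for the example.

```python
"""Redirect-URI checks: exact string matching versus a wildcard host.

Added example for the answer above; it is not Keycloak's code and not the
OP's configuration. Hostnames and URIs are constructed for the example.
"""
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

# Constructed registration: one exact entry per node, as the answer recommends.
REGISTERED = frozenset({
    "https://pve1.example.test:8006/",
    "https://pve2.example.test:8006/",
    "https://pbs1.example.test:8007/",
})

# The kind of entry the question asks for: any host under the domain, port 8006.
WILDCARD_PATTERN = "https://*.example.test:8006/"


def exact_match(requested: str, registered: frozenset = REGISTERED) -> bool:
    """OAuth 2.1 rule: the redirect_uri from the authorization request must be
    byte-for-byte equal to a registered value. Nothing is parsed or normalised,
    so there is nothing for a lookalike to slip through."""
    return requested in registered


def glob_match(requested: str, pattern: str = WILDCARD_PATTERN) -> bool:
    """Wildcard host implemented with a plain glob. '*' knows nothing about URL
    structure: it swallows '/', '#' and '?', so the pattern also accepts URIs
    whose real host is somewhere else entirely."""
    return fnmatchcase(requested, pattern)


def real_host(requested: str) -> Optional[str]:
    """The host the browser would actually deliver the authorization code to."""
    return urlsplit(requested).hostname


def evaluate(requested: str) -> dict:
    """Both verdicts plus the host the browser resolves, side by side."""
    return {
        "exact": exact_match(requested),
        "glob": glob_match(requested),
        "host": real_host(requested),
    }


if __name__ == "__main__":
    for uri in (
        "https://pve1.example.test:8006/",   # registered node
        "https://pve3.example.test:8006/",   # new node, not yet registered
        # Constructed lookalike: the host is other-host.example.invalid; the
        # registered domain only appears after the '#'.
        "https://other-host.example.invalid/#.example.test:8006/",
    ):
        print(uri, evaluate(uri))
```

Exact matching rejects the unregistered `pve3` node until an administrator adds it, which is exactly the cost the thread is about; the glob accepts it, but it also accepts the third URI even though its host is an unrelated domain. That gap is why the 2.1 draft drops pattern matching.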

yeah, common sense vs idiots, and you’ll have to protect idiots without common sense against themselves ;(

Correctly configured, it’ll be easy and secure, but I don’t disagree about those that can’t think through the security when it’s “just allowed”

Thanks for the 2.1 draft clarification, though I do know and can accept the risks in my situation; others can't and will mess it up ;(

Seems you are doing an ‘uncommon’ setup anyway, as each target client should use its own client in Keycloak, so you would have only one valid redirect URL there anyway. SSO happens on the realm level, so if logged in to the realm once, all clients are logged in. While 20 seems a small number (and I would expect that to not change too often), you could always use the API to script client creation.

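To make the "script it through the API" suggestion concrete, here is an added example (not Keycloak's code and not part of the thread) that keeps a client's Valid Redirect URIs in step with a node inventory, using exact entries only. It assumes a Keycloak base URL without the legacy `/auth` prefix, an admin account in the master realm authenticating with the password grant against the built-in `admin-cli` client, and a client that already exists in the target realm; the node inventory is constructed.

```python
"""Keep a Keycloak client's Valid Redirect URIs in step with a node inventory.

Added example for the reply above (script it through the admin API). It is
not Keycloak's code and not part of the thread. Assumptions: a Keycloak base
URL without the legacy /auth prefix, an admin account in the master realm
(password grant against the built-in admin-cli client), and a client that
already exists in the target realm. The node inventory is constructed.
"""
import getpass
import json
import sys
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Constructed inventory: PVE nodes on 8006, PBS on 8007. In practice this
# would come from the cluster membership list or a CMDB.
NODES: Dict[str, int] = {
    "pve1.example.test": 8006,
    "pve2.example.test": 8006,
    "pbs1.example.test": 8007,
}


def build_redirect_uris(nodes: Dict[str, int], path: str = "/") -> List[str]:
    """One exact https URI per node, no wildcards; sorted for stable diffs."""
    return sorted(f"https://{host}:{port}{path}" for host, port in nodes.items())


def plan_redirect_uris(client_rep: dict, desired: List[str]) -> Tuple[dict, List[str], List[str]]:
    """Return (updated representation, added, removed). The input is not
    mutated, and decommissioned nodes are dropped rather than left behind."""
    current = list(client_rep.get("redirectUris", []))
    added = [u for u in desired if u not in current]
    removed = [u for u in current if u not in desired]
    updated = dict(client_rep)
    updated["redirectUris"] = list(desired)
    return updated, added, removed


def _call(method: str, url: str, body: bytes = None, content_type: str = None, token: str = None):
    """Minimal JSON-aware HTTP helper; a 204 from PUT yields None."""
    headers = {}
    if content_type:
        headers["Content-Type"] = content_type
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(base: str, username: str, password: str) -> str:
    """Password grant on the master realm's token endpoint via admin-cli."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    data = _call("POST", f"{base}/realms/master/protocol/openid-connect/token",
                 form, "application/x-www-form-urlencoded")
    return data["access_token"]


def sync_client(base: str, realm: str, client_id: str, token: str,
                nodes: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Look the client up by clientId, then PUT the full representation back
    only if the redirect list actually changed."""
    query = urllib.parse.urlencode({"clientId": client_id})
    matches = _call("GET", f"{base}/admin/realms/{realm}/clients?{query}", token=token)
    if len(matches) != 1:
        raise SystemExit(f"expected exactly one client named {client_id!r}, got {len(matches)}")
    rep = matches[0]
    updated, added, removed = plan_redirect_uris(rep, build_redirect_uris(nodes))
    if added or removed:
        _call("PUT", f"{base}/admin/realms/{realm}/clients/{rep['id']}",
              json.dumps(updated).encode(), "application/json", token)
    return added, removed


if __name__ == "__main__":
    if len(sys.argv) != 5:
        raise SystemExit(f"usage: {sys.argv[0]} BASE_URL REALM CLIENT_ID ADMIN_USER")
    base_url, realm_name, kc_client, admin_user = [a.rstrip("/") for a in sys.argv[1:]]
    tok = admin_token(base_url, admin_user, getpass.getpass("admin password: "))
    added_uris, removed_uris = sync_client(base_url, realm_name, kc_client, tok, NODES)
    print("added:", added_uris)
    print("removed:", removed_uris)
```

The update needs an administrative credential (an admin user as here, or a service account holding the realm's `manage-clients` role); a client's own OIDC credentials cannot change its redirect URIs, so node provisioning has to carry an admin token or hand the task to a central job that does.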

Uncommon for a small sysadmin team to manage multiple clusters and servers in a trusted DNS environment?

When I add a node to the PVE cluster, it gets the cluster’s realm information, so it’s the same realm client for the whole cluster. The problem now is that I need to either add each member of the cluster (yeah yeah I hear API and that is a developer solution, not a SysAdmin solution, but I hear and understand your p.o.v.) to the validURI list, and adding a new server now needs to be a specific task, which I hear API again, but it’s the same cluster, the same (sub)domain, just another hostname (and here I’m in full control of the (sub)domain which I trust), just an extra hostname on a specified port for all.

Q: Would the new host be able to use the normal OIDC endpoints and client key for that self registration/validRedirectURI update? If not, then it’s not going to assist me in automating from my sysAdmin perspective.

In any case, I see the reasonings, and believe I’m trying to fit a SysAdmin problem in a Developers environment, and no DevOps in this case is failing me, thus THAT IS NOT A REFLECTION ON THE PROJECT, just my own requirements being a mismatch ;)

Thank you for answering, but I also found other reasons Keycloak will not be a good fit for my case, but rather a pure LDAP solution (groups and PVE as an example).