Keycloak's built-in login/account/admin themes inject inline <script> blocks and dynamically load scripts. This requires 'unsafe-inline' in script-src, which defeats the purpose of having a strict CSP.
Is there any supported mechanism in Keycloak 26.x to inject a per-request CSP nonce into the built-in themes WITHOUT writing a fully custom theme?
Following up here to understand:
Is there any interim workaround available today?
Is nonce support planned for any specific upcoming release?
Is there a simpler extension point (e.g. a SPI or theme hook) that avoids a full theme rewrite?
Any guidance appreciated. Happy to test solutions.
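As an added illustration of what a per-request nonce mechanism has to do (this is not Keycloak's code and not part of the discussion), the Python below mints a fresh nonce per response, emits it in `script-src`, stamps it on every `<script>` tag the template produces, and reports which inline scripts a given policy would still block. The HTML fragment is constructed to mimic a theme page with one external and one inline script; the function names (`stamp_nonce`, `blocked_inline_scripts`, `render_with_nonce`) and the `/resources/js/login.js` path are assumptions made for the example. It also shows why simply adding both `'unsafe-inline'` and a nonce does not help: browsers ignore `'unsafe-inline'` once a nonce or hash source is present.

```python
"""Per-request CSP nonce demo (added example, not Keycloak code).

Mint a nonce, put it in script-src, stamp it on <script> tags, and check
which inline scripts a policy would refuse to execute.
"""
import base64
import re
import secrets

SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
SRC_ATTR = re.compile(r"\bsrc\s*=", re.IGNORECASE)

# Constructed sample: an external script plus an inline block, the shape that
# forces 'unsafe-inline' if nothing stamps a nonce on the inline block.
CONSTRUCTED_PAGE = """<html><head>
<script src="/resources/js/login.js"></script>
<script>window.pageConfig = {realm: "demo"};</script>
</head><body></body></html>"""


def generate_nonce(num_bytes: int = 16) -> str:
    """Unpredictable per-response nonce; CSP requires a base64 value."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Strict policy: only scripts carrying this nonce (and scripts they load
    dynamically, via 'strict-dynamic') are allowed to run."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def stamp_nonce(html: str, nonce: str) -> str:
    """Add nonce="..." to each <script> opening tag lacking one.

    This is the template-side step: whatever renders the page must know the
    nonce that went into the response header for the same request."""
    def repl(m: re.Match) -> str:
        attrs = m.group(1)
        if NONCE_ATTR.search(attrs):
            return m.group(0)
        return f'<script nonce="{nonce}"{attrs}>'
    return SCRIPT_OPEN.sub(repl, html)


def script_sources(csp: str) -> list[str]:
    """Return the source list of the script-src directive of a CSP header."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def blocked_inline_scripts(html: str, csp: str) -> list[str]:
    """Opening tags of inline <script> blocks (no src=) the policy would block.

    Rules modelled: an inline script runs if its nonce attribute matches a
    'nonce-...' source; otherwise only 'unsafe-inline' permits it, and
    'unsafe-inline' is ignored whenever a nonce or hash source is present.
    External (src=) scripts are governed by host matching and are skipped."""
    sources = script_sources(csp)
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-"))
                   for s in sources)
    unsafe_inline_effective = ("'unsafe-inline'" in sources
                               and not nonces and not has_hash)
    blocked = []
    for m in SCRIPT_OPEN.finditer(html):
        attrs = m.group(1)
        if SRC_ATTR.search(attrs):
            continue
        found = NONCE_ATTR.search(attrs)
        if found and found.group(1) in nonces:
            continue
        if unsafe_inline_effective:
            continue
        blocked.append(m.group(0))
    return blocked


def render_with_nonce(html: str) -> tuple[str, str]:
    """One request: mint a nonce, stamp the markup, build the matching header."""
    nonce = generate_nonce()
    return stamp_nonce(html, nonce), build_csp(nonce)


if __name__ == "__main__":
    print("blocked without nonce:",
          blocked_inline_scripts(CONSTRUCTED_PAGE, "script-src 'self'"))
    page, header = render_with_nonce(CONSTRUCTED_PAGE)
    print("Content-Security-Policy:", header)
    print("blocked with nonce:", blocked_inline_scripts(page, header))
```

The check in `blocked_inline_scripts` is the one to run against a captured theme page and its response header: an empty result means the page can carry a nonce-only `script-src`; any remaining entries are the inline blocks the theme would have to emit with the nonce attribute.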