OIDC: Recommended Redirect URI is too open #6142

@danimo

Description

The documentation recommends using

https://<GREENLIGHT_HOSTNAME>/*

as the allowed Redirect URI. This is unsafe, as it becomes vulnerable in conjunction with an arbitrary vulnerability. Hence, it is best practice, and indeed required by some OIDC Identity Providers like Entra ID (which will now silently fail on wildcard URIs), to specify the precise list of URLs that may be redirected to. It should thus recommend:

https://<GREENLIGHT_HOSTNAME>/auth/openid_connect/callback

For subdirectory install, the subdirectory (i.e., $GL_PATH) might need to be added:

https://<GREENLIGHT_HOSTNAME>$GL_PATH/auth/openid_connect/callback

But since I don't run a setup with GL_PATH, I can't test it trivially.
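The difference between the two recommendations can be seen by running a few candidate redirect URIs through both matching rules. The following is an added illustration, not Greenlight's or any IdP's code; the hostname, the `/gl` subdirectory prefix and the sample candidate URIs are constructed placeholders.

```python
import fnmatch

# Constructed placeholders: a Greenlight host, and a subdirectory prefix standing in for $GL_PATH.
GREENLIGHT_HOSTNAME = "greenlight.example.org"
GL_PATH = "/gl"                         # "" for a root install, "/gl" for a subdirectory install
CALLBACK_PATH = "/auth/openid_connect/callback"


def registered_redirect_uris(hostname: str, gl_path: str = "") -> list[str]:
    """The exact redirect URI(s) to register with the IdP, as the issue recommends."""
    return [f"https://{hostname}{gl_path}{CALLBACK_PATH}"]


def wildcard_allows(candidate: str, pattern: str) -> bool:
    """The loose rule the issue warns against: 'https://host/*' matches every path on the host."""
    return fnmatch.fnmatchcase(candidate, pattern)


def exact_allows(candidate: str, allowlist: list[str]) -> bool:
    """Plain string comparison against the registered list (no prefixes, no normalisation)."""
    return candidate in allowlist


def compare(candidates: list[str], hostname: str, gl_path: str = "") -> dict[str, tuple[bool, bool]]:
    """For each candidate: (accepted by the wildcard rule, accepted by exact matching)."""
    wildcard = f"https://{hostname}/*"
    allowlist = registered_redirect_uris(hostname, gl_path)
    return {c: (wildcard_allows(c, wildcard), exact_allows(c, allowlist)) for c in candidates}


# Constructed sample candidates: the real callback, the same callback with extra query data,
# the callback under the subdirectory prefix, and an unrelated path on the same host.
SAMPLE_CANDIDATES = [
    f"https://{GREENLIGHT_HOSTNAME}{CALLBACK_PATH}",
    f"https://{GREENLIGHT_HOSTNAME}{CALLBACK_PATH}?x=1",
    f"https://{GREENLIGHT_HOSTNAME}{GL_PATH}{CALLBACK_PATH}",
    f"https://{GREENLIGHT_HOSTNAME}/some/other/path",
]

if __name__ == "__main__":
    for gl_path in ("", GL_PATH):
        print(f"--- GL_PATH={gl_path!r}: registered {registered_redirect_uris(GREENLIGHT_HOSTNAME, gl_path)}")
        for uri, (wild, exact) in compare(SAMPLE_CANDIDATES, GREENLIGHT_HOSTNAME, gl_path).items():
            print(f"wildcard={wild!s:5} exact={exact!s:5} {uri}")
```

With the wildcard every candidate is accepted, so any redirect-capable endpoint on the host extends the trusted set; with exact matching only the registered callback (root or `$GL_PATH` form, whichever was registered) passes.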