Content Security Policy directive: "form-action 'self' error
zynzszyn521 opened this issue · 1 comments
Hello,
I am using NGINX to deploy Keycloak as an authentication center. When Content Security Policy (CSP) is not set, the login works fine. However, when CSP is configured, I encounter the following error:
auth:1 Refused to send form data to 'https://fuse.xxx.com/auth/realms/master/login-actions/authenticate?session_code=Fjggb8SFpX6uaCkMbePyAt-asMwau0NvWnr3cWYEcLA&execution=a5833fb9-308a-4f1b-a12b-12b84594547d&client_id=fuse.mobile.client&tab_id=8VYUmyB6zIA' because it violates the following Content Security Policy directive: "form-action 'self' https://*.xxx.com https://localhost:5173".
I suspect this issue might be related to the redirectUrl. The URI schema might be interpreted as a URL, causing the CSP check to fail. How should I resolve this? The authentication center itself is fine, as other web applications do not experience this issue.
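To see how a browser decides whether a `form-action` source list permits a submission, here is a small matcher added as an example; it is not code from the issue author, from Keycloak or from the SDK project. It implements the CSP host-source matching rules in simplified form (no IPv6 literals, no report-only handling) and evaluates the directive and URL quoted in the error above. The page origin `https://fuse.xxx.com` is an assumption, since the post does not state where the login page is served from; `https://app.example` and the other targets are constructed.

```javascript
// Default ports per scheme; URL.port is "" for a default port, so normalise to an explicit string.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// A source scheme matches the URL scheme exactly or via the http->https / ws->wss upgrade rule.
function schemeOk(wanted, actual) {
  wanted = wanted.toLowerCase();
  actual = actual.toLowerCase().replace(/:$/, "");
  return wanted === actual || (wanted === "http" && actual === "https") || (wanted === "ws" && actual === "wss");
}

// Host match with the CSP wildcard: "*.xxx.com" matches any subdomain but not the apex "xxx.com".
function hostOk(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".xxx.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression allow a submission to `url` from a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const o = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") {
    return u.protocol === o.protocol && u.hostname === o.hostname && effectivePort(u) === effectivePort(o);
  }
  if (source.endsWith(":") && !source.includes("/")) return schemeOk(source.slice(0, -1), u.protocol);
  // host-source: [scheme://]host[:port][/path]; a missing scheme means the page's scheme
  let scheme = o.protocol.slice(0, -1);
  let rest = source;
  const idx = source.indexOf("://");
  if (idx !== -1) { scheme = source.slice(0, idx); rest = source.slice(idx + 3); }
  const slash = rest.indexOf("/");
  const hostport = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? "" : rest.slice(slash);
  const colon = hostport.lastIndexOf(":"); // simplification: IPv6 literals are not handled
  const host = colon === -1 ? hostport : hostport.slice(0, colon);
  const port = colon === -1 ? "" : hostport.slice(colon + 1);
  if (!schemeOk(scheme, u.protocol) || !hostOk(host, u.hostname)) return false;
  if (port === "*") {
    // any port
  } else if (port) {
    if (port !== effectivePort(u)) return false;
  } else if (effectivePort(u) !== DEFAULT_PORTS[u.protocol]) {
    return false; // no port in the source means the scheme's default port only
  }
  if (path && path !== "/") return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
  return true;
}

// Returns { allowed, matchedSource }. A policy with no form-action directive does not restrict submissions.
function checkFormAction(policy, url, pageOrigin) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "form-action") {
      for (const source of tokens.slice(1)) {
        if (sourceMatches(source, url, pageOrigin)) return { allowed: true, matchedSource: source };
      }
      return { allowed: false, matchedSource: null };
    }
  }
  return { allowed: true, matchedSource: "(no form-action directive)" };
}

// The directive and submission URL quoted in the error above; the page origin is an assumption.
const POLICY = "form-action 'self' https://*.xxx.com https://localhost:5173";
const SUBMIT_URL = "https://fuse.xxx.com/auth/realms/master/login-actions/authenticate"
  + "?session_code=Fjggb8SFpX6uaCkMbePyAt-asMwau0NvWnr3cWYEcLA"
  + "&execution=a5833fb9-308a-4f1b-a12b-12b84594547d&client_id=fuse.mobile.client&tab_id=8VYUmyB6zIA";
const PAGE_ORIGIN = "https://fuse.xxx.com"; // assumption: the login form is served from the same host

const cases = [
  [PAGE_ORIGIN, SUBMIT_URL],
  ["https://app.example", SUBMIT_URL],
  ["https://app.example", "https://xxx.com/login"],          // apex is not covered by *.xxx.com
  ["https://app.example", "http://fuse.xxx.com/login"],      // scheme downgrade is not allowed
  ["https://app.example", "https://localhost/callback"],     // port 443 is not 5173
];
for (const [origin, target] of cases) {
  console.log(origin, "->", target.slice(0, 40), checkFormAction(POLICY, target, origin));
}
```

With the quoted directive, the quoted URL is allowed both by `'self'` (if the page is on `fuse.xxx.com`) and by `https://*.xxx.com`, so the literal check passes. That points away from the source list itself and towards the policy the browser actually enforced: when more than one `Content-Security-Policy` header reaches the browser (for example one added by NGINX and one by the application), every policy is enforced and the submission must satisfy each of them, and Chromium also evaluates `form-action` against the redirect targets of a submission, so a redirect to a host outside the list is reported with the same message. Checking the response headers in the browser's network panel for the exact `form-action` value on the failing page is the quickest way to confirm which case applies.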
Based on what you shared, my understanding is that this is more about the setup of your auth server, so I am not able to provide guidance on this. I don't know what you shared (e.g. CSP) means either. When it comes to the redirect URI, the native AppAuth SDKs support having URLs provided you set things up correctly based on what each platform requires to process URLs. These requirements are actually set by the native platform, not the SDKs. You'll need to do some reading on what those are.
I can also see a reference to localhost in the snippet you shared. I don't know what that was meant to represent, but note that you shouldn't be setting any redirect URI to be a localhost URL. This is because it'll be a reference to the auth server itself.