This information is intended for system administrators of DRACOON environments where OpenID Connect is already used for login. For these environments, the existing DRACOON settings have to be adjusted in the OpenID provider configuration: An additional redirect URI needs to be added.
What is a redirect URI?
When using OpenID Connect, so-called redirect URIs are used. Redirect URIs are provided by applications that support OpenID Connect, such as DRACOON. Redirect URIs serve as a communication interface between the OpenID provider (IDP), which does the user authentication, and the target application (e.g. DRACOON), which performs the subsequent user authorization.
The respective OpenID provider must be aware of all required redirect URIs of the applications connected via OpenID Connect so that it can call the redirect URIs after each successful user authentication and thus the subsequent login to the respective application is possible using the token transferred in the redirect URI.
What are the changes in DRACOON regarding the redirect URI?
The redirect URI of DRACOON is currently /oauth/perform-login.
In the future, /oauth/openid-callback will be used as redirect URI instead.
For DRACOON cloud users the change will be effective this summer 2020 (exact date will be provided), for on-premises users with the next LTS release of DRACOON.
Example: If your environment hosted on the DRACOON cloud can be reached at
https://dracoon.company.com, the redirect URI for this is currently
https://dracoon.company.com/oauth/perform-login. As of August 1st, the redirect URI would be changed to
What needs to be done?
If your users sign in to DRACOON using OpenID Connect, you have to add the new redirect URI /oauth/openid-callback in the configuration of your OpenID provider for DRACOON, so that signing in to DRACOON continues to work after August 1st (on the DRACOON cloud) or after the next LTS release (for on-premises users), respectively.
Can the existing redirect URI simply be replaced with the new one?
No, because the previous redirect URI /oauth/perform-login is still needed for a transitional period. As a result, you should add the new redirect URI /oauth/openid-callback in the configuration of your OpenID provider for DRACOON and keep the current entry /oauth/perform-login until further notice.
Where exactly must the new redirect URI be specified?
The new redirect URI must be specified in the configuration application of your OpenID provider (e.g. Keycloak or Azure Active Directory) for the "DRACOON" application in addition to the current entry.
- Sign in to the Keycloak configuration application.
- In the navigation pane, click Clients.
- In the table of clients, click Edit next to the DRACOON entry.
- On the Settings tab, under Valid RedirectURIs, add the new redirect URI /oauth/openid-callback in the empty text box below the existing entries (enter the complete URL including https://), and click the plus button on the right.
- Sign in to the Azure portal.
- In the left navigation bar, click Azure Active Directory.
- Click App registrations.
- In the table of apps, click the entry for DRACOON.
- On the App Overview page, click Authentication.
- Under Redirect URIs, add the new redirect URI /oauth/openid-callback in the empty text box below the existing entries (enter the complete URL including https:// etc.),
Do settings have to be changed in DRACOON as well?
No, the redirect URI change must only be made in the configuration of the OpenID provider—no configuration changes are required in DRACOON itself.
How can I get help or support?
If you have any questions or need assistance regarding this chance, contact DRACOON support.