Keycloak documentation PR : https://github.com/keycloak/keycloak-documentation/pull/1270/files
Merged with related PR into this PR.
You could see previous discussion in the merged PR.

Our goal was to do no database changes. However, for logo_uri some SAML clients use data:image and the logo_uri length is over 4000 characters. Current database length for VALUE field of CLIENT_ATTRIBUTES is insufficient.
We believe that we should create a new field in ClientEntity for logo_uri with text format or make VALUE field clob. What do you believe?

@cgeorgilakis I don't think we can change the column to a CLOB. I remember @hmlnarik being against that a long time ago.

A separate field sounds too much for me.

Aren't these URLs too big? Any chance you can try to have them shorter and fit the size?

@mposolda I think this one is a nice improvement to consent. Are you able to check if anything else is missing?

@cgeorgilakis I don't think we can change the column to a CLOB. I remember @hmlnarik being against that a long time ago.

A separate field sounds too much for me.

Aren't these URLs too big? Any chance you can try to have them shorter and fit the size?

I agree with @hmlnarik, because Keycloak use CLIENT_ATTRIBUTES for many client attributes.

These is configuration in some existing SAML client( in edugain f.e.) . I can not change them.

Examples url can be found in edugain metadata. md:SPSSODescriptor is for SAML clients. For example see SP with entityId = https://ssotest.sifulan.my/shibboleth.

If this is a blocking issue for accepting PR for you, could you accept it without any db change and propose a solution for our case ( maybe other Keycloak users)?

@cgeorgilakis In general it is LGTM, mainly the OIDC related changes. We also need some feedback from @ssilvert (new console changes) and @hmlnarik (SAML).

One thing I'm wondering is whether it makes sense to add this for SAML too? Or at least include now the OIDC related changes (which are backed by specs) and deal with SAML in a subsequent PR, if necessary?

Our main use case and goal is OIDC clients. However, SAML clients exist also and changes is strain forward to be added. The only problem is related to SAML logoUri ( see my other comments).

Another thing, is there anything else we can do to avoid XSS/CSRF when rendering those URLs? For instance, bad admins should be able to exploit sites vulnerable to CSRF (e.g.: in images). Not sure if we need to worry about that or if there is anything else we can do help to mitigate this.

I do not know about it. How do you deal with it in other client URIs? I use same check method except from logoUri.

About missing/tests, my problem is that the changes is in consent (ui). How do you test other consent components?

@cgeorgilakis W.r.t. SAML, not so straightforward if compared to the OIDC code you had to change :) Plus the tests we also need to add to SAML.

Another point I have on this one is that consent is probably more related to OIDC? I mean, that is what our community is most interested about?

W.r.t. to tests, here is an example

@cgeorgilakis W.r.t. SAML, not so straightforward if compared to the OIDC code you had to change :) Plus the tests we also need to add to SAML.

Another point I have on this one is that consent is probably more related to OIDC? I mean, that is what our community is most interested about?

Sure. If you ensist, I can seperate two PRs. Keep this one for OIDC and make another for SAML after this has been approved.

I have also added tests for OIDC. Thanks.