Content Security Policy

To use the default template pages to start an OIDC authentication flow, the Content Security Policy must permit the OIDC provider host.

A secure Content Security Policy prevents clients from submitting forms to arbitrary hosts. The default policy that is provided by the Reverse Proxy allows forms to be posted to 'self' only, that is, to the origin that served the page.

To ensure that the OIDC authentication flow can be completed with the default template pages, the form-action directive must be updated to permit the OIDC provider host.

For example, to permit the host myoidcprovider.com, update the default Content Security Policy in the Reverse Proxy configuration file to include the host:
[acnt-mgt]

http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self' https://myoidcprovider.com;}

For more information, see http-rsp-header.
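
The following check is an added example, not part of the Reverse Proxy product or its documentation. It parses an http-rsp-header entry in the format shown above and reports whether a form post to the OIDC provider would be permitted by form-action. The function names, the sample entries and the /authorize path are constructed for illustration, and source matching is simplified to an exact scheme and host comparison.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries in the page's http-rsp-header format.
PREFIX = "http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; "
DEFAULT_LINE = PREFIX + "form-action 'self';}"
UPDATED_LINE = PREFIX + "form-action 'self' https://myoidcprovider.com;}"
NO_FORM_ACTION = "http-rsp-header = content-security-policy:TEXT{default-src 'self';}"


def parse_csp(config_line):
    """Return {directive: [sources]} for a content-security-policy:TEXT{...} entry."""
    match = re.search(r"content-security-policy:TEXT\{(.*)\}", config_line, re.IGNORECASE)
    if not match:
        raise ValueError("no content-security-policy:TEXT{...} value found")
    policy = {}
    for part in match.group(1).split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour only the first occurrence of a repeated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def form_action_status(config_line, form_target):
    """Classify a form POST to form_target as permitted, blocked or unrestricted."""
    policy = parse_csp(config_line)
    if "form-action" not in policy:
        # form-action does not fall back to default-src, so nothing limits form targets.
        return "unrestricted"
    target = urlsplit(form_target)
    target_origin = (target.scheme.lower(), target.netloc.lower())
    for source in policy["form-action"]:
        if source == "*":
            return "permitted"
        src = urlsplit(source)
        # Simplified: exact scheme and host[:port] match only; 'self' never matches here.
        if (src.scheme.lower(), src.netloc.lower()) == target_origin:
            return "permitted"
    return "blocked"


if __name__ == "__main__":
    target = "https://myoidcprovider.com/authorize"  # constructed path
    for line in (DEFAULT_LINE, UPDATED_LINE, NO_FORM_ACTION):
        print(form_action_status(line, target))
```

An "unrestricted" result means the entry has no form-action directive at all, which leaves form targets unconstrained rather than limited by default-src.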