OAuth Redirection
Supported on: All Citrix Workspace supported platforms
Description
OAuth Redirection allows configuring URL patterns so that OAuth logins can be redirected over Bidirectional Content Redirection.
- OAuth Pattern: the list of URL regular expressions that, when redirected to the client via Host-to-Client URL redirection, are tracked as if an OAuth authentication flow had begun; when the flow completes, the resulting URL is redirected back into the Host VDA that initiated the flow. A semicolon ";" acts as the delimiter.
- OAuth Scheme: the scheme of the resulting URLs. If a scheme is specified, the terminating URL is expected to be of the form scheme://something. If the scheme is not specified (empty), the resulting URL is extracted from the pattern via a regular expression capture group, which must be present in the pattern. A semicolon ";" acts as the delimiter.
Note:
1) The number of pattern entries and scheme entries must match. If no scheme is specified for a pattern, just provide ";" for the empty scheme.
2) OAuth Redirection works only if Bidirectional Content Redirection is enabled.
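The rules above (matching entry counts, a capture group whenever the scheme is empty, scheme://... otherwise) are easy to get wrong when the two values are typed by hand. The following is an added example, not code from gporais.com or Citrix, that validates a proposed Pattern/Scheme pair before it is written to the registry and applies the completion rule to a terminating URL; the sample patterns, URLs and the use of citrix-oauth-redir as the scheme value are assumptions.

```powershell
# Added example (not from gporais.com or Citrix). Checks a proposed Pattern/Scheme
# pair against the rules in the policy description before it is written to the
# registry. Sample patterns, URLs and the 'citrix-oauth-redir' scheme are assumptions.
function Test-OAuthRedirectionConfig {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Scheme
    )
    $problems = New-Object System.Collections.Generic.List[string]
    # Both values are ';'-delimited lists; entry i of Scheme belongs to entry i of Pattern.
    $patterns = $Pattern -split ';'
    $schemes  = $Scheme  -split ';'
    if ($patterns.Count -ne $schemes.Count) {
        $problems.Add("Pattern has $($patterns.Count) entries but Scheme has $($schemes.Count); write ';' for each empty scheme")
    }
    for ($i = 0; $i -lt $patterns.Count; $i++) {
        $p = $patterns[$i]
        if ([string]::IsNullOrWhiteSpace($p)) { $problems.Add("Pattern entry $i is empty"); continue }
        try { $rx = [regex]::new($p) } catch { $problems.Add("Pattern entry $i is not a valid regex"); continue }
        $s = if ($i -lt $schemes.Count) { $schemes[$i] } else { '' }
        if ($s -eq '') {
            # Empty scheme: the resulting URL is taken from a capture group, so the pattern needs one.
            if ($rx.GetGroupNumbers().Count -lt 2) { $problems.Add("Pattern entry $i has neither a scheme nor a capture group") }
        } elseif ($s -notmatch '^[A-Za-z][A-Za-z0-9+.-]*$') {
            $problems.Add("Scheme entry $i ('$s') is not a valid URL scheme name")
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Get-OAuthResultUrl {
    # Applies the documented completion rule to one pattern/scheme entry: with a
    # scheme the terminating URL must be scheme://..., otherwise capture group 1 supplies it.
    param([string]$PatternEntry, [string]$SchemeEntry, [string]$TerminatingUrl)
    if ($SchemeEntry -ne '') {
        if ($TerminatingUrl.StartsWith("${SchemeEntry}://", [System.StringComparison]::OrdinalIgnoreCase)) { return $TerminatingUrl }
        return $null
    }
    $m = [regex]::Match($TerminatingUrl, $PatternEntry)
    if ($m.Success -and $m.Groups.Count -gt 1) { return $m.Groups[1].Value }
    return $null
}

# Entry 0 relies on the custom scheme; entry 1 has no scheme, so group 1 must capture the URL.
$pattern = '^https://login\.example\.com/.*;^https://idp\.example\.org/done\?next=(https://[^&]+)'
Test-OAuthRedirectionConfig -Pattern $pattern -Scheme 'citrix-oauth-redir;'
Test-OAuthRedirectionConfig -Pattern $pattern -Scheme 'citrix-oauth-redir'   # trailing ';' for the empty scheme omitted
Get-OAuthResultUrl -PatternEntry '^https://idp\.example\.org/done\?next=(https://[^&]+)' -SchemeEntry '' `
    -TerminatingUrl 'https://idp.example.org/done?next=https://app.example.com/home&state=1'
```

Run it against the values you intend to put in Pattern and Scheme; only write them with Set-ItemProperty once Valid is True.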
Registry
Software\Policies\Citrix\ICA Client\OAuth Redirection
Value name: AllowOAuthRedirection
Enabled: AllowOAuthRedirection = 1
Disabled: AllowOAuthRedirection = 0
This policy sets several registry values:
URL Protocol (under the key citrix-oauth-redir): URL Protocol = "" (empty string)
REG Builder
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: OAuth Redirection
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\OAuth Redirection]
"AllowOAuthRedirection"=dword:00000001
"Pattern"=""
"Scheme"=""
[HKEY_CURRENT_USER\Software\Classes\citrix-oauth-redir]
"URL Protocol"=""
PowerShell
# Exported from gporais.com
# Policy: OAuth Redirection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\OAuth Redirection'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'AllowOAuthRedirection' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'Pattern' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'Scheme' -Value '' -Type String
$path = 'HKCU:\Software\Classes\citrix-oauth-redir'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'URL Protocol' -Value '' -Type String
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: OAuth Redirection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        # A missing key or value is compliant only when the check expects absence.
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\OAuth Redirection' -Name 'AllowOAuthRedirection' -Expected 1 -Kind DWord)
    (Test-RegistryValue -Path 'HKCU:\Software\Classes\citrix-oauth-redir' -Name 'URL Protocol' -Expected '' -Kind String)
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\OAuth Redirection' -Name 'Pattern' -Expected '' -Kind String)
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\OAuth Redirection' -Name 'Scheme' -Expected '' -Kind String)
)
# Exit code 0 reports compliance; a non-zero exit makes Intune run the remediation script.
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: OAuth Redirection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\OAuth Redirection'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'AllowOAuthRedirection' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'Pattern' -Value '' -Type String
Set-ItemProperty -Path $path -Name 'Scheme' -Value '' -Type String
$path = 'HKCU:\Software\Classes\citrix-oauth-redir'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'URL Protocol' -Value '' -Type String
SCCM CI
# Exported from gporais.com
# Policy: OAuth Redirection
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script from the Intune Remediation section above.
# Remediation script: use the Remediation script from the Intune Remediation section above.
# Compliance rule: the Discovery script output equals 'Compliant'.