[keycloak-user] Significant SSL issue: Support for reverse proxies

Juraci Paixão Kröhling juraci at kroehling.de
Fri Jun 13 14:47:54 EDT 2014


On 06/13/2014 02:42 PM, Bill Burke wrote:
> Was the adapter not configured right?  It should be pointed to the 
> auth server's reverse-proxy URL.

Sorry, it seems I was wrong in saying that I had the exact same
problem. The problem wasn't an infinite redirect (I had this problem
earlier, but on my app sending redirects to the /auth).

The problems I had *this time* were in fact two:

- I have a redirect from http to https on nginx, and
Strict-Transport-Security on the https. With this setup, the first
request is always sent to https, and all subsequent requests are
automatically to https. On an out-of-the-box installation, when
hitting the admin console, Keycloak uses a redirect_uri with the
https, which renders an "invalid_uri".

- Manually changing the redirect_uri query parameter to http
makes it work, in the sense that I can log in as admin/admin and change
the password. After that, I get a blank screen. In Firebug, I see that
Firefox blocks mixed content (i.e., JavaScript from http://localhost
requested from https://localhost). The exact message on the console is:

> Blocked loading mixed active content
"http://192.168.122.202/auth/realms/master/tokens/access/codes"

keycloak.js line 278

Which is the place where I put the breakpoint and found out that the
generated URL is http, even though keycloak.js itself is loaded from
https.

But my setup is as I mentioned earlier: nginx in front of wildfly,
with nginx being the only part caring about SSL. Making the proxy talk
with Wildfly also on SSL makes the problem go away.

- Juca.
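
The failure described in the message above, as an added example that is not part of the original post and not Keycloak's code: a backend behind a TLS-terminating proxy builds absolute URLs from the scheme of its own connection unless it honours a forwarded-scheme header sent by a trusted proxy. The `X-Forwarded-Proto` handling, the trusted proxy address, the page URL and all function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the TLS-terminating proxy (nginx) runs on the same host.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def external_base(conn_scheme, host, peer_ip, headers, trust_forwarded):
    """Return the scheme://host the backend believes the browser is using."""
    scheme = conn_scheme
    if trust_forwarded:
        peer = ipaddress.ip_address(peer_ip)
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        # Honour the header only from a known proxy and only for known
        # values; any other client could set it to whatever it likes.
        if proto in ("http", "https") and any(peer in net for net in TRUSTED_PROXIES):
            scheme = proto
    return f"{scheme}://{host}"

def is_mixed_active_content(page_url, resource_url):
    """True when an https page requests a script/XHR URL over plain http."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(resource_url).scheme == "http")

# Constructed request as the backend sees it: the proxy spoke plain HTTP to it.
HOST = "192.168.122.202"
HEADERS = {"X-Forwarded-Proto": "https"}
PAGE = f"https://{HOST}/auth/"  # constructed page URL, loaded over https
TOKEN_PATH = "/auth/realms/master/tokens/access/codes"

def token_url(trust_forwarded, peer_ip="127.0.0.1"):
    """Absolute token endpoint URL as the backend would generate it."""
    base = external_base("http", HOST, peer_ip, HEADERS, trust_forwarded)
    return base + TOKEN_PATH

if __name__ == "__main__":
    for trust in (False, True):
        url = token_url(trust)
        verdict = "blocked" if is_mixed_active_content(PAGE, url) else "ok"
        print(f"trust_forwarded={trust}: {url} -> {verdict}")
```
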

