[keycloak-user] Significant SSL issue: Support for reverse proxies
Juraci Paixão Kröhling
juraci at kroehling.de
Fri Jun 13 14:47:54 EDT 2014
On 06/13/2014 02:42 PM, Bill Burke wrote:
> Was the adapter not configured right? It should be pointed to the
> auth server's reverse-proxy URL.
Sorry, it seems I was wrong in saying that I had the exact same
problem. The problem wasn't an infinite redirect (I had this problem
earlier, but on my app sending redirects to the /auth).
The problems I had *this time* were in fact two:
- I have a redirect from http to https on nginx, and
Strict-Transport-Security on the https. With this setup, the first
request is always sent to https, and all subsequent requests are
automatically to https. On an out-of-the-box installation, when
hitting the admin console, Keycloak uses a redirect_uri with the
https, which renders an "invalid_uri".
- Manually changing the redirect_uri query parameter to http
makes it work, in the sense that I can log in as admin/admin and change
the password. After that, I get a blank screen. On Firebug, I see that
requested from https://localhost). The exact message on the console is:
> Blocked loading mixed active content
keycloak.js line 278
Which is the place where I put the breakpoint and found out that the
generated URL is http, even though keycloak.js itself is loaded from
But my setup is as I mentioned earlier: nginx in front of wildfly,
with nginx being the only part caring about SSL. Making the proxy talk
with Wildfly also on SSL makes the problem go away.
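
The failure described in the message above, modelled as an added example that is not part of the original post or of Keycloak's code: a backend behind a TLS-terminating proxy builds absolute URLs from the scheme it sees on its own socket, and the browser's mixed-content rule then rejects them. The `X-Forwarded-Proto` header, the trusted-proxy check, the sample addresses and all function names are assumptions made for illustration.

```javascript
// Added illustration; names, header handling and addresses are hypothetical.
const TRUSTED_PROXIES = new Set(["127.0.0.1"]); // constructed: nginx on the same host

// Scheme the backend uses when it builds absolute URLs (redirect_uri, script URLs).
function externalScheme(req, honorForwarded) {
  const fromProxy = TRUSTED_PROXIES.has(req.peer);
  const fwd = req.headers["x-forwarded-proto"];
  // Honor the header only when the direct peer is the proxy; any client can send it.
  if (honorForwarded && fromProxy && (fwd === "http" || fwd === "https")) return fwd;
  return req.tls ? "https" : "http"; // what the backend sees on its own socket
}

function baseUrl(req, honorForwarded) {
  return `${externalScheme(req, honorForwarded)}://${req.headers.host}/auth`;
}

// Browser rule behind "Blocked loading mixed active content":
// an https page may not load active content (scripts, XHR) over http.
function isMixedActiveContent(pageUrl, resourceUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(resourceUrl).protocol === "http:";
}

// Constructed request as the backend sees it: plain http from the proxy,
// which terminated TLS and recorded the original scheme in a header.
const viaProxy = {
  peer: "127.0.0.1", tls: false,
  headers: { host: "localhost", "x-forwarded-proto": "https" },
};
// Constructed request from another peer that sets the same header itself.
const untrustedPeer = {
  peer: "203.0.113.9", tls: false,
  headers: { host: "localhost", "x-forwarded-proto": "https" },
};

const page = "https://localhost/"; // constructed: page loaded through the proxy

// Backend ignores the proxy's header: http URL, blocked on the https page.
console.log(baseUrl(viaProxy, false), isMixedActiveContent(page, baseUrl(viaProxy, false)));
// Backend honors the header from the trusted proxy: https URL, not blocked.
console.log(baseUrl(viaProxy, true), isMixedActiveContent(page, baseUrl(viaProxy, true)));
// Header from an untrusted peer is ignored, so the socket scheme is used.
console.log(baseUrl(untrustedPeer, true));
```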