[keycloak-user] Reverse Proxy - SSL Termination - Invalid parameter: redirect uri

Derek Visch derek.visch at gmail.com
Mon Aug 1 16:58:41 EDT 2016 

Ended up figuring this out, just to save whatever poor soul has to go down
the same/similar path here's what I did. I'm curious why I didn't get any
errors when running keycloak with debug logging turned on as this must be
some kind of host re-write problem with wildfly/keycloak.

First the only configuration I had to set in standalone.xml was (I removed
all the other custom configurations I had in place the rest is the vanilla
standalone.xml )
<http-listener name="http-default" socket-binding="http"
redirect-socket="https" proxy-address-forwarding="true"/>

Wildfly10 Docs for this:
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration

Nginx configuration:

server {
  listen 80;
  server_name keycloak_testing.leveldatadevelopment.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name keycloak_testing.leveldatadevelopment.com;

  ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
  ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;

  location / {
    proxy_set_header        *Host $host*;
    proxy_set_header        X-Real-IP $remote_addr; #*Not sure this is
needed for wildfly/keycloak*
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;

    proxy_pass http://0.0.0.0:8080;
  }
}


Note the Host different, with Host $host:$server_port; I receive a white
page when logging into the admin URL. *Why would this happen*? Only mention
of the host header I could find in the wildFly documentation is
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration


Also to get past the invalid_redirect_uri issue,


   1. Run keycloak locally
   2. Go to the Clients settings in the Master Realm
   3. Click edit on the security-admin-console client id (You may also have
   to do this with the account client ID I'm not certain)
   4. Add valid redirect URI's for your new domain, for example
   https://website.com/* (Docs tell you to be as limited as possible with
   these so in production limit down your redirect URI's as much as possible)

Hope this helps someone in the future! What do you think? Should this be
added to the documentation somewhere or should some kind of error be thrown
in this circumstance? I'm not certain if it's Wildfly or keycloak causing
this to happen I didn't dig quite hard enough to find out :(





On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <derek.visch at gmail.com> wrote:

> Trying to setup reverse SSL for keycloak. Having issues finding
> documentation about this, it's mentioned in
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html
> but the extra detail that's supposed to be in
> https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could
> not find in regards to reverse SSL proxys.
>
> Regardless I ended up following
> http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
>
> From that previous mailling list post:
>
> Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
>
> First add proxy-address-forwarding and redirect-socket to the http-listener element:
>
> <subsystem xmlns="urn:jboss:domain:undertow:1.1">
>     ...
>     <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>     ...
> </subsystem>
>
> Then add a new socket-binding element to the socket-binding-group element:
>
> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>     ...
>     <socket-binding name="proxy-https" port="443"/>
>     ...
> </socket-binding-group>
>
>
>
> but now when I go to log on to the admin console I get "We're sorry ...
> Invalid aparameter: redirect uri".
>
>
>
> Tried stack overflow / google / IRC. No luck so far.
>
> Any help would be appreciated :D
>
> Thanks
>
>
>


-- 

*Derek Visch* / Software Developer / Network Technician
dvisch at leveldata.com <bipema at leveldata.com> / Direct: 269-488-2037

*Level Data Inc.*
Office: 866.511.3282
4787 Campus Dr. | Kalamazoo, MI 49008
http://www.leveldata.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160801/be068bb8/attachment.html

More information about the keycloak-user mailing list