[keycloak-user] NGINX + Redirect URI is going to http rather than https

abhishek raghav abhi.raghav007 at gmail.com
Wed Aug 3 11:36:42 EDT 2016


I am trying to configure NGINX as a reverse proxy for my Keycloak instance and
customer-portal to do SSL termination.

So I am accessing the customer-portal over NGINX with https, which is going
fine.
The URL which I called looks like this:

https://192.168.99.100/customer-portal/


Next, when I am trying to access any secured resource by clicking on, let's
say, 'customer-listing', I am redirected to Keycloak with the URI below,
with an error message of invalid redirect URI.

http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true

Here, if you see, the redirect URI is going as http in place of https, which
gives me invalid redirect-uri because the URI I have configured in the
valid-redirect-URI section of the customer-portal client settings is below:

https://192.168.99.100/customer-portal/*

Am I missing something, or do I need to do anything else to support nginx
settings in my Keycloak? I have also set the proxy-forwarding in standalone.xml
to 'true'.

<http-listener xmlns:ut="urn:jboss:domain:undertow:3.0"
               proxy-address-forwarding="true"
               name="default"
               socket-binding="http"
               redirect-socket="https"/>


I also configured the port in the socket binding as 443.

Also I am configuring the required headers in my nginx.conf.

Below is what my nginx.conf looks like:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # TLS is terminated here; both backends are reached over plain http.
    server {
        listen              443;
        server_name         "";
        ssl_certificate      /etc/nginx/external/cert.pem;
        ssl on;
        ssl_certificate_key  /etc/nginx/external/key.pem;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location /customer-portal/ {
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header        X-Forwarded-Host $host;
            proxy_set_header        X-Forwarded-Server $http_host;
            proxy_set_header        X-Forwarded-Port 443;
            proxy_pass              http://192.168.99.100:31050;
        }

        location /auth/ {
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header        X-Forwarded-Host $host;
            proxy_set_header        X-Forwarded-Server $http_host;
            proxy_set_header        X-Forwarded-Port 443;
            proxy_pass              http://192.168.99.100:31048/auth/;
        }
    }

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}


And my keycloak.json file looks like below:

{
  "realm": "nginx",
  "realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
  "auth-server-url": "https://192.168.99.100/auth/",
  "ssl-required": "external",
  "resource": "customer-portal",
  "credentials": {
    "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"
  },
  "use-resource-role-mappings": false
}

Note: I am running all 3 in their own docker containers.

Here my nginx URL is https://192.168.99.100
my customer-portal URL is http://192.168.99.100:31050
my keycloak server URL is http://192.168.99.100:31048

Customer-portal is running on Tomcat 8 with the Keycloak Tomcat adapter.

Both customer-portal and Keycloak are running behind nginx.


Am I doing something wrong?

Thanks.
Abhishek
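As an added illustration that is not part of this thread, the following Python model shows the mechanism behind the symptom: an app behind a TLS-terminating proxy rebuilds its redirect_uri from the scheme it actually received unless it trusts X-Forwarded-Proto, and a valid-redirect-URI pattern is matched literally, so an http:// URI never satisfies an https:// pattern. The matching function is a simplified model of Keycloak's wildcard check (an assumption, not Keycloak's code), and the forwarded headers are constructed from the nginx.conf above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: headers the nginx.conf above sends to the customer-portal
# backend after terminating TLS on 443 (the backend itself is plain http).
FORWARDED_HEADERS = {
    "Host": "192.168.99.100",       # proxy_set_header Host $http_host
    "X-Forwarded-Proto": "https",   # proxy_set_header X-Forwarded-Proto $scheme
}

# The authorization request quoted in the post, and the registered pattern.
AUTH_URL = ("http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth"
            "?response_type=code&client_id=customer-portal"
            "&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp"
            "&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true")
VALID_REDIRECT_URIS = ["https://192.168.99.100/customer-portal/*"]


def effective_base_url(headers, connection_scheme="http", trust_forwarded=False):
    """Rebuild the public base URL the way a proxied web app does.

    trust_forwarded=False models an app that ignores X-Forwarded-Proto and uses
    the scheme of the socket it was reached on, which behind a TLS-terminating
    proxy is plain http, so every URL it builds starts with http://."""
    scheme = connection_scheme
    if trust_forwarded and "X-Forwarded-Proto" in headers:
        scheme = headers["X-Forwarded-Proto"]
    return f"{scheme}://{headers['Host']}"


def redirect_uri_allowed(uri, patterns):
    """Simplified model (assumption) of a valid-redirect-URI check: a pattern
    ending in '*' is a prefix match, anything else must match exactly."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def check_auth_request(auth_url, patterns):
    """Pull redirect_uri out of an OIDC authorization request and test it."""
    redirect_uri = parse_qs(urlsplit(auth_url).query)["redirect_uri"][0]
    return redirect_uri, redirect_uri_allowed(redirect_uri, patterns)


if __name__ == "__main__":
    for trust in (False, True):
        uri = effective_base_url(FORWARDED_HEADERS, trust_forwarded=trust) + "/customer-portal/customers/view.jsp"
        print(f"trust_forwarded={trust}: {uri} allowed={redirect_uri_allowed(uri, VALID_REDIRECT_URIS)}")
    print(check_auth_request(AUTH_URL, VALID_REDIRECT_URIS))
```

Running it shows the http:// URI from the post being rejected and the same path under https:// being accepted, which is the difference the proxy-awareness setting on the backend has to close.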

