[keycloak-user] Reverse Proxy - SSL Termination - Invalid parameter: redirect uri

Marek Posolda mposolda at redhat.com
Thu Aug 4 06:51:33 EDT 2016


We have some docs for this here 
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html

Marek

On 01/08/16 22:58, Derek Visch wrote:
> Ended up figuring this out. Just to save whatever poor soul has to go 
> down the same/similar path, here's what I did. I'm curious why I didn't 
> get any errors when running keycloak with debug logging turned on, as 
> this must be some kind of host re-write problem with wildfly/keycloak.
>
> First, the only configuration I had to set in standalone.xml was (I 
> removed all the other custom configurations I had in place; the rest is 
> the vanilla standalone.xml):
> <http-listener name="http-default" socket-binding="http" 
> redirect-socket="https" proxy-address-forwarding="true"/>
>
> Wildfly10 Docs for this: 
> https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration
>
> Nginx configuration:
>
> server {
>   listen 80;
>   server_name keycloak_testing.leveldatadevelopment.com;
>   return 301 https://$host$request_uri;
> }
>
> server {
>   listen 443 ssl;
>   server_name keycloak_testing.leveldatadevelopment.com;
>
>   ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
>   ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;
>
>   location / {
>     # Pass the original host name only (no port); see the note below
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr; # Not sure this is needed for wildfly/keycloak
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     # Tells Undertow (with proxy-address-forwarding="true") that the client used https
>     proxy_set_header X-Forwarded-Proto $scheme;
>     proxy_redirect http:// https://;
>
>     proxy_pass http://0.0.0.0:8080;
>   }
> }
>
>
> Note the Host header difference: with Host $host:$server_port; I receive a 
> white page when logging into the admin URL. Why would this happen? 
> The only mention of the host header I could find in the WildFly 
> documentation is 
> https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration
>
>
> Also to get past the invalid_redirect_uri issue,
>
>  1. Run keycloak locally
>  2. Go to the Clients settings in the Master Realm
>  3. Click edit on the security-admin-console client id (You may also
>     have to do this with the account client ID I'm not certain)
>  4. Add valid redirect URIs for your new domain, for example
>     https://website.com/* (Docs tell you to be as limited as possible
>     with these, so in production limit down your redirect URIs as much
>     as possible)
>
> Hope this helps someone in the future! What do you think? Should this 
> be added to the documentation somewhere, or should some kind of error 
> be thrown in this circumstance? I'm not certain if it's Wildfly or 
> keycloak causing this to happen; I didn't dig quite hard enough to find 
> out :(
>
>
>
>
>
> On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <derek.visch at gmail.com> wrote:
>
>     Trying to set up reverse SSL for Keycloak. Having issues finding
>     documentation about this; it's mentioned in
>     https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html
>     but the extra detail that's supposed to be in
>     https://keycloak.gitbooks.io/server-adminstration-guide/content/ I
>     could not find in regards to reverse SSL proxies.
>
>     Regardless I ended up following
>     http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
>
>     From that previous mailing list post:
>
>     Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
>
>     First add proxy-address-forwarding and redirect-socket to the http-listener element:
>
>     <subsystem xmlns="urn:jboss:domain:undertow:1.1">
>          ...
>          <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>          ...
>     </subsystem>
>
>     Then add a new socket-binding element to the socket-binding-group element:
>
>     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>          ...
>          <socket-binding name="proxy-https" port="443"/>
>          ...
>     </socket-binding-group>
>
>
>
>     but now when I go to log on to the admin console I get "We're
>     sorry ... Invalid parameter: redirect uri".
>
>
>
>     Tried stack overflow / google / IRC. No luck so far.
>
>     Any help would be appreciated :D
>
>     Thanks
>
>
>
>
>
> -- 
>
> Derek Visch / Software Developer / Network Technician
> dvisch at leveldata.com / Direct: 269-488-2037
>
> Level Data Inc.
> Office: 866.511.3282
> 4787 Campus Dr. | Kalamazoo, MI 49008
> http://www.leveldata.com
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

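The two failure modes in the thread (an http://...:8080 redirect_uri that the realm rejects when proxy-address-forwarding is off, and a redirect_uri that only matches once the realm's "Valid Redirect URIs" entry covers the external https host) can be reproduced with a small model. This is an added example written for this page; it is not Keycloak's or Undertow's code. It is a simplified model: the trusted-proxy list, the admin-console path, the header dictionaries and the peer addresses are constructed assumptions, and the trusted-peer check on X-Forwarded-* is a hardening step added here, not something the http-listener setting in the thread enforces by itself.

```python
from ipaddress import ip_address, ip_network

# Simplified model of (a) how a container behind a TLS-terminating proxy
# derives the externally visible base URL with proxy-address-forwarding off
# versus on, and (b) how a Keycloak-style "Valid Redirect URIs" list is
# matched. Constructed for illustration; not Keycloak/WildFly code.

TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]  # assumed
ADMIN_CONSOLE_PATH = "/auth/admin/master/console/"  # assumed admin-console path


def _split_host(host_header):
    """Split 'host[:port]' into (host, port or None). IPv6 literals not handled."""
    if ":" in host_header:
        name, _, port = host_header.rpartition(":")
        return name, int(port)
    return host_header, None


def external_base_url(headers, peer_ip, proxy_address_forwarding,
                      listener_scheme="http", listener_port=8080):
    """Base URL the server believes the client used.

    Forwarding off: X-Forwarded-* is ignored; scheme is the listener's own and
    the port comes from the Host header if present, else the listener port.
    Behind an https proxy that yields http://host:8080/..., which no https://
    redirect pattern will match. Forwarding on: X-Forwarded-Proto/-Port are
    honoured, but only from a trusted proxy address (added hardening), since a
    client that can reach port 8080 directly could otherwise spoof them.
    """
    host, explicit_port = _split_host(headers.get("Host", ""))
    scheme = listener_scheme
    port = explicit_port if explicit_port else listener_port
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if proxy_address_forwarding and trusted:
        scheme = headers.get("X-Forwarded-Proto", scheme).lower()
        fallback = explicit_port or (443 if scheme == "https" else 80)
        port = int(headers.get("X-Forwarded-Port", fallback))
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" + ("" if port == default else f":{port}")


def redirect_uri_allowed(redirect_uri, registered):
    """Keycloak-style match: a pattern ending in '*' is a prefix match on the
    text before the '*'; anything else must match exactly. Scheme, host and
    port are all part of the comparison. Simplified: relative patterns
    resolved against the client's root URL are not modelled."""
    for pattern in registered:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def admin_console_login(headers, peer_ip, proxy_address_forwarding, registered):
    """Return (redirect_uri the admin console would send, whether the realm accepts it)."""
    redirect_uri = external_base_url(headers, peer_ip, proxy_address_forwarding) + ADMIN_CONSOLE_PATH
    return redirect_uri, redirect_uri_allowed(redirect_uri, registered)


if __name__ == "__main__":
    # Constructed request, as the nginx config in the thread would forward it.
    via_nginx = {"Host": "keycloak_testing.leveldatadevelopment.com",
                 "X-Forwarded-Proto": "https",
                 "X-Forwarded-For": "198.51.100.7"}
    allowed = ["https://keycloak_testing.leveldatadevelopment.com/*"]
    # 1. proxy-address-forwarding off: http://...:8080 redirect_uri, rejected
    print(admin_console_login(via_nginx, "127.0.0.1", False, allowed))
    # 2. on, from the proxy: https://... redirect_uri, accepted
    print(admin_console_login(via_nginx, "127.0.0.1", True, allowed))
    # 3. on, but headers spoofed by a client reaching 8080 directly: ignored
    print(admin_console_login(via_nginx, "203.0.113.5", True, allowed))
```

Two things the model makes visible that the thread only hints at: the pattern must end in `/*`, because a bare `https://host*` prefix also matches `https://host.attacker.example/`; and once proxy-address-forwarding is on, port 8080 should be reachable only from the proxy, otherwise X-Forwarded-Proto and X-Forwarded-For become client-controlled.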