[keycloak-user] Reverse Proxy - SSL Termination - Invalid parameter: redirect uri

Niels Bertram nielsbne at gmail.com
Fri Jul 22 05:49:13 EDT 2016

You may be missing the ProxyPeerHandler filter registration with your
undertow subsystem. Below example of running keycloak behind a stock
standard Apache Reverse proxy configuration with the corresponsing undertow
subsystem configuration.

I never understood what that proxy-https port configuration in the binding
was good for (I think its a copy paste habit or legacy) using the default
8443 one has always worked for me.

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp-default" socket-binding="ajp"
redirect-socket="https" scheme="https"/>
        <http-listener name="http-default" socket-binding="http"
redirect-socket="https" proxy-address-forwarding="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <filter-ref name="proxy-peer"/>
            <filter-ref name="request-dumper" priority="30"/>
    <servlet-container name="default">
        <file name="welcome-content"
        <response-header name="server-header" header-name="Server"
        <response-header name="x-powered-by-header"
header-name="X-Powered-By" header-value="Undertow/1"/>
        <filter name="proxy-peer" module="io.undertow.core"
        <filter name="request-dumper" module="io.undertow.core"

The socket config

<socket-binding-group name="standard-sockets" default-interface="public"
    <socket-binding name="management-http" interface="management"
    <socket-binding name="management-https" interface="management"
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>

And the minimalistic snippet that goes into the apache vhost config (apache

<VirtualHost *:80>
  DocumentRoot /var/www
  ServerName your.server.com
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
  ... logging config

<VirtualHost *:443>
  DocumentRoot /var/www
  ServerName your.server.com
  ... ssl config

  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    RequestHeader set X-Forwarded-Proto "https"
    Require all granted

  # ajp works a charm
  ProxyPass /auth ajp://
  ProxyPassReverse /auth ajp://

  # or hit the http port
  ProxyPass /auth
  ProxyPassReverse /auth

  ... logging config

Hope this solves your problem.


On Fri, Jul 22, 2016 at 7:21 AM, Derek Visch <derek.visch at gmail.com> wrote:

> Trying to setup reverse SSL for keycloak. Having issues finding
> documentation about this, it's mentioned in
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html
> but the extra detail that's supposed to be in
> https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could
> not find in regards to reverse SSL proxys.
> Regardless I ended up following
> http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
> From that previous mailling list post:
> Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
> First add proxy-address-forwarding and redirect-socket to the http-listener element:
> <subsystem xmlns="urn:jboss:domain:undertow:1.1">
>     ...
>     <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>     ...
> </subsystem>
> Then add a new socket-binding element to the socket-binding-group element:
> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>     ...
>     <socket-binding name="proxy-https" port="443"/>
>     ...
> </socket-binding-group>
> but now when I go to log on to the admin console I get "We're sorry ...
> Invalid aparameter: redirect uri".
> Tried stack overflow / google / IRC. No luck so far.
> Any help would be appreciated :D
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160722/1f55e55f/attachment-0001.html 

More information about the keycloak-user mailing list