[keycloak-user] Access to security-admin-console via SSL is prohibited?

Tim Hedlund tim.hedlund at outlook.com
Thu Nov 29 10:02:27 EST 2018


Dominic,

Did you try to add your response URI, i.e. "https://myserver.com/auth/admin/master/console/*", to the "Valid Redirect URIs" in the security-admin-console client?

Regards
Tim

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of dominic.michel01 at realdigital.de
Sent: den 28 november 2018 12:02
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Access to security-admin-console via SSL is prohibited?


Hi.

I've just deployed a Keycloak which is only reachable via a haproxy that enforces SSL.
Now I'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://myserver.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fmyserver.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a69fd981-6daa-4cbd-a231-0907376a8338&response_mode=fragment&response_type=code&scope=openid&nonce=c8f30e79-f7a6-4cad-8ce3-c2aab81964e4

But this request ends in status 400 with the response "Invalid parameter: redirect_uri".
On a test environment without SSL it's actually working fine with an absolute URI using http. But here I cannot use http. The haproxy prevents it completely.
I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then Keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/),
which leaves me with an error in the browser because haproxy changes the call to https, but some content seems to be still embedded using http:
---
Content Security Policy: The page's settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html?version=4.6.0.final ("frame-src").
---

So it looks like I'm effectively locked out.

Based on my current situation I have three questions.
1. Why does Keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https, and how can this be changed?
2. Given that the default redirect URI pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is?
3. Does anybody know what to change now (via admin CLI, I guess) to get access to the UI?

Thanks for your help.

Kind regards,
Dominic
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
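The behaviour the thread describes (the relative default pattern "/auth/admin/master/console/*" accepting the http redirect_uri but not the https one, a relative redirect_uri being bounced to an http URL, and Tim's suggested fix of adding the absolute https pattern) can be modelled with a small allow-list matcher. The following is an added example, not Keycloak's own code; it assumes, as a hypothesis the thread does not state, that a server behind a TLS-terminating proxy sees plain-http requests and resolves relative patterns and relative redirect URIs against that perceived http base URL. Host names are the ones used in the thread; the prefix-wildcard semantics are a simplification.

```python
"""Toy model of redirect_uri allow-list checking behind a TLS-terminating proxy.

Constructed example for illustration; this is not Keycloak's implementation.
"""
from urllib.parse import urlsplit

# Assumption (not stated in the thread): with TLS terminated at the proxy and the
# original scheme not passed through, the server sees http and builds its own base
# URL from that.
PERCEIVED_BASE_URL = "http://myserver.com"

# Default pattern quoted in the thread for the security-admin-console client.
DEFAULT_PATTERNS = ["/auth/admin/master/console/*"]

# Tim's suggestion: add the absolute https pattern alongside the default one.
PATCHED_PATTERNS = DEFAULT_PATTERNS + ["https://myserver.com/auth/admin/master/console/*"]


def resolve(uri_or_pattern: str, base_url: str) -> str:
    """Relative values (leading '/') inherit scheme and host from base_url.

    Absolute values are returned unchanged. This is where an http-only view of the
    world turns a relative pattern or redirect into an http URL.
    """
    if uri_or_pattern.startswith("/"):
        parts = urlsplit(base_url)
        return f"{parts.scheme}://{parts.netloc}{uri_or_pattern}"
    return uri_or_pattern


def pattern_matches(uri: str, pattern: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'.

    Scheme and host are compared literally: an https URI never matches an http
    pattern, which is the safe default for an allow-list protecting auth codes.
    """
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def check_redirect(redirect_uri: str, valid_patterns, base_url: str = PERCEIVED_BASE_URL):
    """Return (accepted, resolved_uri).

    resolved_uri is the URL the server would actually send the browser to; comparing
    it with what the client asked for shows the scheme downgrade from the thread.
    """
    resolved = resolve(redirect_uri, base_url)
    accepted = any(pattern_matches(resolved, resolve(p, base_url)) for p in valid_patterns)
    return accepted, resolved


if __name__ == "__main__":
    cases = [
        ("https://myserver.com/auth/admin/master/console/", DEFAULT_PATTERNS, PERCEIVED_BASE_URL),
        ("http://myserver.com/auth/admin/master/console/", DEFAULT_PATTERNS, PERCEIVED_BASE_URL),
        ("/auth/admin/master/console/", DEFAULT_PATTERNS, PERCEIVED_BASE_URL),
        ("https://myserver.com/auth/admin/master/console/", PATCHED_PATTERNS, PERCEIVED_BASE_URL),
        # Same request when the server is aware of the real scheme (assumed https base).
        ("https://myserver.com/auth/admin/master/console/", DEFAULT_PATTERNS, "https://myserver.com"),
    ]
    for uri, patterns, base in cases:
        ok, resolved = check_redirect(uri, patterns, base)
        print(f"base={base:<22} redirect_uri={uri:<48} accepted={ok} -> {resolved}")
```

The model reproduces the three observations: the https redirect is rejected against the relative default pattern, the http one is accepted, and a relative redirect_uri is accepted but resolved to an http URL. Adding the explicit https pattern makes the console redirect pass; the last case shows that the same default pattern would also have accepted it had the server resolved it against an https base, which is why the server's view of the original scheme matters as much as the client's allow-list.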



More information about the keycloak-user mailing list