[keycloak-user] Access to security-admin-console via SSL is prohibited?

dominic.michel01 at realdigital.de dominic.michel01 at realdigital.de
Fri Nov 30 02:27:51 EST 2018


Hi.

Yes, I've added the https URI as well. Unfortunately, when accessing the login mask via https, the action of the login form is still using http. So I'm able to log in but only see a blank page, because the page content is blocked by the browser with this message:

Mixed Content: The page at 'https://myserver.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://myserver.com/auth/realms/master/protocol/openid-connect/token'. This request has been blocked; the content must be served over HTTPS.


According to https://www.keycloak.org/docs/4.6/server_admin/#_ssl_modes I figured it would be enough to configure SSL on the reverse proxy only, but now I wonder if it really is, and how to convince Keycloak to use https for all its form actions, XHRs etc.

Kind regards,
Dominic

________________________________________
From: Tim Hedlund [tim.hedlund at outlook.com]
Sent: Thursday, November 29, 2018 4:02 PM
To: Michel, Dominic; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Access to security-admin-console via SSL is prohibited?

Dominic,

Did you try to add your response uri, i.e: "https://myserver.com/auth/admin/master/console/*" to the "Valid Redirect URIs" in the security-admin-console client?

Regards
Tim

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of dominic.michel01 at realdigital.de
Sent: den 28 november 2018 12:02
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Access to security-admin-console via SSL is prohibited?


Hi.

I've just deployed a Keycloak which is only reachable via an HAProxy that enforces SSL.
Now I'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fmyserver.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a69fd981-6daa-4cbd-a231-0907376a8338&response_mode=fragment&response_type=code&scope=openid&nonce=c8f30e79-f7a6-4cad-8ce3-c2aab81964e4

But this request ends in status 400 with the response "Invalid parameter: redirect_uri".
On a test environment without SSL it's actually working fine with an absolute URI using http. But here I cannot use http. The HAProxy prevents it completely.
I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F), but then Keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/),
which leaves me with an error in the browser because HAProxy changes the call to https, but some content seems to be still embedded using http:
---
Content Security Policy: The page's settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html?version=4.6.0.final ("frame-src").
---

So it looks like I'm effectively locked out.

Based on my current situation I have three questions.
1. Why does Keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https, and how can this be changed?
2. Given that the default redirect URI pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is?
3. Does anybody know what to change now (via admin CLI, I guess) to get access to the UI?

Thanks for your help.

Kind regards,
Dominic
real,- Digital Services GmbH, registered office: Duesseldorf
Amtsgericht Duesseldorf, HRB 75643
Managing directors: Dr. Gerald Schoenbucher, Mehmet Toezge

The messages and attachments contained in this e-mail are intended exclusively for the named addressee. They may contain legally protected, confidential information. If you are not the named recipient or are not authorised to receive this e-mail, any use, reproduction or forwarding of the messages and attachments is prohibited. If you have received this e-mail in error, please notify the sender immediately and destroy the e-mail.
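As an added diagnostic example (not from this thread or from the Keycloak project): a small Python checker that flags endpoints in an OIDC discovery document which are not served as https on the expected public host, which is the symptom described above, plus a simplified model of how a server behind a TLS-terminating proxy picks the scheme for the URLs it generates. The discovery document below is constructed, the field names are the standard OpenID Connect discovery keys, and `effective_scheme` is an assumed simplification for illustration, not Keycloak's actual implementation.

```python
"""Check an OIDC discovery document for http:// endpoints behind a TLS proxy."""
import json
from urllib.parse import urlparse

# Constructed sample document (not fetched from any real server); it mixes
# https and http endpoints the way the thread's mixed-content errors suggest.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://myserver.com/auth/realms/master",
    "authorization_endpoint": "https://myserver.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://myserver.com/auth/realms/master/protocol/openid-connect/token",
    "check_session_iframe": "http://myserver.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
    "jwks_uri": "https://myserver.com/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "token"],
})


def insecure_endpoints(discovery_json: str, public_host: str) -> dict:
    """Return {field: url} for every URL-valued field that is not https
    on the expected public host. Non-URL fields (lists, flags) are skipped."""
    doc = json.loads(discovery_json)
    bad = {}
    for field, value in doc.items():
        if not isinstance(value, str):
            continue
        parsed = urlparse(value)
        if parsed.scheme not in ("http", "https"):
            continue  # a string field that is not a URL
        # An internal hostname leaking into the document is also a misconfiguration.
        if parsed.scheme != "https" or parsed.hostname != public_host:
            bad[field] = value
    return bad


def effective_scheme(headers: dict, listener_scheme: str = "http",
                     proxy_address_forwarding: bool = False) -> str:
    """Assumed simplified model: when proxy address forwarding is enabled the
    server trusts X-Forwarded-Proto from the proxy; otherwise it uses the scheme
    of its own listener, which is plain http when TLS terminates at the proxy."""
    if proxy_address_forwarding:
        lowered = {k.lower(): v for k, v in headers.items()}
        fwd = lowered.get("x-forwarded-proto")
        if fwd:
            return fwd.split(",")[0].strip().lower()
    return listener_scheme


if __name__ == "__main__":
    for field, url in insecure_endpoints(SAMPLE_DISCOVERY, "myserver.com").items():
        print(f"insecure endpoint {field}: {url}")
    print("scheme without forwarding:", effective_scheme({"X-Forwarded-Proto": "https"}))
    print("scheme with forwarding:   ",
          effective_scheme({"X-Forwarded-Proto": "https"}, proxy_address_forwarding=True))
```

Running the checker against a live realm's `.well-known/openid-configuration` output shows at a glance whether the proxied server is still generating http URLs, independent of which browser error happens to surface first.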


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user