[keycloak-user] Keycloak invalid redirect_uri with port 0?

Dean Poulin dean at edgewoodsoftware.com
Fri Oct 5 04:43:33 EDT 2018


Hi everyone,

First email to the group here. I’ve been heavily underway implementing Keycloak for my app’s auth needs and very impressed with the product. I’ve delayed emailing the group until I’ve spent hours of time trying to figure out this weird issue I’m experiencing. This might not be the best place to post this, but figured I’d start here.

For some reason, when I visit my spring boot webapp that’s protected by keycloak it’s redirecting to keycloak as expected but the redirect_uri is being set with a port of 0 which is causing me to get an error on the keycloak login page saying “invalid redirect_uri.”

I’ve googled this and I’ve found some people having similar issues, but couldn’t find solutions (e.g. https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234).

My prod/test environment uses an nginx reverse proxy in front of my apps.

I followed these steps: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy.

The url that was throwing that error looked like this (see the port of 0 in the url):

https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid

The keycloak logs contained this error for the above url:

Oct 05 02:39:40 sso01.example.com standalone.sh[20517]: 02:39:40,888 WARN  [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/sso/login

As you can see for some reason the redirect_uri is being set with a port of 0.

I put in the url with port 0 (https://www.example.com:0/sso/login) into the keycloak client config under Valid Redirect URIs and that removed the invalid redirect_uri issue and the login page was now rendering without an error.

However, when the redirect is performed after login, the browser gets screwed up with having port 0 in there… Google Chrome has this error:

This site can’t be reached
The webpage at https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw might be temporarily down or it may have moved permanently to a new web address.
ERR_ADDRESS_INVALID

Here’s my architecture:

USER  —>   *HTTPS Standard Port 443*  —>   NGINX  —>   *HTTP Port 8042*  —>   SPRING BOOT APP (v2.0.5.RELEASE)

USER  —>   *HTTPS Standard Port 443*  —>   NGINX  —>   *HTTP Port 8080*  —>   KEYCLOAK SERVER (v4.4.0.Final)

Spring Boot App:

<dependency>
    <groupId>org.keycloak.bom</groupId>
    <artifactId>keycloak-adapter-bom</artifactId>
    <version>4.4.0.Final</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

...

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>

Config yaml:

keycloak:
  auth-server-url: https://sso.example.com/auth
  realm: my-app
  public-client: true
  resource: my-client
  ssl-required: external



Nginx is configured as a reverse proxy with these settings for the spring boot app:

upstream app {
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;

        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://app;
    }
}

Nginx is configured as a reverse proxy with these settings for the keycloak server:


upstream sso {
   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name sso.example.com;

   ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;
        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://sso;
    }
}

My keycloak configuration for standalone.xml has these settings:

Undertow config:

<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" enable-http2="true" proxy-address-forwarding="true"/>
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <http-invoker security-realm="ApplicationRealm"/>
    </host>
</server>

…

Socket Bindings:

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="proxy-https" port="443"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
Thanks for your help, I must have missed something somewhere. I just can’t for the life of me find out where that port 0 is coming from.


Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean at edgewoodsoftware.com
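Editor's note, added after the message and not part of Dean's email or of the Keycloak adapter code: the security-relevant point in the thread is that an OIDC client must build redirect_uri from the origin the browser actually used, which behind a reverse proxy means the X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port values the proxy sets (the nginx proxy_set_header lines above). The servlet container only consults those headers when it is told to trust them (in Spring Boot 2.0.x the property is server.use-forward-headers=true); otherwise the adapter falls back to what the local connector reports. The Python example below (Python rather than Java so it runs stand-alone; function names and the sample headers are constructed for this illustration) reconstructs the external origin from forwarded headers, treats a port of 0 or a missing port as "use the scheme default" instead of emitting :0, and then applies a simplified version of Keycloak's Valid Redirect URIs matching (exact match or trailing-* prefix; the real implementation has more rules). The last check shows why adding the :0 URI to the allow-list, as the email describes, only masks the symptom: the allow-list then admits a URI no browser can follow.

```python
from urllib.parse import urlsplit

# Scheme defaults; a port equal to the default is omitted from the authority.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample headers mirroring the nginx proxy_set_header lines in the email.
NGINX_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "www.example.com",
    "X-Forwarded-Port": "443",
}


def first_value(header_value):
    """Proxies chained in front of each other append values with commas; take the first."""
    return header_value.split(",")[0].strip()


def split_host_port(authority):
    """Split 'host[:port]' into (host, port_string), keeping bracketed IPv6 literals intact."""
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            return authority, ""
        rest = authority[end + 1:]
        return authority[:end + 1], (rest[1:] if rest.startswith(":") else "")
    host, sep, port = authority.rpartition(":")
    return (host, port) if sep else (authority, "")


def valid_port(text):
    """True only for a TCP port a browser can connect to (1-65535); '0' and '' are rejected."""
    return text.isdigit() and 1 <= int(text) <= 65535


def external_origin(headers, local_scheme="http", local_host="127.0.0.1",
                    local_port=8042, trust_proxy=True):
    """Return (scheme, host, port) as seen by the browser.

    trust_proxy=False models an app that ignores X-Forwarded-*: it only knows its own
    connector (the plain HTTP 8042 listener in the email), so the origin it reports is
    the internal one, not the one the user typed.
    """
    if not trust_proxy:
        return local_scheme, local_host, local_port
    h = {k.lower(): v for k, v in headers.items()}
    scheme = first_value(h.get("x-forwarded-proto", local_scheme)).lower()
    host, host_port = split_host_port(
        first_value(h.get("x-forwarded-host", h.get("host", local_host))))
    forwarded_port = first_value(h.get("x-forwarded-port", ""))
    for candidate in (forwarded_port, host_port):
        if valid_port(candidate):
            return scheme, host, int(candidate)
    # No usable port anywhere (missing, or 0 as in the thread): use the scheme default.
    return scheme, host, DEFAULT_PORTS.get(scheme, local_port)


def build_redirect_uri(headers, path="/sso/login", **origin_kwargs):
    """Build the redirect_uri the client should send to the authorization endpoint."""
    scheme, host, port = external_origin(headers, **origin_kwargs)
    authority = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def redirect_uri_allowed(redirect_uri, patterns):
    """Simplified Keycloak-style Valid Redirect URIs check.

    The query string is dropped before comparing; a pattern ending in '*' matches any
    URI with that prefix, anything else must match exactly. Scheme, host and port are
    therefore part of the match, which is why ':0' fails against 'https://host/*'.
    """
    base = urlsplit(redirect_uri)._replace(query="", fragment="").geturl()
    for pattern in patterns:
        if pattern.endswith("*"):
            if base.startswith(pattern[:-1]):
                return True
        elif base == pattern:
            return True
    return False


if __name__ == "__main__":
    allow = ["https://www.example.com/*"]
    for hdrs in (NGINX_HEADERS, {**NGINX_HEADERS, "X-Forwarded-Port": "0"}):
        uri = build_redirect_uri(hdrs)
        print(uri, "allowed" if redirect_uri_allowed(uri, allow) else "REJECTED")
    print(build_redirect_uri(NGINX_HEADERS, trust_proxy=False), "(proxy headers ignored)")
```

Running it prints the well-formed https://www.example.com/sso/login for both the correct nginx headers and a bogus X-Forwarded-Port of 0, and http://127.0.0.1:8042/sso/login when the forwarded headers are ignored, which is the class of mismatch that produces invalid_redirect_uri in the Keycloak event log. The fix belongs on the application side (trust the proxy's headers), not in the realm's allow-list.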

