[keycloak-user] Keycloak invalid redirect_uri with port 0?

Sebastien Blanc sblanc at redhat.com
Fri Oct 5 05:37:29 EDT 2018


TBH, no idea if it helps in your case, but there is a config property called
"redirect-rewrite-rules" that may help you:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config


On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean at edgewoodsoftware.com>
wrote:

> Hi,
>
> I’ve tried a couple things in that comment so far:
>
> 1) Verified I’m sending through the headers and the spring boot app is
> receiving the headers:
>
> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05
> 05:15:27.576  INFO 25117 --- [nio-8042-exec-2]
> a.c.u.server.controller.IndexController  : host=www.example.com
> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
> x-real-ip=1.2.3.4
> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
> x-forwarded-for=1.2.3.4
> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
> x-forwarded-proto=https
> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
> x-forwarded-host=www.example.com
> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
> x-forwarded-port=443
>
> I tried setting the spring boot keycloak config setting:
>
> keycloak.ssl-required = none
>
> That did remove the port 0 in the redirect_uri being generated but it also
> set the redirect uri to be http instead of https, which seems like it’d be
> bad. I do have nginx set to redirect all http requests to https anyway.
>
> Is there something else I need to do to get the spring boot app to
> generate the correct redirect_uri with https? There must be like some magic
> config setting I’ve missed somewhere. I’ll keep digging and share what I
> find.
>
> Thanks,
>
> Dean Poulin
> Owner & Principal Software Engineer
> edgewood software
> email: dean at edgewoodsoftware.com
>
>
> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc at redhat.com> wrote:
>
> Hi,
>
> We have a ticket concerning the 0 added as port :
> https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan
> it to work on it. But look at the comments, looks like there are some
> workarounds for now (the last comment).
>
> Sebi
>
>
> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean at edgewoodsoftware.com>
> wrote:
>
>> Hi everyone,
>>
>> First email to the group here. I’ve been heavily underway implementing
>> Keycloak for my app’s auth needs and very impressed with the product. I’ve
>> delayed emailing the group until I’ve spent hours of time trying to figure
>> out this weird issue I’m experiencing. This might not be the best place to
>> post this, but figured I’d start here.
>>
>> For some reason, when I visit my spring boot webapp that’s protected by
>> keycloak it’s redirecting to keycloak as expected but the redirect_uri is
>> being set with a port of 0 which is causing me to get an error on the
>> keycloak login page saying “invalid redirect_uri.”
>>
>> I’ve googled this and I’ve found some people having similar issues, but
>> couldn’t find solutions (e.g.
>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234).
>>
>> My prod/test environment uses an nginx reverse proxy in front of my apps.
>>
>> I followed these steps:
>> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
>>
>> The url that was throwing that error looked like this (see the port of 0
>> in the url):
>>
>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
>>
>> The keycloak logs contained this error for the above url:
>>
>> Oct 05 02:39:40 sso01.example.com
>> standalone.sh[20517]: 02:39:40,888 WARN  [org.keycloak.events] (default
>> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null,
>> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=
>> https://www.example.com:0/sso/login
>>
>> As you can see for some reason the redirect_uri is being set with a port
>> of 0.
>>
>> I put in the url with port 0 (https://www.example.com:0/sso/login)
>> into the keycloak client config
>> under Valid Redirect URIs and that removed the invalid redirect_url issue
>> and the login page was now rendering without an error.
>>
>> However, when the redirect is performed after login, the browser gets
>> screwed up with having port 0 in there… Google Chrome has this error:
>>
>> This site can’t be reached
>> The webpage at
>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw
>> might be temporarily down or it may have moved permanently to a new web
>> address.
>> ERR_ADDRESS_INVALID
>>
>> Here’s my architecture:
>>
>> USER  —>   *HTTPS Standard Port 443*  —>   NGINX  —>   *HTTP Port 8042*
>> —>   SPRING BOOT APP (v2.0.5.RELEASE)
>>
>> USER  —>   *HTTPS Standard Port 443*  —>   NGINX  —>   *HTTP Port 8080*
>> —>   KEYCLOAK SERVER (v4.4.0.Final)
>>
>> Spring Boot App:
>>
>> <dependency>
>>     <groupId>org.keycloak.bom</groupId>
>>     <artifactId>keycloak-adapter-bom</artifactId>
>>     <version>4.4.0.Final</version>
>>     <type>pom</type>
>>     <scope>import</scope>
>> </dependency>
>>
>> ...
>>
>> <dependency>
>>     <groupId>org.keycloak</groupId>
>>     <artifactId>keycloak-spring-boot-starter</artifactId>
>> </dependency>
>>
>> Config yaml:
>>
>> keycloak:
>>   auth-server-url: https://sso.example.com/auth
>>   realm: my-app
>>   public-client: true
>>   resource: my-client
>>   ssl-required: external
>>
>>
>>
>> Nginx is configured as a reverse proxy with these settings for the spring
>> boot app:
>>
>> upstream app {
>>    server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>    server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>> }
>>
>> server {
>>     listen 443;
>>     server_name www.example.com;
>>
>>     ...
>>
>>     location / {
>>         proxy_set_header        Host $host;
>>         proxy_set_header        X-Real-IP $remote_addr;
>>         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>         proxy_set_header        X-Forwarded-Proto $scheme;
>>         proxy_set_header        X-Forwarded-Host $host;
>>         proxy_set_header        X-Forwarded-Port   443;
>>
>>         proxy_next_upstream     error timeout invalid_header http_500;
>>         proxy_connect_timeout   2;
>>
>>         proxy_pass          http://app;
>>     }
>> }
>>
>> Nginx is configured as a reverse proxy with these settings for the
>> keycloak server:
>>
>>
>> upstream sso {
>>    server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>    server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>> }
>>
>> server {
>>     listen 443;
>>     server_name sso.example.com;
>>
>>    ...
>>
>>     location / {
>>         proxy_set_header        Host $host;
>>         proxy_set_header        X-Real-IP $remote_addr;
>>         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>         proxy_set_header        X-Forwarded-Proto $scheme;
>>         proxy_set_header        X-Forwarded-Host $host;
>>         proxy_set_header        X-Forwarded-Port   443;
>>         proxy_next_upstream     error timeout invalid_header http_500;
>>         proxy_connect_timeout   2;
>>
>>         proxy_pass          http://sso;
>>     }
>> }
>>
>> My keycloak configuration for standalone.xml has these settings:
>>
>> Undertow config:
>>
>> <server name="default-server">
>>     <http-listener name="default" socket-binding="http"
>> redirect-socket="proxy-https" enable-http2="true"
>> proxy-address-forwarding="true"/>
>>     <https-listener name="https" socket-binding="https"
>> security-realm="ApplicationRealm" enable-http2="true"/>
>>     <host name="default-host" alias="localhost">
>>         <http-invoker security-realm="ApplicationRealm"/>
>>     </host>
>> </server>
>>
>> Socket Bindings:
>>
>> <socket-binding-group name="standard-sockets" default-interface="public"
>> port-offset="${jboss.socket.binding.port-offset:0}">
>>     <socket-binding name="management-http" interface="management"
>> port="${jboss.management.http.port:9990}"/>
>>     <socket-binding name="management-https" interface="management"
>> port="${jboss.management.https.port:9993}"/>
>>     <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>     <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>     <socket-binding name="proxy-https" port="443"/>
>>     <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>     <socket-binding name="txn-recovery-environment" port="4712"/>
>>     <socket-binding name="txn-status-manager" port="4713"/>
>>     <outbound-socket-binding name="mail-smtp">
>>         <remote-destination host="localhost" port="25"/>
>>     </outbound-socket-binding>
>> </socket-binding-group>
>>
>>
>> Thanks for your help, I must have missed something somewhere. I just
>> can’t for the life of me find out where that port 0 is coming from.
>>
>>
>> Dean Poulin
>> Owner & Principal Software Engineer
>> edgewood software
>> email: dean at edgewoodsoftware.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
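An added diagnostic for the symptom in this thread (my code, not the Keycloak project's or Dean's): it pulls the redirect_uri out of the authorization URL the adapter redirects the browser to, flags a scheme mismatch or the ":0" port that Keycloak rejects with invalid_redirect_uri, and models the client's Valid Redirect URIs matching. The sample URL is constructed from the one quoted above; the matching rule (prefix on a trailing "*", otherwise exact) is an assumption, not Keycloak's own code.

```python
"""Added diagnostic, not code from the Keycloak project or the thread: extract the
redirect_uri an OIDC adapter sent to Keycloak, flag proxy-related defects such as
the ':0' port, and model the client's 'Valid Redirect URIs' check in simplified form."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the authorization URL quoted in the thread.
SAMPLE_LOCATION = (
    "https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth"
    "?response_type=code&client_id=my-client"
    "&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin"
    "&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid"
)
DEFAULT_PORTS = {"https": 443, "http": 80}


def extract_redirect_uri(location):
    """Return the decoded redirect_uri parameter of an authorization-endpoint URL."""
    values = parse_qs(urlsplit(location).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def check_redirect_uri(location, expected_host, expected_scheme="https"):
    """Return findings about the redirect_uri; an empty list means it looks right."""
    uri = urlsplit(extract_redirect_uri(location))
    findings = []
    if uri.scheme != expected_scheme:  # e.g. http after setting ssl-required=none
        findings.append("scheme is %r, expected %r" % (uri.scheme, expected_scheme))
    if uri.hostname != expected_host:
        findings.append("host is %r, expected %r" % (uri.hostname, expected_host))
    try:
        port = uri.port  # urlsplit accepts 0..65535, so ':0' parses as 0
    except ValueError as exc:
        findings.append("unparseable port: %s" % exc)
    else:
        if port == 0:
            findings.append("port is 0: the adapter did not resolve the forwarded port")
        elif port is not None and port != DEFAULT_PORTS.get(expected_scheme):
            findings.append("explicit non-default port %d" % port)
    return findings


def matches_valid_redirect(uri, patterns):
    """Simplified model (assumption, not Keycloak's code) of the client's Valid Redirect
    URIs check: a pattern ending in '*' is a prefix match, anything else must match exactly."""
    return any(uri.startswith(p[:-1]) if p.endswith("*") else uri == p for p in patterns)
```

Run `check_redirect_uri` against the Location header your own app returns for an unauthenticated request; a port-0 finding with a wildcard pattern like `https://www.example.com/*` explains the invalid_redirect_uri event in the Keycloak log.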

