[keycloak-user] keycloak-user Digest, Vol 58, Issue 18

Olivier Refalo orefalo at yahoo.com
Fri Oct 5 19:06:56 EDT 2018


unsubscribe

> On Oct 5, 2018, at 2:26 PM, keycloak-user-request at lists.jboss.org wrote:
> 
> Send keycloak-user mailing list submissions to
> 	keycloak-user at lists.jboss.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> 	keycloak-user-request at lists.jboss.org
> 
> You can reach the person managing the list at
> 	keycloak-user-owner at lists.jboss.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
> 
> 
> Today's Topics:
> 
>   1. Re: Keycloak invalid redirect_uri with port 0? (Sebastien Blanc)
>   2. Re: Too many redirects with remember me checked (Amritha Amarnath)
>   3. Custom password policy - i18n messages (Lukasz Lech)
>   4. Re: Keycloak invalid redirect_uri with port 0? (Dean Poulin)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 5 Oct 2018 11:37:29 +0200
> From: Sebastien Blanc <sblanc at redhat.com>
> Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port
> 	0?
> To: dean at edgewoodsoftware.com
> Cc: keycloak userlist <keycloak-user at lists.jboss.org>
> Message-ID:
> 	<CAMZCGg-L5cCCnsR_9TkkxAD5DJRyrgZc=Lo7b1rFMOCFJ7M2JA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
> 
> TBH No idea if it helps in your case but there is a config property called
> "redirect-rewrite-rules" that may help you :
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config
> 
> 
> On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean at edgewoodsoftware.com>
> wrote:
> 
>> Hi,
>> 
>> I've tried a couple things in that comment so far:
>> 
>> 1) Verified I'm sending through the headers and the spring boot app is
>> receiving the headers:
>> 
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05
>> 05:15:27.576  INFO 25117 --- [nio-8042-exec-2]
>> a.c.u.server.controller.IndexController  : host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
>> x-real-ip=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
>> x-forwarded-for=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
>> x-forwarded-proto=https
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
>> x-forwarded-host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
>> x-forwarded-port=443
>> 
>> I tried setting the spring boot keycloak config setting:
>> 
>> keycloak.ssl-required = none
>> 
>> That did remove the port 0 in the redirect_uri being generated but it also
>> set the redirect uri to be http instead of https, which seems like it'd be
>> bad. I do have nginx set to redirect all http requests to https anyway.
>> 
>> Is there something else I need to do to get the spring boot app to
>> generate the correct redirect_uri with https? There must be like some magic
>> config setting I've missed somewhere. I'll keep digging and share what I
>> find.
>> 
>> Thanks,
>> 
>> Dean Poulin
>> Owner & Principal Software Engineer
>> edgewood software
>> email: dean at edgewoodsoftware.com
>> 
>> 
>> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc at redhat.com> wrote:
>> 
>> Hi,
>> 
>> We have a ticket concerning the 0 added as port :
>> https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan
>> it to work on it. But look at the comments, looks like there are some
>> workarounds for now (the last comment).
>> 
>> Sebi
>> 
>> 
>> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean at edgewoodsoftware.com>
>> wrote:
>> 
>>> Hi everyone,
>>> 
>>> First email to the group here. I've been heavily underway implementing
>>> Keycloak for my app's auth needs and very impressed with the product. I've
>>> delayed emailing the group until I've spent hours of time trying to figure
>>> out this weird issue I'm experiencing. This might not be the best place to
>>> post this, but figured I'd start here.
>>> 
>>> For some reason, when I visit my spring boot webapp that's protected by
>>> keycloak it's redirecting to keycloak as expected but the redirect_uri is
>>> being set with a port of 0 which is causing me to get an error on the
>>> keycloak login page saying "invalid redirect_uri."
>>> 
>>> I've googled this and I've found some people having similar issues, but
>>> couldn't find solutions (e.g.
>>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234,
>>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234).
>>> 
>>> My prod/test environment uses an nginx reverse proxy in front of my apps.
>>> 
>>> I followed these steps:
>>> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
>>> 
>>> The url that was throwing that error looked like this (see the port of 0
>>> in the url):
>>> 
>>> 
>>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
>>> 
>>> The keycloak logs contained this error for the above url:
>>> 
>>> Oct 05 02:39:40 sso01.example.com
>>> standalone.sh[20517]: 02:39:40,888 WARN  [org.keycloak.events] (default
>>> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null,
>>> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=
>>> https://www.example.com:0/sso/login
>>> 
>>> As you can see for some reason the redirect_uri is being set with a port
>>> of 0.
>>> 
>>> I put in the url with port 0 (https://www.example.com:0/sso/login) into
>>> the keycloak client config under Valid Redirect URIs and that removed the
>>> invalid redirect_url issue and the login page was now rendering without an
>>> error.
>>> 
>>> However, when the redirect is performed after login, the browser gets
>>> screwed up with having port 0 in there? Google Chrome has this error:
>>> 
>>> This site can't be reached
>>> The webpage at
>>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw
>>> might be temporarily down or it may have moved permanently to a new web
>>> address.
>>> ERR_ADDRESS_INVALID
>>> 
>>> Here's my architecture:
>>> 
>>> USER  ->   *HTTPS Standard Port 443*  ->   NGINX  ->   *HTTP Port 8042*
>>> ->   SPRING BOOT APP (v2.0.5.RELEASE)
>>> 
>>> USER  ->   *HTTPS Standard Port 443*  ->   NGINX  ->   *HTTP Port 8080*
>>> ->   KEYCLOAK SERVER (v4.4.0.Final)
>>> 
>>> Spring Boot App:
>>> 
>>> <dependency>
>>>    <groupId>org.keycloak.bom</groupId>
>>>    <artifactId>keycloak-adapter-bom</artifactId>
>>>    <version>4.4.0.Final</version>
>>>    <type>pom</type>
>>>    <scope>import</scope>
>>> </dependency>
>>> 
>>> ...
>>> 
>>> <dependency>
>>>    <groupId>org.keycloak</groupId>
>>>    <artifactId>keycloak-spring-boot-starter</artifactId>
>>> </dependency>
>>> 
>>> Config yaml:
>>> 
>>> keycloak:
>>>  auth-server-url: https://sso.example.com/auth
>>>  realm: my-app
>>>  public-client: true
>>>  resource: my-client
>>>  ssl-required: external
>>> 
>>> 
>>> 
>>> Nginx is configured as a reverse proxy with these settings for the spring
>>> boot app:
>>> 
>>> upstream app {
>>>   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>>   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>> }
>>> 
>>> server {
>>>    listen 443;
>>>    server_name www.example.com;
>>> 
>>>    ...
>>> 
>>>    location / {
>>>        proxy_set_header        Host $host;
>>>        proxy_set_header        X-Real-IP $remote_addr;
>>>        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>>        proxy_set_header        X-Forwarded-Proto $scheme;
>>>        proxy_set_header        X-Forwarded-Host $host;
>>>        proxy_set_header        X-Forwarded-Port   443;
>>> 
>>>        proxy_next_upstream     error timeout invalid_header http_500;
>>>        proxy_connect_timeout   2;
>>> 
>>>        proxy_pass          http://app;
>>>    }
>>> }
>>> 
>>> Nginx is configured as a reverse proxy with these settings for the
>>> keycloak server:
>>> 
>>> 
>>> upstream sso {
>>>   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>>   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>> }
>>> 
>>> server {
>>>    listen 443;
>>>    server_name sso.example.com;
>>> 
>>>   ...
>>> 
>>>    location / {
>>>        proxy_set_header        Host $host;
>>>        proxy_set_header        X-Real-IP $remote_addr;
>>>        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>>        proxy_set_header        X-Forwarded-Proto $scheme;
>>>        proxy_set_header        X-Forwarded-Host $host;
>>>        proxy_set_header        X-Forwarded-Port   443;
>>>        proxy_next_upstream     error timeout invalid_header http_500;
>>>        proxy_connect_timeout   2;
>>> 
>>>        proxy_pass          http://sso;
>>>    }
>>> }
>>> 
>>> My keycloak configuration for standalone.xml has these settings:
>>> 
>>> Undertow config:
>>> 
>>> <server name="default-server">
>>>    <http-listener name="default" socket-binding="http"
>>> redirect-socket="proxy-https" enable-http2="true"
>>> proxy-address-forwarding="true"/>
>>>    <https-listener name="https" socket-binding="https"
>>> security-realm="ApplicationRealm" enable-http2="true"/>
>>>    <host name="default-host" alias="localhost">
>>>        <http-invoker security-realm="ApplicationRealm"/>
>>>    </host>
>>> </server>
>>> 
>>> ...
>>> 
>>> Socket Bindings:
>>> 
>>> <socket-binding-group name="standard-sockets" default-interface="public"
>>> port-offset="${jboss.socket.binding.port-offset:0}">
>>>    <socket-binding name="management-http" interface="management"
>>> port="${jboss.management.http.port:9990}"/>
>>>    <socket-binding name="management-https" interface="management"
>>> port="${jboss.management.https.port:9993}"/>
>>>    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>>    <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>>    <socket-binding name="proxy-https" port="443"/>
>>>    <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>>    <socket-binding name="txn-recovery-environment" port="4712"/>
>>>    <socket-binding name="txn-status-manager" port="4713"/>
>>>    <outbound-socket-binding name="mail-smtp">
>>>        <remote-destination host="localhost" port="25"/>
>>>    </outbound-socket-binding>
>>> </socket-binding-group>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Thanks for your help, I must have missed something somewhere. I just
>>> can't for the life of me find out where that port 0 is coming from.
>>> 
>>> 
>>> Dean Poulin
>>> Owner & Principal Software Engineer
>>> edgewood software
>>> email: dean at edgewoodsoftware.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
>> 
>> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 5 Oct 2018 15:45:30 +0530 (GMT+05:30)
> From: Amritha Amarnath <amritha_amarnath at amritatech.com>
> Subject: Re: [keycloak-user] Too many redirects with remember me
> 	checked
> To: Martin Kanis <mkanis at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID:
> 	<3312779.577271538734530914.JavaMail.root at atmail.amritatech.com>
> Content-Type: text/plain; charset="utf-8"
> 
> 
> Hello,
> 
> Application is using keycloak-4.1.0.Final. For keycloak log please find attachment.
> 
> 
> 
> -- 
> With Regards, 
> Amms 
> 
> 
> 
> ----- Original Message ----- 
> From: "Martin Kanis" <mkanis at redhat.com>
> To: "amritha amarnath" <amritha_amarnath at amritatech.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi 
> Subject: Re: [keycloak-user] Too many redirects with remember me checked 
> 
> 
> Hello, 
> 
> 
> what version of Keycloak do you have? Can you provide a Keycloak log? 
> 
> 
> Regards, 
> Martin 
> 
> 
> On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath <amritha_amarnath at amritatech.com> wrote:
> 
> 
> 
> 
> 
> Hello, 
> 
> 
> My application has been deployed in Wildfly 11 and is integrated with standalone Keycloak and works fine. But the issue is, when the application is logged in with the Remember-me checkbox checked, it's showing too many redirects when restarting the browser, even though the user session is valid. It leads to logging out my application session manually from the keycloak admin console.
> 
> Wildfly log says: Account was not in session, returning null , there was no code
> 
> 
> Once the user session also gets expired, it's showing the login page with pre-filled username and remember-me checked as expected.
> 
> 
> I am new to keycloak. So any idea regarding too many redirects with remember-me checked?
> 
> -- 
> With Regards, 
> Amms 
> 
> 
> 
> 
> 
> _______________________________________________ 
> keycloak-user mailing list 
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> 
> 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: keycloak.log
> Type: text/x-log
> Size: 4017 bytes
> Desc: not available
> Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181005/098966fb/attachment-0001.bin
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 5 Oct 2018 10:19:14 +0000
> From: Lukasz Lech <l.lech at ringler.ch>
> Subject: [keycloak-user] Custom password policy - i18n messages
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Message-ID: <5E48B917000C984B86B77170F441903A11D8D731 at exch.ringler.ch>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello,
> 
> I've created my own password policy.
> 
> It gives back PolicyError with i18n key.
> 
> Where should I put the translations for that key? Do I need to append it to themes/base/login/messages/messages_XX.properties  or I can provide them in other location (inside the jar, for example)?
> 
> Best regards,
> Lukasz Lech
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 5 Oct 2018 06:26:52 -0400
> From: Dean Poulin <dean at edgewoodsoftware.com>
> Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port
> 	0?
> To: Sebastien Blanc <sblanc at redhat.com>
> Cc: keycloak userlist <keycloak-user at lists.jboss.org>
> Message-ID:
> 	<21D201FB-E437-473E-87D7-6F63E31B8D53 at edgewoodsoftware.com>
> Content-Type: text/plain;	charset=utf-8
> 
> After a bit more trial and error the final setting that worked for me was to set:
> 
> keycloak:
>  ssl-required: external
>  confidential-port: 443
> 
> Setting confidential-port to 443 is now generating the correct redirect_uri and having ssl-required set to external is forcing https correctly. The redirect_uri no longer has port 0.
> 
> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%2Fsso%2Flogin&state=3107f446-eab4-4473-903b-d6dd5746fc2d&login=true&scope=openid
> 
> Thanks again for your help pointing me in the right direction.
> 
> Dean Poulin
> Owner & Principal Software Engineer
> edgewood software
> email: dean at edgewoodsoftware.com
> 
>> On Oct 5, 2018, at 5:37 AM, Sebastien Blanc <sblanc at redhat.com> wrote:
>> 
>> TBH No idea if it helps in your case but there is a config property called "redirect-rewrite-rules" that may help you : https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config
>> 
>> 
>> On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean at edgewoodsoftware.com> wrote:
>> Hi,
>> 
>> I've tried a couple things in that comment so far:
>> 
>> 1) Verified I'm sending through the headers and the spring boot app is receiving the headers:
>> 
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05 05:15:27.576 INFO 25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController  : host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-real-ip=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-for=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-proto=https
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-port=443
>> 
>> I tried setting the spring boot keycloak config setting:
>> 
>> keycloak.ssl-required = none
>> 
>> That did remove the port 0 in the redirect_uri being generated but it also set the redirect uri to be http instead of https, which seems like it'd be bad. I do have nginx set to redirect all http requests to https anyway.
>> 
>> Is there something else I need to do to get the spring boot app to generate the correct redirect_uri with https? There must be like some magic config setting I've missed somewhere. I'll keep digging and share what I find.
>> 
>> Thanks,
>> 
>> Dean Poulin
>> Owner & Principal Software Engineer
>> edgewood software
>> email: dean at edgewoodsoftware.com
>> 
>> 
>>> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc at redhat.com> wrote:
>>> 
>>> Hi,
>>> 
>>> We have a ticket concerning the 0 added as port : https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan it to work on it. But look at the comments, looks like there are some workarounds for now (the last comment).
>>> 
>>> Sebi
>>> 
>>> 
>>> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean at edgewoodsoftware.com> wrote:
>>> Hi everyone,
>>> 
>>> First email to the group here. I've been heavily underway implementing Keycloak for my app's auth needs and very impressed with the product. I've delayed emailing the group until I've spent hours of time trying to figure out this weird issue I'm experiencing. This might not be the best place to post this, but figured I'd start here.
>>> 
>>> For some reason, when I visit my spring boot webapp that's protected by keycloak it's redirecting to keycloak as expected but the redirect_uri is being set with a port of 0 which is causing me to get an error on the keycloak login page saying "invalid redirect_uri."
>>> 
>>> I've googled this and I've found some people having similar issues, but couldn't find solutions (e.g. https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234, https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-adding-port-zero-to-the-url#comment92247161_51121234).
>>> 
>>> My prod/test environment uses an nginx reverse proxy in front of my apps.
>>> 
>>> I followed these steps: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
>>> 
>>> The url that was throwing that error looked like this (see the port of 0 in the url):
>>> 
>>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=https%3A%2F%2Fwww.example.com%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
>>> 
>>> The keycloak logs contained this error for the above url:
>>> 
>>> Oct 05 02:39:40 sso01.example.com standalone.sh[20517]: 02:39:40,888 WARN  [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/sso/login
>>> 
>>> As you can see for some reason the redirect_uri is being set with a port of 0.
>>> 
>>> I put in the url with port 0 (https://www.example.com:0/sso/login) into the keycloak client config under Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was now rendering without an error.
>>> 
>>> However, when the redirect is performed after login, the browser gets screwed up with having port 0 in there? Google Chrome has this error:
>>> 
>>> This site can't be reached
>>> The webpage at https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&session_state=2fe0ea56-f0f5-4009-807e-5281b169ab2a&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..g6vDubuMfcvB-hqvaNmMzg.JWLHM3z8rsaGahwlFT6v7xsJsbDKuDfpJRHh7RDa9Z9Fp7czf0XO1JyEo5-L2mM8S2FQ28GRalvXp8GQg569pGmZQX4H-2M6FUUnbxcMoarFIS5qF-h4-3bsocMgNiJO5hmh9BY0GNT-KoRdoWGCgNdcLM7t0m6T4BqLmxPy0aBDDdtblTE2mZCzaKxAobIby3_q_BxbkuMfiESR5qyuQs3jVfMhs4Ab8R8XUhXdgXJVgNNW77QPkN6thmdwCEFL.tmxCqdCFsycfF6nFsN_uMw might be temporarily down or it may have moved permanently to a new web address.
>>> ERR_ADDRESS_INVALID
>>> 
>>> Here's my architecture:
>>> 
>>> USER  ->   *HTTPS Standard Port 443*  ->   NGINX  ->   *HTTP Port 8042*  ->   SPRING BOOT APP (v2.0.5.RELEASE)
>>> 
>>> USER  ->   *HTTPS Standard Port 443*  ->   NGINX  ->   *HTTP Port 8080*  ->   KEYCLOAK SERVER (v4.4.0.Final)
>>> 
>>> Spring Boot App:
>>> 
>>> <dependency>
>>>    <groupId>org.keycloak.bom</groupId>
>>>    <artifactId>keycloak-adapter-bom</artifactId>
>>>    <version>4.4.0.Final</version>
>>>    <type>pom</type>
>>>    <scope>import</scope>
>>> </dependency>
>>> 
>>> ...
>>> 
>>> <dependency>
>>>    <groupId>org.keycloak</groupId>
>>>    <artifactId>keycloak-spring-boot-starter</artifactId>
>>> </dependency>
>>> 
>>> Config yaml:
>>> 
>>> keycloak:
>>>  auth-server-url: https://sso.example.com/auth
>>>  realm: my-app
>>>  public-client: true
>>>  resource: my-client
>>>  ssl-required: external
>>> 
>>> 
>>> 
>>> Nginx is configured as a reverse proxy with these settings for the spring boot app:
>>> 
>>> upstream app {
>>>   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>>   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>> }
>>> 
>>> server {
>>>    listen 443;
>>>    server_name www.example.com;
>>> 
>>>    ...
>>> 
>>>    location / {
>>>        proxy_set_header        Host $host;
>>>        proxy_set_header        X-Real-IP $remote_addr;
>>>        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>>        proxy_set_header        X-Forwarded-Proto $scheme;
>>>        proxy_set_header        X-Forwarded-Host $host;
>>>        proxy_set_header        X-Forwarded-Port   443;
>>> 
>>>        proxy_next_upstream     error timeout invalid_header http_500;
>>>        proxy_connect_timeout   2;
>>> 
>>>        proxy_pass          http://app;
>>>    }
>>> }
>>> 
>>> Nginx is configured as a reverse proxy with these settings for the keycloak server:
>>> 
>>> 
>>> upstream sso {
>>>   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>>   server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>> }
>>> 
>>> server {
>>>    listen 443;
>>>    server_name sso.example.com;
>>> 
>>>   ...
>>> 
>>>    location / {
>>>        proxy_set_header        Host $host;
>>>        proxy_set_header        X-Real-IP $remote_addr;
>>>        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
>>>        proxy_set_header        X-Forwarded-Proto $scheme;
>>>        proxy_set_header        X-Forwarded-Host $host;
>>>        proxy_set_header        X-Forwarded-Port   443;
>>>        proxy_next_upstream     error timeout invalid_header http_500;
>>>        proxy_connect_timeout   2;
>>> 
>>>        proxy_pass          http://sso;
>>>    }
>>> }
>>> 
>>> My keycloak configuration for standalone.xml has these settings:
>>> 
>>> Undertow config:
>>> 
>>> <server name="default-server">
>>>    <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" enable-http2="true" proxy-address-forwarding="true"/>
>>>    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
>>>    <host name="default-host" alias="localhost">
>>>        <http-invoker security-realm="ApplicationRealm"/>
>>>    </host>
>>> </server>
>>> 
>>> ...
>>> 
>>> Socket Bindings:
>>> 
>>> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>>>    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
>>>    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
>>>    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>>    <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>>    <socket-binding name="proxy-https" port="443"/>
>>>    <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>>    <socket-binding name="txn-recovery-environment" port="4712"/>
>>>    <socket-binding name="txn-status-manager" port="4713"/>
>>>    <outbound-socket-binding name="mail-smtp">
>>>        <remote-destination host="localhost" port="25"/>
>>>    </outbound-socket-binding>
>>> </socket-binding-group>
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Thanks for your help, I must have missed something somewhere. I just can't for the life of me find out where that port 0 is coming from.
>>> 
>>> 
>>> Dean Poulin
>>> Owner & Principal Software Engineer
>>> edgewood software
>>> email: dean at edgewoodsoftware.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> 
> ------------------------------
> 
> 
> End of keycloak-user Digest, Vol 58, Issue 18
> *********************************************
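
As an added example (not part of the original thread and not Keycloak code): a triage script for `invalid_redirect_uri` events like the one quoted above. It separates a redirect URI that differs from the registered one only by port (the `:0` case, where registering the URI, as tried above, only moves the failure to the browser) from one on an unregistered host. The log lines, the `REGISTERED` table and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the format of the Keycloak event quoted above.
SAMPLE_LOG = """\
02:39:40,888 WARN  [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/sso/login
02:41:02,113 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=203.0.113.9, error=invalid_redirect_uri, redirect_uri=https://login.example.net/sso/login
02:41:30,004 WARN  [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=user_not_found, username=bob
"""
# Assumption: what the client's "Valid Redirect URIs" is meant to contain.
REGISTERED = {"my-client": ["https://www.example.com/sso/login"]}
DEFAULT_PORTS = {"http": 80, "https": 443}
EVENT_RE = re.compile(r"\[org\.keycloak\.events\] \([^)]*\) (?P<fields>type=.*)$")

def origin(uri):
    """Return (scheme, host, effective port); port is None if it cannot be parsed."""
    parts = urlsplit(uri)
    try:
        port = parts.port          # an explicit ":0" parses as 0, not as "no port"
    except ValueError:
        return parts.scheme, parts.hostname, None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port

def classify(client_id, uri):
    """Compare a rejected redirect_uri with the client's registered URIs."""
    scheme, host, port = origin(uri)
    verdict = "unregistered_host"
    for reg in REGISTERED.get(client_id, []):
        r_scheme, r_host, r_port = origin(reg)
        if (scheme, host) != (r_scheme, r_host):
            continue
        if port != r_port:
            verdict = "port_mismatch"      # same site, wrong port: URI was built wrongly
        elif urlsplit(uri).path != urlsplit(reg).path:
            verdict = "unregistered_path"
        else:
            return "registered"
    return verdict

def triage(log_text):
    """Return (ipAddress, redirect_uri, verdict) for each invalid_redirect_uri event."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group("fields").split(", ") if "=" in kv)
        if ev.get("error") == "invalid_redirect_uri":
            uri = ev["redirect_uri"]
            findings.append((ev["ipAddress"], uri, classify(ev["clientId"], uri)))
    return findings
```

A `port_mismatch` verdict is a reason to inspect how the application derives its own host and port behind the proxy, while `unregistered_host` is the case the redirect URI allow-list exists to reject.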


