[keycloak-user] Invalid parameter: redirect_uri behind reverse proxy

Wed Sep 26 04:13:20 EDT 2018

One thing I see is that your X-Forwarded-Proto header is wrong, it should
be https and not http. Please take a look at the documentation at
https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses
for how to configure your reverse-proxy. Also make sure that you have set
"proxy-address-forwarding=true" in your standalone.xml configuration of
Wildfly.

Greetings

Henning

Am Di., 25. Sep. 2018 um 18:37 Uhr schrieb Corentin Dupont <
corentin.dupont at gmail.com>:

> Hello,
> wWhen opening the admin console: https://keycloak.mysite.com/auth/admin/.
>
> The page is redirecting to:
>
> https://keycloak.mysite.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fkeycloak.mysite.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=580747dc-8471-40be-8d9c-e63af68cf605&response_mode=fragment&response_type=code&scope=openid&nonce=28c85baa-6c76-44d9-8f4a-796a58d29383
>
> But I get this message:
> Invalid parameter: redirect_uri
>
> It seems that keycloak doesn't like the https in the redirect. Can it be?
>
>
> My Keycloak is behind a reverse proxy.
> I setup the following tags in standalone.xml:
>
> <http-listener name="default" socket-binding="http" enable-http2="true"
> proxy-address-forwarding="true" redirect-socket="proxy-https"/>
> <socket-binding name="proxy-https" port="443"/>
>
> My reverse proxy is also setting headers: Host, X-Real-IP, X-Forwarded-For,
> X-Forwarded-Proto.
>
> Using tcpdump, I can see the following headers:
> GET
>
> /auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/fonts/OpenSans-Light-webfont.woff2
> HTTP/1.0
> Host: keycloak.staging.waziup.io
> X-Real-IP: 18.195.197.182
> X-Forwarded-For: 217.77.82.229, 18.195.197.182
> X-Forwarded-Proto: http
> Connection: close
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101
> Firefox/62.0
> Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: identity
> Referer:
>
> https://keycloak.staging.waziup.io/auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly.css
> Cookie: _ga=GA1.2.823033289.1537866165; _gid=GA1.2.861449812.1537866165
> Pragma: no-cache
> Cache-Control: no-cache
>
> Are they correct?
> Thanks a lot
> Corentin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 

-----------

Henning Waack | IT Consultant

codecentric AG | Hochstraße 11
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>
|
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>

<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>42697
Solingen
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>
 |Deutschland
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>

tel: +49 (0)151 108 515 29

www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal

Vorstand: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus Jäger . Jürgen Schütz

Diese E-Mail einschließlich evtl. beigefügter Dateien enthält vertrauliche
und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige
Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie
bitte sofort den Absender und löschen Sie diese E-Mail und evtl.
beigefügter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder Öffnen
evtl. beigefügter Dateien sowie die unbefugte Weitergabe dieser E-Mail ist
nicht gestattet.