<div dir="ltr">Excellent, just tested it out and it is working as expected.<div><br></div><div>I also had to add &#39;RequestHeader set X-Forwarded-Proto &quot;https&quot;&#39; to my Apache virtualhost configuration.</div>
<div><br></div><div>Some documentation somewhere that this is required would be useful for the next guy.</div><div><br></div><div>Thanks,</div><div>Josh</div>







</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 17, 2014 at 4:58 AM, Stian Thorgersen <span dir="ltr">&lt;<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This is quite likely an issue with either Apache or WildFly not being configured correctly.<br>
<br>
Have you enabled proxy-address-forwarding in WildFly/Undertow (see <a href="https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration" target="_blank">https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration</a> for more info)?<br>

<div class="im HOEnZb"><br>
----- Original Message -----<br>
&gt; From: &quot;Josh&quot; &lt;<a href="mailto:smysnk@gmail.com">smysnk@gmail.com</a>&gt;<br>
</div><div class="HOEnZb"><div class="h5">&gt; To: &quot;Stian Thorgersen&quot; &lt;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&gt;<br>
&gt; Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; Sent: Monday, 16 June, 2014 4:42:27 PM<br>
&gt; Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies<br>
&gt;<br>
&gt; The first would be at the &quot;Welcome to Keycloak&quot; page, clicking on<br>
&gt; Administration Console.  The link itself is not redirecting to http, but as<br>
&gt; part of the login page it looks like it forwards back to http. (eg.<br>
&gt; <a href="https://auth.psidox.com/auth/" target="_blank">https://auth.psidox.com/auth/</a> -&gt; <a href="https://auth.psidox.com/auth/admin/" target="_blank">https://auth.psidox.com/auth/admin/</a> -&gt;<br>
&gt; <a href="http://auth.psidox.com/auth/admin/master/console" target="_blank">http://auth.psidox.com/auth/admin/master/console</a> -&gt;<br>
&gt; <a href="http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&amp;redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&amp;state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&amp;response_type=code" target="_blank">http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&amp;redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&amp;state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&amp;response_type=code</a><br>

&gt; )<br>
&gt;<br>
&gt; I haven&#39;t really gotten too far beyond the login page.<br>
&gt;<br>
&gt; - Josh<br>
&gt;<br>
&gt;<br>
&gt; On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen &lt;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&gt; wrote:<br>
&gt;<br>
&gt; &gt; When does it forward the browser from https to http?<br>
&gt; &gt;<br>
&gt; &gt; As Bill pointed out, does auth-server-url in your keycloak.json point to<br>
&gt; &gt; your proxy with https?<br>
&gt; &gt;<br>
&gt; &gt; What adapter are you using?<br>
&gt; &gt;<br>
&gt; &gt; ----- Original Message -----<br>
&gt; &gt; &gt; From: &quot;Josh&quot; &lt;<a href="mailto:smysnk@gmail.com">smysnk@gmail.com</a>&gt;<br>
&gt; &gt; &gt; To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; &gt; &gt; Sent: Friday, 13 June, 2014 8:41:32 AM<br>
&gt; &gt; &gt; Subject: [keycloak-user] Significant SSL issue: Support for reverse<br>
&gt; &gt; proxies<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Hi guys,<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; So looking to help solve this issue possibly or at least get it on the<br>
&gt; &gt; radar,<br>
&gt; &gt; &gt; I&#39;ve reported it here: <a href="https://issues.jboss.org/browse/KEYCLOAK-497" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-497</a><br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; To briefly recap the issue, when logging in via reverse proxy it keeps<br>
&gt; &gt; &gt; forwarding the browser from https back to regular http.<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Eg. Apache virtualhost configured as:<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &lt;VirtualHost *:443&gt;<br>
&gt; &gt; &gt; ServerName <a href="http://auth.domain.com" target="_blank">auth.domain.com</a><br>
&gt; &gt; &gt; SSLEngine On<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &lt;Proxy *&gt;<br>
&gt; &gt; &gt; Order deny,allow<br>
&gt; &gt; &gt; Allow from all<br>
&gt; &gt; &gt; &lt;/Proxy&gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; ProxyVia Off<br>
&gt; &gt; &gt; ProxyPreserveHost On<br>
&gt; &gt; &gt; ProxyRequests Off<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; ProxyPass / <a href="http://keycloak.core.docker:8080/" target="_blank">http://keycloak.core.docker:8080/</a><br>
&gt; &gt; &gt; ProxyPassReverse / <a href="http://keycloak.core.docker:8080/" target="_blank">http://keycloak.core.docker:8080/</a><br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &lt;/VirtualHost&gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; If I were to start looking into the code base, where would I start?<br>
&gt; &gt; Trying to<br>
&gt; &gt; &gt; find for example during the login process how the forward url is formed?<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Thanks,<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Josh<br>
&gt; &gt; &gt;<br>
&gt; &gt;<br>
&gt;<br>
</div></div></blockquote></div><br></div>
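<div>The working setup this thread arrives at, as an added example that is not part of the original messages or of Keycloak's documentation: Josh's virtual host with the X-Forwarded-Proto header set, and the Undertow proxy-address-forwarding setting Stian mentions shown in a comment. Host names are the ones from the thread; the http-listener line is an assumed listener definition, and the TLS certificate directives are omitted as in the original post.</div>

```apache
# Requires mod_headers (for RequestHeader) alongside mod_ssl, mod_proxy
# and mod_proxy_http.
<VirtualHost *:443>
    ServerName auth.domain.com
    SSLEngine On
    # SSLCertificateFile / SSLCertificateKeyFile omitted, as in the original post.

    # Apache 2.2 access syntax, kept from the original post.
    # On Apache 2.4 the equivalent is "Require all granted".
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyVia Off
    ProxyPreserveHost On
    ProxyRequests Off

    # TLS ends at this proxy and the hop to the backend is plain HTTP, so
    # the backend only learns the browser's scheme from this header.
    # "set" (rather than "add") overwrites any X-Forwarded-Proto value
    # supplied by the client.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://keycloak.core.docker:8080/
    ProxyPassReverse / http://keycloak.core.docker:8080/
</VirtualHost>

# Backend side (WildFly 8 / Undertow subsystem), shown for reference.
# Assumed listener definition; only proxy-address-forwarding comes from
# the thread:
#   <http-listener name="default" socket-binding="http"
#                  proxy-address-forwarding="true"/>
# With this enabled the backend believes X-Forwarded-* headers from any
# peer that connects, so port 8080 should accept connections from this
# proxy only.
```

<div>A quick check after reloading both sides: the redirect_uri parameter on the login URL should start with https%3A%2F%2F instead of the http%3A%2F%2F seen in the redirect chain quoted above.</div>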