<div dir="ltr">I got it working but as you've seen only if everyone contacts the Nginx IP. If the back end <div>servers contact Keycloak directly then the validation fails because the token was issued </div><div>by 'a different server'. </div><div><br></div><div>I want to do the same thing as well. I want the front-end of our application to authenticate</div><div>against the public address then all the back end servers running in Docker contact the </div><div>Keycloak docker container directly. The way I have it now I'm generating a lot of traffic </div><div>between the Docker (actually Rancher) LAN and the external LAN.</div><div><br></div><div>I think we need a concept of service aliases so that a token issued by </div><div>https:my-public-name:443 would still be accepted by <a href="http://keycloak:8080">http://keycloak:8080</a> (as long as it</div><div>was indeed issued by that server under a different alias)<br><div><br></div><div><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font color="#000000"><b>Kevin Thorpe<br></b></font></div>
<div>CTO<br></div>
<div><br>
</div>
<div><a href="https://www.p-i.net/" target="_blank"><img src="cid:part1.09070200.07040105@p-i.net"></a> <a href="https://twitter.com/@PI_150" target="_blank"><img src="cid:part3.05090201.04050806@p-i.net"></a><br>
</div>
<div><br>
</div>
<div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T: <a value="+442030056750">+44 (0)203 005 6750</a> |
F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
</div>
<div><font color="#515151">150
Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
<div><br><b><span style="color:rgb(11,83,148)"> <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000"> <img src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000" height="36" width="64"><img src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000" height="44" width="116"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted with it
are confidential and intended solely for the use of the
individual or entity to whom they are addressed. If you
have received this email in error please notify the system
manager. This message contains confidential information
and is intended only for the individual named. If you are
not the named addressee you should not disseminate,
distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system. If you
are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly
prohibited.</font></p><p><b>"<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>" </b></p></div></div></div></div></div>
<br><div class="gmail_quote">On 24 September 2015 at 02:38, Doug Szeto <span dir="ltr"><<a href="mailto:DSzeto@investlab.com" target="_blank">DSzeto@investlab.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
<p><br>
</p>
Did you ever get the correct settings?
<div><br>
</div>
<div>When I put nginx in front of keycloak, it generates access tokens tied to the nginx server's IP instead of the browser's IP. This is apparent in the admin management pages when you look up the active sessions.
<div><br>
</div>
<div>The problem I'm having is there is a resource server that accepts bearer only tokens. It uses a different server, and now fails the token validation check. Remove the nginx servers and things work fine.</div>
<div><br>
</div>
<div>Any suggestions?</div>
<div>--Doug</div>
<div><br>
</div>
<div><br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> <a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a> <<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Kevin Thorpe <<a href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>><br>
<b>Sent:</b> Friday, September 18, 2015 19:21<br>
<b>To:</b> <a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a><br>
<b>Cc:</b> keycloak-user<br>
<b>Subject:</b> Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems</font>
<div> </div>
</div><div><div class="h5">
<div>
<div dir="ltr">oh I see. I was copying the style of config from the developer who set up the test
<div>Keycloak (assuming wrongly that he knew what he was doing). Setting it to the</div>
<div>actual site worked........ but now I have another problem :-(</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><font color="#000000"><b>Kevin Thorpe<br>
</b></font></div>
<div>CTO<br>
</div>
<div><br>
</div>
<div><a href="https://www.p-i.net/" target="_blank"><img src="http://service.svc/s/GetFileAttachment?id=AAMkAGIxOTBjNDM0LTgxNDQtNDYxYi1iYzBmLWYwNDI0MTE5MmVjYwBGAAAAAAA%2F4bdKygj1QJSA616jntzABwAl%2FbE8zyj0T7dK0ot6a0ytAAAAAAEPAAAl%2FbE8zyj0T7dK0ot6a0ytAABm1lBtAAABEgAQAJlVflMenDVNqr8Xkk3dqvU%3D&X-OWA-CANARY=vpd7MF4UF02fGXygyRPIMkDAkk5_xNIYUwzrL32mQChn_0lziostcsaRPWIzvSWhnfk5T2JGB5U."></a>
<a href="https://twitter.com/@PI_150" target="_blank"><img src="http://service.svc/s/GetFileAttachment?id=AAMkAGIxOTBjNDM0LTgxNDQtNDYxYi1iYzBmLWYwNDI0MTE5MmVjYwBGAAAAAAA%2F4bdKygj1QJSA616jntzABwAl%2FbE8zyj0T7dK0ot6a0ytAAAAAAEPAAAl%2FbE8zyj0T7dK0ot6a0ytAABm1lBtAAABEgAQAGGp4TV86TdMgXrTPATB9VA%3D&X-OWA-CANARY=vpd7MF4UF02fGXygyRPIMkDAkk5_xNIYUwzrL32mQChn_0lziostcsaRPWIzvSWhnfk5T2JGB5U."></a><br>
</div>
<div><br>
</div>
<div><a href="http://www.p-i.net/" target="_blank">www.p-i.net</a> | <a href="https://twitter.com/@PI_150" target="_blank">@PI_150</a><br>
</div>
<div><span style="color:rgb(81,81,81)"><br>
</span></div>
<div><span style="color:rgb(81,81,81)">M: <a value="+447921676683">+44 (0)7425 160 368</a> | T:
<a value="+442030056750">+44 (0)203 005 6750</a> | F: <a value="+442077302635">+44(0)207 730 2635</a></span><br>
</div>
<div><font color="#515151">150 Buckingham Palace Road, </font><span style="color:rgb(81,81,81)">London, SW1W 9TR, UK</span></div>
<div><br>
<b><span style="color:rgb(11,83,148)"> <img src="https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/81028530-5f84-4598-825b-f6465a83bae1?t=1416563040000">
<img src="https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/145aebe0-c393-49d7-8e1d-44c3c4d451dc?t=1416563040000">
<img height="36" width="64" src="https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bdad-40c3-b284-102c365c7b85?t=1416563040000"><img height="44" width="116" src="https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7a-8a22-818f518f0459?t=1421160152000"></span></b></div>
<div><font size="1">_____________________________ </font></div>
<p><font size="1">This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains
confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake
and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.</font></p>
<p><b>"<span style="color:rgb(11,83,148)"><font>SAVE PAPER - THINK BEFORE YOU PRINT!</font></span>"
</b></p>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On 18 September 2015 at 11:59, Stian Thorgersen <span dir="ltr">
<<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">The * can only be on the end of the valid redirect uri. So you need to specify '<a href="https://my-client.pibenchmark.com/*" target="_blank">https://my-client.pibenchmark.com/*</a>' or simply '*'. The latter not being a good idea obviously.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On 18 September 2015 at 12:42, Kevin Thorpe <span dir="ltr"><<a href="mailto:kevin.thorpe@p-i.net" target="_blank">kevin.thorpe@p-i.net</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr">
<div>Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to</div>
<div>avoid the invalid parameter: redirect_uri problem.</div>
<div><br>
</div>
<div>Website is <a href="https://my-client.pibenchmark.com" target="_blank">https://my-client.pibenchmark.com</a></div>
<div><br>
</div>
<div>In nginx:</div>
<div>location /auth {</div>
<div> proxy_pass <a href="https://auth-service" target="_blank">https://auth-service</a>;</div>
<div>}</div>
<div><br>
</div>
<div>upstream auth-service {</div>
<div> server my-keycloak:8443;</div>
<div>}</div>
<div><br>
</div>
<div>Then in Keycloak I have valid redirect URIs set to https://*.<a href="http://pibenchmark.com/*" target="_blank">pibenchmark.com/*</a> ie my whole domain. Still getting invalid parameter: redirect_uri though. </div>
<div><br>
</div>
<div>What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.</div>
<span><font color="#888888"><br clear="all">
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><font color="#000000"><b>Kevin Thorpe<br>
</b></font></div>
<div>CTO, PI Limited</div>
</div>
</div>
</div>
</div>
</font></span></div>
<br>
</div>
</div>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div></div></div>
</div>
</div>
</div>
</div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>