<div dir="ltr">Pleased you found out what's going on. Please create an issue.</div><div class="gmail_extra"><br><div class="gmail_quote">On 5 January 2016 at 01:40, Paul Blair <span dir="ltr"><<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>Figured it out — it's a case-sensitivity issue:</div>
<div><br>
</div>
<div><a>https://ApimanLoadBalancer.elb.amazonaws.com/apimanui</a>/*</div>
<div><br>
</div>
<div>Fails to match</div>
<div><br>
</div>
<div><a href="https://apimanloadbalancer/apimanui" target="_blank">https://apimanloadbalancer.elb.amazonaws.com/apimanui</a>/*</div>
<div><br>
</div>
<div>I believe subdomains are case-insensitive. Should I raise an issue on this?</div>
<div><br>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>"<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>" <<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>><br>
<span style="font-weight:bold">Date: </span>Mon, 4 Jan 2016 19:32:54 -0500<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>" <<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>>, keycloak-user <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] "Invalid parameter: redirect_uri"<br>
</div><div><div class="h5">
<div><br>
</div>
<div>
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>I should mention that this happens whether or not I have <a>https://[apimanLoadBalancer]</a> in the Root URL field for the Apimanui client, or whether or not I have <a>https://[apimanLoadBalancer]/apimanui</a>/*
in the Valid Redirect URIs, or both. However, if they are present I no longer see the DEBUG line "replacing relative valid redirect with…"; I only see the WARN message with the failure.</div>
<div><br>
</div>
<div>Also, it appears that the URL encoding is a non-issue; at least, I see the URLs encoded properly in the browser URL bar even if the "inspect" formats them with slashes and colons.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>"<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>" <<a href="mailto:pblair@clearme.com" target="_blank">pblair@clearme.com</a>><br>
<span style="font-weight:bold">Date: </span>Tue, 5 Jan 2016 00:16:36 +0000<br>
<span style="font-weight:bold">To: </span>keycloak-user <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>[keycloak-user] "Invalid parameter: redirect_uri"<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>I am using Keycloak with the apiman API manager. Both are on AWS and are behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING). When I request the apiman admin UI page (<a>https://[apimanLoadBalancer]/apimanui</a>),
I get redirected to the following URL:</div>
<div><br>
</div>
<div> <a>
https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=</a><a>https://[apimanLoadBalancer]/apimanui/index.html&state=3/c48eec70-0fe9-44bf-9802-a351353f7600&login=true</a></div>
<div><br>
</div>
<div>Keycloak then displays the error "We're Sorry… Invalid parameter: redirect_uri"</div>
<div><br>
</div>
<div>In the Keycloak log I see:</div>
<div><br>
</div>
<div>
<div> DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-7) replacing relative valid redirect with:
<a>https://[KeycloakLoadBalancer]/apimanui/*</a></div>
<div> WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP], error=invalid_redirect_uri, response_type=code, redirect_uri=<a>https://[apimanLoadBalancer]/apimanui/index.html</a>,
response_mode=query</div>
</div>
<div><br>
</div>
<div>This looks to me as though Keycloak thinks that the redirect URI is a relative path. I also notice that the query string parameters for redirect_uri are not URL encoded by apiman. Would this be the source of the problem?</div>
</div>
</div>
_______________________________________________ keycloak-user mailing list <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">
keycloak-user@lists.jboss.org</a> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">
https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></div>
</div>
</div></div></span>
</div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>