<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Figured it out — it's a case-sensitivity issue:</div>
<div><br>
</div>
<div><a href="https://[apimanLoadBalancer]/apimanui">https://ApimanLoadBalancer.elb.amazonaws.com/apimanui</a>/*</div>
<div><br>
</div>
<div>Fails to match</div>
<div><br>
</div>
<div><a href="https://apimanloadbalancer/apimanui">https://apimanloadbalancer.elb.amazonaws.com/apimanui</a>/*</div>
<div><br>
</div>
<div>I believe subdomains are case-insensitive. Should I raise an issue on this?</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>"<a href="mailto:pblair@clearme.com">pblair@clearme.com</a>" &lt;<a href="mailto:pblair@clearme.com">pblair@clearme.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Mon, 4 Jan 2016 19:32:54 -0500<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:pblair@clearme.com">pblair@clearme.com</a>" &lt;<a href="mailto:pblair@clearme.com">pblair@clearme.com</a>&gt;, keycloak-user &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] "Invalid parameter: redirect_uri"<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>I should mention that this happens whether or not I have <a href="https://[apimanLoadBalancer]/apimanui">https://[apimanLoadBalancer]</a> in the Root URL field for the Apimanui client, or whether or not I have <a href="https://[apimanLoadBalancer]/apimanui">https://[apimanLoadBalancer]/apimanui</a>/*
in the Valid Redirect URIs, or both. However, if they are present I no longer see the DEBUG line "replacing relative valid redirect with…"; I only see the WARN message with the failure.</div>
<div><br>
</div>
<div>Also, it appears that the URL encoding is a non-issue; at least, I see the URLs encoded properly in the browser URL bar even if the "inspect" formats them with slashes and colons.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>"<a href="mailto:pblair@clearme.com">pblair@clearme.com</a>" &lt;<a href="mailto:pblair@clearme.com">pblair@clearme.com</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tue, 5 Jan 2016 00:16:36 +0000<br>
<span style="font-weight:bold">To: </span>keycloak-user &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>[keycloak-user] "Invalid parameter: redirect_uri"<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>I am using Keycloak with the apiman API manager. Both are on AWS and are behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING). When I request the apiman admin UI page (<a href="https://[apimanLoadBalancer]/apimanui">https://[apimanLoadBalancer]/apimanui</a>),
I get redirected to the following URL:</div>
<div><br>
</div>
<div> <a href="https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=">
https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=</a><a href="https://[apimanLoadBalancer]/apimanui/index.html&state=3/c48eec70-0fe9-44bf-9802-a351353f7600&login=true">https://[apimanLoadBalancer]/apimanui/index.html&state=3/c48eec70-0fe9-44bf-9802-a351353f7600&login=true</a></div>
<div><br>
</div>
<div>Keycloak then displays the error "We're Sorry… Invalid parameter: redirect_uri"</div>
<div><br>
</div>
<div>In the Keycloak log I see:</div>
<div><br>
</div>
<div>
<div> DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-7) replacing relative valid redirect with:
<a href="https://[KeycloakLoadBalancer]/apimanui/*">https://[KeycloakLoadBalancer]/apimanui/*</a></div>
<div> WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP], error=invalid_redirect_uri, response_type=code, redirect_uri=<a href="https://[apimanLoadBalancer]/apimanui/index.html">https://[apimanLoadBalancer]/apimanui/index.html</a>,
response_mode=query</div>
</div>
<div><br>
</div>
<div>This looks to me as though Keycloak thinks that the redirect URI is a relative path. I also notice that the query string parameters for redirect_uri are not URL encoded by apiman. Would this be the source of the problem?</div>
</div>
</div>
_______________________________________________ keycloak-user mailing list <a href="mailto:keycloak-user@lists.jboss.org">
keycloak-user@lists.jboss.org</a> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">
https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></div>
</div>
</span>
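<div><br>
</div>
<div>The host-case mismatch reported at the top of this thread, as an added example that is not part of the original messages and is not Keycloak's code: a redirect-URI check that lowercases only the scheme and host (case-insensitive per RFC 3986) and keeps the path comparison exact. The function names and the "/*" prefix-pattern handling are assumptions made for this sketch; the two host spellings are the ones quoted in the thread.</div>

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def normalize(uri):
    """Split an absolute URI into (scheme, host, port, path).

    Scheme and host are lowercased because RFC 3986 defines them as
    case-insensitive; the path is left untouched because it is not.
    """
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        raise ValueError("redirect URI must be absolute")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not accepted in a redirect URI")
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, parts.hostname.lower(), port, parts.path or "/"

def redirect_allowed(requested, valid_patterns):
    """True if `requested` matches one registered pattern.

    A pattern is an exact URI or a URI ending in "/*" (path prefix).
    The query string of `requested` is not part of the comparison.
    """
    try:
        scheme, host, port, path = normalize(requested)
    except ValueError:
        return False
    if ".." in path.split("/"):  # dot segments could leave the prefix
        return False
    for pattern in valid_patterns:
        wildcard = pattern.endswith("/*")
        try:
            p_scheme, p_host, p_port, p_path = normalize(
                pattern[:-1] if wildcard else pattern)
        except ValueError:
            continue  # skip malformed registrations
        if (scheme, host, port) != (p_scheme, p_host, p_port):
            continue  # origin must match exactly after normalization
        if path == p_path or (wildcard and path.startswith(p_path)):
            return True
    return False

# Constructed sample: the two spellings of the host from the thread.
REGISTERED = ["https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/*"]
REQUESTED = "https://apimanloadbalancer.elb.amazonaws.com/apimanui/index.html"

if __name__ == "__main__":
    print(redirect_allowed(REQUESTED, REGISTERED))
```

<div>Normalizing the host does not relax the match elsewhere: a different path case, a longer host that merely starts with the registered name, or a different scheme is still rejected.</div>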
</body>
</html>