<div dir="ltr"><div style="font-size:12.8px">OK, I forgot to mention I used to have the Keycloak set to run on the root context. So I removed the root context mapping set the "standalone.xml" to "sso" and customized the nginx settings accordingly.<br><br></div><div style="font-size:12.8px">Now I am able to enter the admin/, although redirecting to the login form for the master realm ends with an error - "Invalid parameter: redirect_uri". Apparently the context path "sso/" is ignored by a security pattern.<br><br></div><div style="font-size:12.8px">Log dump:<br>2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-15) replacing relative valid redirect with: <a href="https://domain.foo/auth/admin/master/console/*" target="_blank">https://domain.foo/auth/admin/master/console/*</a><br>2016-01-13 17:06:21,876 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=<a href="https://domain.foo/sso/admin/master/console/" target="_blank">https://domain.foo/sso/admin/master/console/</a>, response_mode=fragment<br><br></div><div style="font-size:12.8px">Thanks</div></div><div id="DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><table style="border-top:1px solid #aaabb6;margin-top:30px">
        <tr>
                <td style="width:105px;padding-top:15px">
                        <a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail" target="_blank"><img src="https://ipmcdn.avast.com/images/logo-avast-v1.png" style="width: 90px; height:33px;"></a>
                </td>
                <td style="width:470px;padding-top:20px;color:#41424e;font-size:13px;font-family:Arial,Helvetica,sans-serif;line-height:18px">Tento email byl odeslán z počítače bez virů, chráněného programem Avast. <br><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail" target="_blank" style="color:#4453ea">www.avast.com</a>                 </td>
        </tr>
</table>
<a href="#DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"></a></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 13, 2016 at 2:44 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Looks like it may be a bug caused by context-path on the server being different than context-path on the reverse proxy. <div><br></div><div>Try setting web-context for urn:jboss:domain:keycloak-server:1.1 in standalone.xml to "sso". If that works please create a bug.</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 13 January 2016 at 14:27, Andy Yar <span dir="ltr"><<a href="mailto:andyyar66@gmail.com" target="_blank">andyyar66@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><div><div><div><div><div><span style="font-family:arial,helvetica,sans-serif">Hello,<br></span></div><span style="font-family:arial,helvetica,sans-serif">I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy (nginx). The WildFly is configured for proxying according to the Keycloak guide and the proxy sends the needed custom HTTP headers.<br><br></span></div><span style="font-family:arial,helvetica,sans-serif">I have a public SSL secured domain and nginx proxying requests to internal WildFly server. I would like to use URL: <a href="https://domain.foo/sso/" target="_blank">https://domain.foo/sso/</a> to access the Keycloak (internal WildFly). I guess the context path (sso/) is important here.<br><br></span></div><span style="font-family:arial,helvetica,sans-serif">Accessing the address I can reach the Keycloak default welcome page. However, a GET <a href="https://domain.foo/sso/admin" target="_blank">https://domain.foo/sso/admin</a> results in 302 to<code> <span style="font-family:arial,helvetica,sans-serif">Location:</span> </code></span><code><span style="font-family:arial,helvetica,sans-serif"><a href="https://domain.foo/admin/master/console/" target="_blank">https://domain.foo/admin/master/console/</a>. Obviously this redirect fails because its Location misses the needed context path (sso/). Adding the context path to a request manually results in a 200 but following resources fail to download because of the missing context path part of URL.<br><br></span></code></div><code><span style="font-family:arial,helvetica,sans-serif">Is my configuration wrong? Is there a way how the original base URL can be set? Is it even possible to have it behind a reverse proxy not running at root context? Is the origin detection broken?<br><br></span></code></div><code><span style="font-family:arial,helvetica,sans-serif">Thanks in advance<span><font color="#888888"><br></font></span></span></code></div><span><font color="#888888"><code><span style="font-family:arial,helvetica,sans-serif">Andy<br></span></code></font></span></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div>