<div dir="ltr"><div><div>Oh, I am sorry. I have overlooked the notice about the need of changing the root context manually in docs. The deployed Keycloak seems to be working smoothly now.<br><br></div>I shall create issues for both problems I encountered.<br><br></div>Thanks a lot for your support.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 13, 2016 at 7:24 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The clients are created with the initial context path. If you change the context path you currently have to manually go to the admin console and change it first. Both issues you've encountered are not ideal and you can create jira issues for those.<div><div class="h5"><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 13 January 2016 at 17:18, Andy Yar <span dir="ltr"><<a href="mailto:andyyar66@gmail.com" target="_blank">andyyar66@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>OK, I forgot to mention I used to have the Keycloak set to run on the root context. So I removed the root context mapping set the "standalone.xml" to "sso" and customized the nginx settings accordingly.<br><br></div><div>Now I am able to enter the admin/, although redirecting to the login form for the master realm ends with an error - "Invalid parameter: redirect_uri". Apparently the context path "sso/" is ignored by a security pattern.<br><br></div><div>Log dump:<br>2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-15) replacing relative valid redirect with: <a href="https://domain.foo/auth/admin/master/console/*" target="_blank">https://domain.foo/auth/admin/master/console/*</a><br>2016-01-13 17:06:21,876 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=<a href="https://domain.foo/sso/admin/master/console/" target="_blank">https://domain.foo/sso/admin/master/console/</a>, response_mode=fragment<br><br></div><div>Thanks<br></div><div><br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 13, 2016 at 2:44 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Looks like it may be a bug caused by context-path on the server being different than context-path on the reverse proxy. <div><br></div><div>Try setting web-context for urn:jboss:domain:keycloak-server:1.1 in standalone.xml to "sso". If that works please create a bug.</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On 13 January 2016 at 14:27, Andy Yar <span dir="ltr"><<a href="mailto:andyyar66@gmail.com" target="_blank">andyyar66@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"><div><div><div><div><div><div><span style="font-family:arial,helvetica,sans-serif">Hello,<br></span></div><span style="font-family:arial,helvetica,sans-serif">I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy (nginx). The WildFly is configured for proxying according to the Keycloak guide and the proxy sends the needed custom HTTP headers.<br><br></span></div><span style="font-family:arial,helvetica,sans-serif">I have a public SSL secured domain and nginx proxying requests to internal WildFly server. I would like to use URL: <a href="https://domain.foo/sso/" target="_blank">https://domain.foo/sso/</a> to access the Keycloak (internal WildFly). I guess the context path (sso/) is important here.<br><br></span></div><span style="font-family:arial,helvetica,sans-serif">Accessing the address I can reach the Keycloak default welcome page. However, a GET <a href="https://domain.foo/sso/admin" target="_blank">https://domain.foo/sso/admin</a> results in 302 to<code> <span style="font-family:arial,helvetica,sans-serif">Location:</span> </code></span><code><span style="font-family:arial,helvetica,sans-serif"><a href="https://domain.foo/admin/master/console/" target="_blank">https://domain.foo/admin/master/console/</a>. Obviously this redirect fails because its Location misses the needed context path (sso/). Adding the context path to a request manually results in a 200 but following resources fail to download because of the missing context path part of URL.<br><br></span></code></div><code><span style="font-family:arial,helvetica,sans-serif">Is my configuration wrong? Is there a way how the original base URL can be set? Is it even possible to have it behind a reverse proxy not running at root context? Is the origin detection broken?<br><br></span></code></div><code><span style="font-family:arial,helvetica,sans-serif">Thanks in advance<span><font color="#888888"><br></font></span></span></code></div><span><font color="#888888"><code><span style="font-family:arial,helvetica,sans-serif">Andy<br></span></code></font></span></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div></div></div></div>
</blockquote></div><br></div>