<div dir="ltr">Thanks for pointing me in the right direction. I have already had the Wildfly side set up correctly. However, the Tomcats hosting the client apps were not aware of being behind the proxy. Everything works smoothly after adding the following settings to my Tomcat&#39;s Connector in server.xml.<br><pre class="">proxyName=&quot;proxyhostname.com&quot; proxyPort=&quot;443&quot; scheme=&quot;https&quot;</pre></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 20, 2016 at 12:26 AM, Scott Rossillo <span dir="ltr">&lt;<a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">It seems Wildfly isn’t aware of the fact that Nginx is handling secure connections.<div><br></div><div>Take a look at these posts:</div><div><br></div><div><a href="http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html</a></div><div><a href="http://lists.jboss.org/pipermail/keycloak-user/2015-September/003104.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2015-September/003104.html</a></div><div><br></div><div><br><div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Scott Rossillo</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Smartling | Senior Software Engineer</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="mailto:srossillo@smartling.com" target="_blank">srossillo@smartling.com</a></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
</div>
</div></div><br><div><blockquote type="cite"><div><div class="h5"><div>On Feb 19, 2016, at 10:56 AM, Andy Yar &lt;<a href="mailto:andyyar66@gmail.com" target="_blank">andyyar66@gmail.com</a>&gt; wrote:</div><br></div></div><div><div><div class="h5"><div dir="ltr"><div><div><div><div><div><div><div>Howdy,<br></div>I use 1.8.0-Final integrated with Spring Security (which itself is integrated into Grails) using the OpenID Connect method. The Keycloak and all integrated apps run behind an nginx SSL reverse proxy. Realm&#39;s SSL is set to: &quot;ssl-required&quot;: &quot;external&quot;.<br><br></div>My issue is related to the initial &quot;redirect_uri&quot; generation. <br><br></div>When I&#39;m logged out and try to access a protected resource via an HTTPS request, I receive a 302 response with a Location URL starting with the plain HTTP scheme. Apparently the Location goes to the &quot;redirect_uri&quot; attribute and therefore it tries to redirect me back here after a successful login.<br><br></div>Of course, it is possible to add both HTTP and HTTPS schemas as allowed redirect URI patterns. However, the application&#39;s security gets lowered by that plain HTTP redirect...<br><br></div>Is there any easy solution for non-SSL Keycloak/apps running behind an SSL reverse proxy? I haven&#39;t looked into the source code but it seems like a plain redirect which wouldn&#39;t be schema-aware.<br><br></div>Thanks in advance!<br></div>Andy<br></div></div></div>
</div></blockquote></div><br></div></div></blockquote></div><br></div>
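<div>The symptom and the fix discussed in this thread can be checked from outside the proxy. The following is an added example, not code from the thread's participants or from the Keycloak project: it compares the redirect_uri inside a login redirect's Location header with the proxyName, proxyPort and scheme values from the reply above. The sample headers, the realm name demo, the client_id app, the /app/sso/login path and the app-backend host are constructed assumptions.</div>

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample Location headers. The realm "demo", client "app", the
# callback path and the host "app-backend" are assumptions, not thread values.
AUTH = "https://proxyhostname.com/auth/realms/demo/protocol/openid-connect/auth"
QUERY = "?response_type=code&client_id=app&redirect_uri="
BEFORE = AUTH + QUERY + "http%3A%2F%2Fproxyhostname.com%2Fapp%2Fsso%2Flogin"
AFTER = AUTH + QUERY + "https%3A%2F%2Fproxyhostname.com%2Fapp%2Fsso%2Flogin"
LEAK = AUTH + QUERY + "http%3A%2F%2Fapp-backend%3A8080%2Fapp%2Fsso%2Flogin"


def audit_redirect_uri(location, proxy_name, proxy_port=443, scheme="https"):
    """Return the mismatches between redirect_uri and the public endpoint."""
    values = parse_qs(urlsplit(location).query).get("redirect_uri", [])
    if len(values) != 1:
        # A missing or duplicated parameter cannot be audited reliably.
        return ["expected exactly one redirect_uri, found %d" % len(values)]
    uri = urlsplit(values[0])
    problems = []
    if uri.scheme != scheme:
        problems.append("scheme is %r, expected %r" % (uri.scheme, scheme))
    if uri.hostname != proxy_name:
        problems.append("host is %r, expected %r" % (uri.hostname, proxy_name))
    # Only an explicit port is flagged; an absent port follows the scheme,
    # which is already checked above.
    if uri.port not in (None, proxy_port):
        problems.append("port is %r, expected %r" % (uri.port, proxy_port))
    return problems


if __name__ == "__main__":
    samples = (("before", BEFORE), ("after", AFTER), ("backend leak", LEAK))
    for label, header in samples:
        found = audit_redirect_uri(header, "proxyhostname.com")
        print(label, "->", found or "ok")
```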