<div dir="ltr">Ended up figuring this out, just to save whatever poor soul has to go down the same/similar path here's what I did. I'm curious why I didn't get any errors when running keycloak with debug logging turned on as this must be some kind of host re-write problem with wildfly/keycloak. <br><div><br></div><div>First the only configuration I had to set in standalone.xml was (I removed all the other custom configurations I had in place the rest is the vanilla standalone.xml )</div><div><font face="monospace, monospace" size="1"><http-listener name="http-default" socket-binding="http" redirect-socket="https" </font><span style="background-color:rgb(255,255,0)"><span style="font-family:monospace,monospace;font-size:x-small">proxy-address-forwarding="</span><font color="#ff0000" style="font-family:monospace,monospace;font-size:x-small">true</font><span style="font-family:monospace,monospace;font-size:x-small">"</span></span><span style="font-family:monospace,monospace;font-size:x-small">/></span><br></div><div><span style="font-family:monospace,monospace;font-size:x-small"><br></span></div><div><span style="font-family:monospace,monospace;font-size:x-small">Wildfly10 Docs for this: </span><font face="monospace, monospace" size="1"><a href="https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration">https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration</a></font></div><div><span style="font-family:monospace,monospace;font-size:x-small"><br></span></div><div><font face="arial, helvetica, sans-serif">Nginx configuration:</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><div>server {</div><div> listen 80;</div><div> server_name <a href="http://keycloak_testing.leveldatadevelopment.com">keycloak_testing.leveldatadevelopment.com</a>;</div><div> return 301 https://$host$request_uri;</div><div>}</div><div><br></div><div>server {</div><div> listen 443 ssl;</div><div> server_name <a href="http://keycloak_testing.leveldatadevelopment.com">keycloak_testing.leveldatadevelopment.com</a>;</div><div><br></div><div> ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;</div><div> ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;</div><div><br></div><div> location / {</div><div> proxy_set_header <b>Host $host</b>;</div><div> proxy_set_header X-Real-IP $remote_addr; #<b>Not sure this is needed for wildfly/keycloak</b></div><div> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</div><div> proxy_set_header X-Forwarded-Proto $scheme;</div><div> proxy_redirect http:// https://;</div><div><br></div><div> proxy_pass <a href="http://0.0.0.0:8080">http://0.0.0.0:8080</a>;</div><div> }</div><div>}</div><div><br></div><div><br></div><div>Note the Host different, with Host $host:$server_port; I receive a white page when logging into the admin URL. <b>Why would this happen</b>? Only mention of the host header I could find in the wildFly documentation is <a href="https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration">https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration</a></div><div><br></div><div><br></div><div>Also to get past the invalid_redirect_uri issue, </div><div><br></div><div><ol><li>Run keycloak locally</li><li>Go to the Clients settings in the Master Realm</li><li>Click edit on the security-admin-console client id (You may also have to do this with the account client ID I'm not certain)</li><li>Add valid redirect URI's for your new domain, for example <a href="https://website.com/*">https://website.com/*</a> (Docs tell you to be as limited as possible with these so in production limit down your redirect URI's as much as possible)</li></ol><div>Hope this helps someone in the future! What do you think? Should this be added to the documentation somewhere or should some kind of error be thrown in this circumstance? I'm not certain if it's Wildfly or keycloak causing this to happen I didn't dig quite hard enough to find out :( </div></div><div><br></div><div><br></div><div><br></div></font></div><div><span style="font-family:monospace,monospace;font-size:x-small"><br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <span dir="ltr"><<a href="mailto:derek.visch@gmail.com" target="_blank">derek.visch@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr">Trying to setup reverse SSL for keycloak. Having issues finding documentation about this, it's mentioned in <a href="https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html" target="_blank">https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html</a> but the extra detail that's supposed to be in <a href="https://keycloak.gitbooks.io/server-adminstration-guide/content/" target="_blank">https://keycloak.gitbooks.io/server-adminstration-guide/content/</a> I could not find in regards to reverse SSL proxys.<div><br></div><div>Regardless I ended up following <a href="http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html</a> </div><div><br></div><div>From that previous mailling list post:<br><br></div><div><pre style="color:rgb(0,0,0)">Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
...
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="proxy-https" port="443"/>
...
</socket-binding-group></pre></div><div><br></div><div><br></div><div>but now when I go to log on to the admin console I get "We're sorry ... Invalid aparameter: redirect uri". </div><div><br></div><div><br></div><div><br></div><div>Tried stack overflow / google / IRC. No luck so far. </div><div><br></div><div>Any help would be appreciated :D</div><div><br></div><div>Thanks</div><div><br></div><div><br><div><div dir="ltr"><div><div dir="ltr"></div></div></div></div>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><p style="color:rgb(0,0,0);font-family:"times new roman";font-size:medium"><b>Derek Visch</b> / Software Developer / Network Technician <br><a href="mailto:bipema@leveldata.com" target="_blank">dvisch@leveldata.com</a> / Direct: 269-488-2037</p><p style="color:rgb(0,0,0);font-family:"times new roman";font-size:medium"><b>Level Data Inc.</b> <br>Office: 866.511.3282 <br>4787 Campus Dr. | Kalamazoo, MI 49008 <br><a href="http://www.leveldata.com/" target="_blank">http://www.leveldata.com</a></p></div></div></div></div>
</div></div>