Re: [keycloak-user] "Invalid parameter: redirect_uri"

Figured it out - it's a case-sensitivity issue: https://ApimanLoadBalancer.elb.amazonaws.com/apimanui<https://[apimanL... Fails to match https://apimanloadbalancer.elb.amazonaws.com/apimanui<https://apimanlo... I believe subdomains are case-insensitive. Should I raise an issue on this? From: "pblair@clearme.com<mailto:pblair@clearme.com>" <pblair@clearme.com<mailto:pblair@clearme.com>> Date: Mon, 4 Jan 2016 19:32:54 -0500 To: "pblair@clearme.com<mailto:pblair@clearme.com>" <pblair@clearme.com<mailto:pblair@clearme.com>>, keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: Re: [keycloak-user] "Invalid parameter: redirect_uri" I should mention that this happens whether or not I have https://[apimanLoadBalancer]<https://[apimanLoadBalancer]/apimanui> in the Root URL field for the Apimanui client, or whether or not I have https://[apimanLoadBalancer]/apimanui/* in the Valid Redirect URIs, or both. However, if they are present I no longer see the DEBUG line "replacing relative valid redirect with..."; I only see the WARN message with the failure. Also, it appears that the URL encoding is a non-issue; at least, I see the URLs encoded properly in the browser URL bar even if the "inspect" formats them with slashes and colons. From: "pblair@clearme.com<mailto:pblair@clearme.com>" <pblair@clearme.com<mailto:pblair@clearme.com>> Date: Tue, 5 Jan 2016 00:16:36 +0000 To: keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: [keycloak-user] "Invalid parameter: redirect_uri" I am using Keycloak with the apiman API manager. Both are on AWS and are behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING). When I request the apiman admin UI page (https://[apimanLoadBalancer]/apimanui), I get redirected to the following URL: https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect... Keycloak then displays the error "We're Sorry... Invalid parameter: redirect_uri" In the Keycloak log I see: DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-7) replacing relative valid redirect with: https://[KeycloakLoadBalancer]/apimanui/* WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP], error=invalid_redirect_uri, response_type=code, redirect_uri=https://[apimanLoadBalancer]/apimanui/index.html, response_mode=query This looks to me as though Keycloak thinks that the redirect URI is a relative path. I also notice that the query string parameters for redirect_uri are not URL encoded by apiman. Would this be the source of the problem? _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user