I got it working but as you've seen only if everyone contacts the Nginx IP. If the back end servers contact Keycloak directly then the validation fails because the token was issued by 'a different server'.

I want to do the same thing as well. I want the front-end of our application to authenticate against the public address, then all the back end servers running in Docker contact the Keycloak docker container directly. The way I have it now I'm generating a lot of traffic between the Docker (actually Rancher) LAN and the external LAN.

I think we need a concept of service aliases so that a token issued by https://my-public-name:443 would still be accepted by http://keycloak:8080 (as long as it was indeed issued by that server under a different alias).
*Kevin Thorpe*
CTO
www.p-i.net <https://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44 (0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK
_____________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.
*"SAVE PAPER - THINK BEFORE YOU PRINT!" *
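As an added illustration, not code from the thread or from Keycloak: a bearer-only resource server compares the token's `iss` claim with the realm URL it knows, so a token minted through the public Nginx name fails against the internal `http://keycloak:8080` address, which is the failure described above. The Python below uses a constructed token and hypothetical realm URLs (`my-public-name`, `keycloak:8080`, realm `demo`) to show the strict check beside an explicit allow-list of issuer aliases for the same realm, the "service alias" idea Kevin proposes.

```python
import base64
import json
from urllib.parse import urlsplit


def b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (JWT segment style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token minted through the public Nginx name. The third
# segment is a placeholder, not a real signature: Keycloak signs with RS256 and
# the signature must still be verified before any claim below is trusted.
SAMPLE_TOKEN = ".".join([
    b64url({"alg": "RS256", "typ": "JWT"}),
    b64url({"iss": "https://my-public-name:443/auth/realms/demo",
            "sub": "user-1", "azp": "backend"}),
    "c2lnbmF0dXJl",
])

# Hypothetical realm URLs as seen from the internet and from the Docker LAN.
PUBLIC_REALM = "https://my-public-name/auth/realms/demo"
INTERNAL_REALM = "http://keycloak:8080/auth/realms/demo"


def issuer_of(token: str) -> str:
    """Return the iss claim of a compact JWT (claims only, no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def canonical(url: str) -> str:
    """Lower-case scheme and host, drop default ports and trailing slashes so
    'https://host:443/x' and 'https://host/x' compare equal."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}[scheme]:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path.rstrip('/')}"


def issuer_accepted(token: str, accepted_issuers: set) -> bool:
    """Strict issuer check generalised to an allow-list of aliases that all
    name the same realm (the 'service alias' idea from the thread)."""
    return canonical(issuer_of(token)) in {canonical(i) for i in accepted_issuers}
```

With only the internal URL configured the check rejects the token exactly as the back end servers do; listing both aliases accepts it while still rejecting any issuer outside the allow-list.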
On 24 September 2015 at 02:38, Doug Szeto <DSzeto(a)investlab.com> wrote:
Did you ever get the correct settings?
When I put nginx in front of keycloak, it generates access tokens tied to
the nginx server's IP instead of the browser's IP. This is apparent in the
admin management pages when you look up the active sessions.
The problem I'm having is there is a resource server that accepts bearer
only tokens. It uses a different server, and now fails the token validation
check. Remove the nginx servers and things work fine.
Any suggestions?
--Doug
------------------------------
*From:* keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> on behalf of Kevin Thorpe <kevin.thorpe(a)p-i.net>
*Sent:* Friday, September 18, 2015 19:21
*To:* stian(a)redhat.com
*Cc:* keycloak-user
*Subject:* Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
Oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked... but now I have another problem :-(
*Kevin Thorpe*
CTO
On 18 September 2015 at 11:59, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> The * can only be on the end of the valid redirect uri. So you need to
> specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter
> not being a good idea obviously.
>
> On 18 September 2015 at 12:42, Kevin Thorpe <kevin.thorpe(a)p-i.net> wrote:
>
>> Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't
>> work out how to avoid the invalid parameter: redirect_uri problem.
>>
>> Website is https://my-client.pibenchmark.com
>>
>> In nginx:
>>
>>     location /auth {
>>         proxy_pass https://auth-service;
>>     }
>>
>>     upstream auth-service {
>>         server my-keycloak:8443;
>>     }
>>
>> Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/*
>> ie my whole domain. Still getting invalid parameter: redirect_uri though.
>>
>> What am I doing wrong? Can I do this this way? I like to have one point
>> of contact with the internet for security reasons.
>>
>>
>> *Kevin Thorpe *
>> CTO, PI Limited
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>