Did you ever get the correct settings?
When I put nginx in front of keycloak, it generates access tokens tied to the nginx
server's IP instead of the browser's IP. This is apparent in the admin management
pages when you look up the active sessions.
The problem I'm having is there is a resource server that accepts bearer only tokens.
It uses a different server, and now fails the token validation check. Remove the nginx
servers and things work fine.
Any suggestions?
--Doug
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Kevin Thorpe <kevin.thorpe(a)p-i.net>
Sent: Friday, September 18, 2015 19:21
To: stian(a)redhat.com
Cc: keycloak-user
Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems
oh I see. I was copying the style of config from the developer who set up the test
Keycloak (assuming wrongly that he knew what he was doing). Setting it to the
actual site worked........ but now I have another problem :-(
Kevin Thorpe
CTO
[
X]<https://www.p-i.net/> [X] <
https://twitter.com/@PI_150>
www.p-i.net<http://www.p-i.net/> | @PI_150<https://twitter.com/@PI_150>
M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
150 Buckingham Palace Road, London, SW1W 9TR, UK
[
https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/8102853...]
[
https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/1...]
[
https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bd...]
[
https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7...]
_____________________________
This email and any files transmitted with it are confidential and intended solely for the
use of the individual or entity to whom they are addressed. If you have received this
email in error please notify the system manager. This message contains confidential
information and is intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail. Please notify the
sender immediately by e-mail if you have received this e-mail by mistake and delete this
e-mail from your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the contents of this
information is strictly prohibited.
"SAVE PAPER - THINK BEFORE YOU PRINT!"
On 18 September 2015 at 11:59, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
The * can only be on the end of the valid redirect uri. So you need to specify
'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being
a good idea obviously.
On 18 September 2015 at 12:42, Kevin Thorpe
<kevin.thorpe@p-i.net<mailto:kevin.thorpe@p-i.net>> wrote:
Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how
to
avoid the invalid parameter: redirect_uri problem.
Website is
https://my-client.pibenchmark.com
In nginx:
location /auth {
proxy_pass
https://auth-service;
}
upstream auth-service {
server my-keycloak:8443;
}
Then in Keycloak I have valid redirect URIs set to
https://*.pibenchmark.com/*<http://pibenchmark.com/*> ie my whole domain. Still
getting invalid parameter: redirect_uri though.
What am I doing wrong? Can I do this this way? I like to have one point of contact with
the internet for security reasons.
Kevin Thorpe
CTO, PI Limited
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user