I also use KeyCloak Proxy, pointing to many port numbers that would blow up if they were
included in redirect URLs. I haven't had any problems, so I'm thinking this may be
an issue with your proxy configuration file. Can you share what that looks like?
Architect, Red Hat Consulting
----- Original Message -----
We have the following set up with two DMZ boxes, one running a single
KeyCloak security proxy and sending requests to a local NGINX proxy
which farms out requests to internal applications. This should allow us
to maintain a single namespace for all applications (<hostname>/appname
redirects to appname.local) and gives authenticated visibility of who's
accessing what at the front end proxy.
DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various
Keycloak runs on its own server and is published via an NGINX proxy in
DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
and then after logging in, we get an "invalid Redirect URI" error from
Keycloak. We've found that for some reason, the redirect URL from
KeyCloak is appending the :8080 port value from the KeyCloak Security
proxy (verified as if we change this port number, the value changes in
the redirect URL). It's like KeyCloak is redirecting back to the
NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
which is what we were expecting. This is possibly by design, or
possibly a bug, or possibly a side effect of our configuration.
Has anyone tried using the KeyCloak security proxy in this manner? It's
clear that the intended use is as a single instance adapter for a single
local application, whereas our application happens to be an nginx proxy
redirecting to different applications using location directives.
keycloak-user mailing list