unsubscribe
> On Oct 5, 2018, at 2:26 PM, keycloak-user-request(a)lists.jboss.org wrote:
>
> Send keycloak-user mailing list submissions to
> keycloak-user(a)lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> keycloak-user-request(a)lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-user-owner(a)lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
> 1. Re: Keycloak invalid redirect_uri with port 0? (Sebastien Blanc)
> 2. Re: Too many redirects with remember me checked (Amritha Amarnath)
> 3. Custom password policy - i18n messages (Lukasz Lech)
> 4. Re: Keycloak invalid redirect_uri with port 0? (Dean Poulin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 5 Oct 2018 11:37:29 +0200
> From: Sebastien Blanc <sblanc(a)redhat.com>
> Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port
> 0?
> To: dean(a)edgewoodsoftware.com
> Cc: keycloak userlist <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <CAMZCGg-L5cCCnsR_9TkkxAD5DJRyrgZc=Lo7b1rFMOCFJ7M2JA(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> TBH no idea if it helps in your case, but there is a config property called
> "redirect-rewrite-rules" that may help you:
>
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...
>
>
> On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean(a)edgewoodsoftware.com> wrote:
>
>> Hi,
>>
>> I've tried a couple things in that comment so far:
>>
>> 1) Verified I'm sending through the headers and the spring boot app is
>> receiving the headers:
>>
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05
>> 05:15:27.576 INFO 25117 --- [nio-8042-exec-2]
>> a.c.u.server.controller.IndexController : host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-real-ip=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-for=1.2.3.4
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-proto=https
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-host=www.example.com
>> Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-port=443
>>
>> I tried setting the spring boot keycloak config setting:
>>
>> keycloak.ssl-required = none
>>
>> That did remove the port 0 in the redirect_uri being generated but it also
>> set the redirect uri to be http instead of https, which seems like it'd be
>> bad. I do have nginx set to redirect all http requests to https anyway.
>>
>> Is there something else I need to do to get the spring boot app to
>> generate the correct redirect_uri with https? There must be like some magic
>> config setting I've missed somewhere. I'll keep digging and share what I
>> find.
>>
>> Thanks,
>>
>> Dean Poulin
>> Owner & Principal Software Engineer
>> edgewood software
>> email: dean(a)edgewoodsoftware.com
>>
>>
>> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>
>> Hi,
>>
>> We have a ticket concerning the 0 added as port:
>>
>> https://issues.jboss.org/browse/KEYCLOAK-7237
>>
>> but we still need to plan it to work on it. But look at the comments, looks
>> like there are some workarounds for now (the last comment).
>>
>> Sebi
>>
>>
>> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com> wrote:
>>
>>> Hi everyone,
>>>
>>> First email to the group here. I've been heavily underway implementing
>>> Keycloak for my app's auth needs and very impressed with the product. I've
>>> delayed emailing the group until I've spent hours of time trying to figure
>>> out this weird issue I'm experiencing. This might not be the best place to
>>> post this, but figured I'd start here.
>>>
>>> For some reason, when I visit my spring boot webapp that's protected by
>>> keycloak it's redirecting to keycloak as expected but the redirect_uri is
>>> being set with a port of 0 which is causing me to get an error on the
>>> keycloak login page saying "invalid redirect_uri."
>>>
>>> I've googled this and I've found some people having similar issues, but
>>> couldn't find solutions (e.g.
>>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... ).
>>>
>>> My prod/test environment uses an nginx reverse proxy in front of my apps.
>>>
>>> I followed these steps:
>>> https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
>>>
>>> The url that was throwing that error looked like this (see the port of 0
>>> in the url):
>>>
>>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
>>> %3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
>>>
>>> The keycloak logs contained this error for the above url:
>>>
>>> Oct 05 02:39:40 sso01.example.com standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default
>>> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null,
>>> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/sso/login
>>>
>>> As you can see for some reason the redirect_uri is being set with a port
>>> of 0.
>>>
>>> I put in the url with port 0 (https://www.example.com:0/sso/login) into the keycloak client config
>>> under Valid Redirect URIs and that removed the invalid redirect_url issue
>>> and the login page was now rendering without an error.
>>>
>>> However, when the redirect is performed after login, the browser gets
>>> screwed up with having port 0 in there. Google Chrome has this error:
>>>
>>> This site can't be reached
>>> The webpage at
>>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
>>> might be temporarily down or it may have moved permanently to a new web
>>> address.
>>> ERR_ADDRESS_INVALID
>>>
>>> Here's my architecture:
>>>
>>> USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8042*
>>> -> SPRING BOOT APP (v2.0.5.RELEASE)
>>>
>>> USER -> *HTTPS Standard Port 443* -> NGINX -> *HTTP Port 8080*
>>> -> KEYCLOAK SERVER (v4.4.0.Final)
>>>
>>> Spring Boot App:
>>>
>>> <dependency>
>>> <groupId>org.keycloak.bom</groupId>
>>> <artifactId>keycloak-adapter-bom</artifactId>
>>> <version>4.4.0.Final</version>
>>> <type>pom</type>
>>> <scope>import</scope>
>>> </dependency>
>>>
>>> ...
>>>
>>> <dependency>
>>> <groupId>org.keycloak</groupId>
>>> <artifactId>keycloak-spring-boot-starter</artifactId>
>>> </dependency>
>>>
>>> Config yaml:
>>>
>>> keycloak:
>>>   auth-server-url: https://sso.example.com/auth
>>>   realm: my-app
>>>   public-client: true
>>>   resource: my-client
>>>   ssl-required: external
>>>
>>>
>>>
>>> Nginx is configured as a reverse proxy with these settings for the spring
>>> boot app:
>>>
>>> upstream app {
>>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
>>> }
>>>
>>> server {
>>> listen 443;
>>> server_name www.example.com;
>>>
>>> ...
>>>
>>> location / {
>>> proxy_set_header Host $host;
>>> proxy_set_header X-Real-IP $remote_addr;
>>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>> proxy_set_header X-Forwarded-Proto $scheme;
>>> proxy_set_header X-Forwarded-Host $host;
>>> proxy_set_header X-Forwarded-Port 443;
>>>
>>> proxy_next_upstream error timeout invalid_header http_500;
>>> proxy_connect_timeout 2;
>>>
>>> proxy_pass http://app;
>>> }
>>> }
>>>
>>> Nginx is configured as a reverse proxy with these settings for the
>>> keycloak server:
>>>
>>>
>>> upstream sso {
>>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
>>> }
>>>
>>> server {
>>> listen 443;
>>> server_name sso.example.com;
>>>
>>> ...
>>>
>>> location / {
>>> proxy_set_header Host $host;
>>> proxy_set_header X-Real-IP $remote_addr;
>>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>> proxy_set_header X-Forwarded-Proto $scheme;
>>> proxy_set_header X-Forwarded-Host $host;
>>> proxy_set_header X-Forwarded-Port 443;
>>> proxy_next_upstream error timeout invalid_header http_500;
>>> proxy_connect_timeout 2;
>>>
>>> proxy_pass http://sso;
>>> }
>>> }
>>>
>>> My keycloak configuration for standalone.xml has these settings:
>>>
>>> Undertow config:
>>>
>>> <server name="default-server">
>>> <http-listener name="default" socket-binding="http"
>>> redirect-socket="proxy-https" enable-http2="true"
>>> proxy-address-forwarding="true"/>
>>> <https-listener name="https" socket-binding="https"
>>> security-realm="ApplicationRealm" enable-http2="true"/>
>>> <host name="default-host" alias="localhost">
>>> <http-invoker security-realm="ApplicationRealm"/>
>>> </host>
>>> </server>
>>>
>>> ...
>>>
>>> Socket Bindings:
>>>
>>> <socket-binding-group name="standard-sockets" default-interface="public"
>>> port-offset="${jboss.socket.binding.port-offset:0}">
>>> <socket-binding name="management-http" interface="management"
>>> port="${jboss.management.http.port:9990}"/>
>>> <socket-binding name="management-https" interface="management"
>>> port="${jboss.management.https.port:9993}"/>
>>> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>> <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>> <socket-binding name="proxy-https" port="443"/>
>>> <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>> <socket-binding name="txn-recovery-environment" port="4712"/>
>>> <socket-binding name="txn-status-manager" port="4713"/>
>>> <outbound-socket-binding name="mail-smtp">
>>> <remote-destination host="localhost" port="25"/>
>>> </outbound-socket-binding>
>>> </socket-binding-group>
>>>
>>>
>>>
>>>
>>>
>>> Thanks for your help, I must have missed something somewhere. I just
>>> can't for the life of me find out where that port 0 is coming from.
>>>
>>>
>>> Dean Poulin
>>> Owner & Principal Software Engineer
>>> edgewood software
>>> email: dean(a)edgewoodsoftware.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 5 Oct 2018 15:45:30 +0530 (GMT+05:30)
> From: Amritha Amarnath <amritha_amarnath(a)amritatech.com>
> Subject: Re: [keycloak-user] Too many redirects with remember me
> checked
> To: Martin Kanis <mkanis(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Message-ID:
> <3312779.577271538734530914.JavaMail.root(a)atmail.amritatech.com>
> Content-Type: text/plain; charset="utf-8"
>
>
> Hello ,
>
>
>
> Application is using keycloak-4.1.0.Final. For keycloak log please find attachment.
>
>
>
> --
> With Regards,
> Amms
>
>
>
> ----- Original Message -----
> From: "Martin Kanis" <mkanis(a)redhat.com>
> To: "amritha amarnath" <amritha_amarnath(a)amritatech.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi
> Subject: Re: [keycloak-user] Too many redirects with remember me checked
>
>
> Hello,
>
>
> what version of Keycloak do you have? Can you provide a Keycloak log?
>
>
> Regards,
> Martin
>
>
> On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath <amritha_amarnath(a)amritatech.com> wrote:
>
>
>
>
>
> Hello,
>
>
> My application has been deployed in Wildfly 11 and is integrated with standalone
> Keycloak and works fine. But the issue is, when the application is logged in with the
> Remember-me checkbox checked, it's showing too many redirects when I restart the browser,
> even though the user session is valid. It leads to logging out my application session manually
> from the keycloak admin console.
>
> Wildfly log says: Account was not in session, returning null , there was no code
>
>
> Once the user session also gets expired, it's showing the login page with pre-filled
> username and remember-me checked as expected.
>
>
> I am new to keycloak. So any idea regarding too many redirects with remember-me
> checked?
>
> --
> With Regards,
> Amms
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
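The port-0 redirect_uri and the invalid_redirect_uri rejection in Message 1 come down to two steps: how an app behind a reverse proxy rebuilds its public URL from the X-Forwarded-* headers nginx sets, and how that URL is then matched against the client's Valid Redirect URIs. The Python below is an added example, not code from the thread, from Keycloak or from the Spring Boot adapter; the header values are constructed, and the sanity checks and the allowlist matching are simplified assumptions written for this illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample headers, modelled on the X-Forwarded-* values nginx sets in
# the thread (hypothetical values; the app itself listens on plain HTTP port 8042).
FORWARDED_OK = {"x-forwarded-proto": "https", "x-forwarded-host": "www.example.com",
                "x-forwarded-port": "443"}
FORWARDED_PORT0 = dict(FORWARDED_OK, **{"x-forwarded-port": "0"})


def external_url(headers, path, naive=False):
    """Rebuild the browser-facing URL from the proxy's forwarding headers.

    naive=True copies whatever port value arrives straight into the URL, which
    reproduces the thread's symptom ("https://www.example.com:0/sso/login").
    The hardened branch treats a missing, non-numeric or zero port as "use the
    scheme default" and omits default ports, giving a valid, matchable URL.
    """
    scheme = headers.get("x-forwarded-proto", "http").lower()
    host = headers.get("x-forwarded-host", "localhost")
    raw = headers.get("x-forwarded-port", "")
    if naive:
        return f"{scheme}://{host}:{int(raw or 0)}{path}"
    port = int(raw) if raw.isdigit() and int(raw) > 0 else DEFAULT_PORTS[scheme]
    authority = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def redirect_uri_problems(uri, expected_scheme="https"):
    """Sanity checks on a redirect_uri before it is sent or registered as a Valid
    Redirect URI (checks assumed for this example, not Keycloak's own logic)."""
    parts = urlsplit(uri)
    problems = []
    if parts.port == 0:
        problems.append("port 0 is not routable (browser reports ERR_ADDRESS_INVALID)")
    if parts.scheme != expected_scheme:
        problems.append(f"scheme is {parts.scheme}, expected {expected_scheme}: "
                        "X-Forwarded-Proto from the proxy was not honoured")
    return problems


def redirect_uri_allowed(uri, valid_redirect_uris):
    """Allowlist match in the style of Valid Redirect URIs: exact match, or prefix
    match when the entry ends in '*'. Host and port take part in the comparison."""
    for entry in valid_redirect_uris:
        if uri == entry or (entry.endswith("*") and uri.startswith(entry[:-1])):
            return True
    return False
```

Registering the literal `https://www.example.com:0/sso/login` as a Valid Redirect URI, as the thread tried, makes the allowlist check pass but leaves the port-0 problem in place, which is why the browser then fails with ERR_ADDRESS_INVALID; the fix belongs in the URL reconstruction, not in the allowlist.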