unsubscribe > On Oct 5, 2018, at 2:26 PM, keycloak-user-request(a)lists.jboss.org wrote: > > Send keycloak-user mailing list submissions to > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> > or, via email, send a message with subject or body 'help' to > keycloak-user-request(a)lists.jboss.org <mailto:keycloak-user-request@lists.jboss.org> > > You can reach the person managing the list at > keycloak-user-owner(a)lists.jboss.org <mailto:keycloak-user-owner@lists.jboss.org> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Re: Keycloak invalid redirect_uri with port 0? (Sebastien Blanc) > 2. Re: Too many redirects with remember me checked (Amritha Amarnath) > 3. Custom password policy - i18n messages (Lukasz Lech) > 4. Re: Keycloak invalid redirect_uri with port 0? (Dean Poulin) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 5 Oct 2018 11:37:29 +0200 > From: Sebastien Blanc <sblanc(a)redhat.com <mailto:sblanc@redhat.com>> > Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port > 0? > To: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com> > Cc: keycloak userlist <keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>> > Message-ID: > <CAMZCGg-L5cCCnsR_9TkkxAD5DJRyrgZc=Lo7b1rFMOCFJ7M2JA(a)mail.gmail.com <mailto:CAMZCGg-L5cCCnsR_9TkkxAD5DJRyrgZc=Lo7b1rFMOCFJ7M2JA@mail.gmail.com>> > Content-Type: text/plain; charset="UTF-8" > > TBH No idea if it helps in your case but there is a config property called > "redirect-rewrite-rules" that may help you : > https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt... <https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt... > > > On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>> > wrote: > >> Hi, >> >> I?ve tried a couple things in that comment so far: >> >> 1) Verified I?m sending through the headers and the spring boot app is >> receiving the headers: >> >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: 2018-10-05 >> 05:15:27.576 INFO 25117 --- [nio-8042-exec-2] >> a.c.u.server.controller.IndexController : host=www.example.com <http://www.example.com/> >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-real-ip=1.2.3.4 >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-for=1.2.3.4 >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-proto=https >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-host=www.example.com <http://www.example.com/> >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-port=443 >> >> I tried setting the spring boot keycloak config setting: >> >> keycloak.ssl-required = none >> >> That did remove the port 0 in the redirect_uri being generated but it also >> set the redirect uri to be http instead of https, which seems like it?d be >> bad. I do have nginx set to redirect all http requests to https anyway. >> >> Is there something else I need to do to get the spring boot app to >> generate the correct redirect_uri with https? There must be like some magic >> config setting I?ve missed somewhere. I?ll keep digging and share what I >> find. >> >> Thanks, >> >> Dean Poulin >> Owner & Principal Software Engineer >> edgewood software >> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com> >> >> >> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com <mailto:sblanc@redhat.com>> wrote: >> >> Hi, >> >> We have a ticket concerning the 0 added as port : >> https://issues.jboss.org/browse/KEYCLOAK-7237 <https://issues.jboss.org/browse/KEYCLOAK-7237> but we still need to plan >> it to work on it. But look at the comments, looks like there are some >> workarounds for now (the last comment). >> >> Sebi >> >> >> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>> >> wrote: >> >>> Hi everyone, >>> >>> First email to the group here. I?ve been heavily underway implementing >>> Keycloak for my app?s auth needs and very impressed with the product. I?ve >>> delayed emailing the group until I?ve spent hours of time trying to figure >>> out this weird issue I?m experiencing. This might not be the best place to >>> post this, but figured I?d start here. >>> >>> For some reason, when I visit my spring boot webapp that?s protected by >>> keycloak it?s redirecting to keycloak as expected but the redirect_uri is >>> being set with a port of 0 which is causing me to get an error on the >>> keycloak login page saying ?invalid redirect_uri.? >>> >>> I?ve googled this and I?ve found some people having similar issues, but >>> couldn?t find solutions (e.g. >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... >>> < >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;, >>> >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... >>> < >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... >>>> ). >>> >>> My prod/test environment uses an nginx reverse proxy in front of my apps. >>> >>> I followed these steps: >>> https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... <https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... >>> < >>> https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... <https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... >>>> . >>> >>> The url that was throwing that error looked like this (see the port of 0 >>> in the url): >>> >>> >>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... <https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... >>> < >>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... <https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... >>>> %3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid >>> >>> The keycloak logs contained this error for the above url: >>> >>> Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/> <http://sso01.example.com/ <http://sso01.example.com/>> >>> standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default >>> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, >>> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri= >>> https://www.example.com <https://www.example.com/> <https://www.example.com/ <https://www.example.com/>>:0/sso/login >>> >>> As you can see for some reason the redirect_uri is being set with a port >>> of 0. >>> >>> I put in the url with port 0 (https://www.example.com:0/sso/login <https://www.example.com:0/sso/login> < >>> https://www.example.com:0/sso/login <https://www.example.com:0/sso/login>>) into the keycloak client config >>> under Valid Redirect URIs and that removed the invalid redirect_url issue >>> and the login page was now rendering without an error. >>> >>> However, when the redirect is performed after login, the browser gets >>> screwed up with having port 0 in there? Google Chrome has this error: >>> >>> This site can?t be reached >>> The webpage at >>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... <https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... >>> < >>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... <https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... >>> might be temporarily down or it may have moved permanently to a new web >>> address. >>> ERR_ADDRESS_INVALID >>> >>> Here?s my architecture: >>> >>> USER ?> *HTTPS Standard Port 443* ?> NGINX ?> *HTTP Port 8042* >>> ?> SPRING BOOT APP (v2.0.5.RELEASE) >>> >>> USER ?> *HTTPS Standard Port 443* ?> NGINX ?> *HTTP Port 8080* >>> ?> KEYCLOAK SERVER (v4.4.0.Final) >>> >>> Spring Boot App: >>> >>> <dependency> >>> <groupId>org.keycloak.bom</groupId> >>> <artifactId>keycloak-adapter-bom</artifactId> >>> <version>4.4.0.Final</version> >>> <type>pom</type> >>> <scope>import</scope> >>> </dependency> >>> >>> ... >>> >>> <dependency> >>> <groupId>org.keycloak</groupId> >>> <artifactId>keycloak-spring-boot-starter</artifactId> >>> </dependency> >>> >>> Config yaml: >>> >>> keycloak: >>> auth-server-url: https://sso.example.com/auth <https://sso.example.com/auth> < >>> https://sso.example.com/auth <https://sso.example.com/auth>> >>> realm: my-app >>> public-client: true >>> resource: my-client >>> ssl-required: external >>> >>> >>> >>> Nginx is configured as a reverse proxy with these settings for the spring >>> boot app: >>> >>> upstream app { >>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >>> } >>> >>> server { >>> listen 443; >>> server_name www.example.com <http://www.example.com/> <http://www.example.com/ <http://www.example.com/>>; >>> >>> ... >>> >>> location / { >>> proxy_set_header Host $host; >>> proxy_set_header X-Real-IP $remote_addr; >>> proxy_set_header X-Forwarded-For >>> $proxy_add_x_forwarded_for; >>> proxy_set_header X-Forwarded-Proto $scheme; >>> proxy_set_header X-Forwarded-Host $host; >>> proxy_set_header X-Forwarded-Port 443; >>> >>> proxy_next_upstream error timeout invalid_header http_500; >>> proxy_connect_timeout 2; >>> >>> proxy_pass http://app <http://app/> <http://app/ <http://app/>>; >>> } >>> } >>> >>> Nginx is configured as a reverse proxy with these settings for the >>> keycloak server: >>> >>> >>> upstream sso { >>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >>> } >>> >>> server { >>> listen 443; >>> server_name sso.example.com <http://sso.example.com/> <http://sso.example.com/ <http://sso.example.com/>>; >>> >>> ... >>> >>> location / { >>> proxy_set_header Host $host; >>> proxy_set_header X-Real-IP $remote_addr; >>> proxy_set_header X-Forwarded-For >>> $proxy_add_x_forwarded_for; >>> proxy_set_header X-Forwarded-Proto $scheme; >>> proxy_set_header X-Forwarded-Host $host; >>> proxy_set_header X-Forwarded-Port 443; >>> proxy_next_upstream error timeout invalid_header http_500; >>> proxy_connect_timeout 2; >>> >>> proxy_pass http://sso <http://sso/> <http://sso/ <http://sso/>>; >>> } >>> } >>> >>> My keycloak configuration for standalone.xml has these settings: >>> >>> Undertow config: >>> >>> <server name="default-server"> >>> <http-listener name="default" socket-binding="http" >>> redirect-socket="proxy-https" enable-http2="true" >>> proxy-address-forwarding="true"/> >>> <https-listener name="https" socket-binding="https" >>> security-realm="ApplicationRealm" enable-http2="true"/> >>> <host name="default-host" alias="localhost"> >>> <http-invoker security-realm="ApplicationRealm"/> >>> </host> >>> </server> >>> >>> ? >>> >>> Socket Bindings: >>> >>> <socket-binding-group name="standard-sockets" default-interface="public" >>> port-offset="${jboss.socket.binding.port-offset:0}"> >>> <socket-binding name="management-http" interface="management" >>> port="${jboss.management.http.port:9990}"/> >>> <socket-binding name="management-https" interface="management" >>> port="${jboss.management.https.port:9993}"/> >>> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> >>> <socket-binding name="http" port="${jboss.http.port:8080}"/> >>> <socket-binding name="proxy-https" port="443"/> >>> <socket-binding name="https" port="${jboss.https.port:8443}"/> >>> <socket-binding name="txn-recovery-environment" port="4712"/> >>> <socket-binding name="txn-status-manager" port="4713"/> >>> <outbound-socket-binding name="mail-smtp"> >>> <remote-destination host="localhost" port="25"/> >>> </outbound-socket-binding> >>> </socket-binding-group> >>> >>> >>> >>> >>> >>> Thanks for your help, I must have missed something somewhere. I just >>> can?t for the life of me find out where that port 0 is coming from. >>> >>> >>> Dean Poulin >>> Owner & Principal Software Engineer >>> edgewood software >>> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com> <mailto:dean@edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> >> >> >> > > > ------------------------------ > > Message: 2 > Date: Fri, 5 Oct 2018 15:45:30 +0530 (GMT+05:30) > From: Amritha Amarnath <amritha_amarnath(a)amritatech.com <mailto:amritha_amarnath@amritatech.com>> > Subject: Re: [keycloak-user] Too many redirects with remember me > checked > To: Martin Kanis <mkanis(a)redhat.com <mailto:mkanis@redhat.com>> > Cc: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > Message-ID: > <3312779.577271538734530914.JavaMail.root(a)atmail.amritatech.com <mailto:3312779.577271538734530914.JavaMail.root@atmail.amritatech.com>> > Content-Type: text/plain; charset="utf-8" > > > Hello , > > > > Application is using keycloak-4.1.0.Final . For keycloak log please find attachment > > > > -- > With Regards, > Amms > > > > ----- Original Message ----- > From: "Martin Kanis" <mkanis(a)redhat.com <mailto:mkanis@redhat.com>> > To: "amritha amarnath" <amritha_amarnath(a)amritatech.com <mailto:amritha_amarnath@amritatech.com>> > Cc: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi > Subject: Re: [keycloak-user] Too many redirects with remember me checked > > > Hello, > > > what version of Keycloak do you have? Can you provide a Keycloak log? > > > Regards, > Martin > > > On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath < amritha_amarnath(a)amritatech.com <mailto:amritha_amarnath@amritatech.com> > wrote: > > > > > > Hello, > > > My application have been deployed in Wildfly 11 and is integrated with standalone Keycloak and works fine. But the issue is, when the application is logged in with Remember-me checkbox checked, its showing too many redirects when restart the browser , even though the user session is valid. It leads to logout my application session manually from keycloak admin console. > > Wildfly log says: Account was not in session, returning null , there was no code > > > Once the user session also get expired its showing the login page with pre-filled username and remember-me checked as expected. > > > I am new to keycloak. So any idea regarding too many redirects with remember-me checked ? > > -- > With Regards, > Amms > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> > > > > >