Hi.
I found my mistake. The client is talking SSL with the reverse-proxy, but the
reverse-proxy is only talking http with keycloak. So all I had to do was set
proxy-address-forwarding="true" for the http-listener in order for keycloak to
respect the X-Forwarded-Proto header and use https for redirects, as described in this
section of the documentation:
https://www.keycloak.org/docs/4.6/server_installation/index.html#identify...
Thanks for your help Tim!
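The mechanism behind the fix above, as an added model that is not Keycloak's own code: it shows how the listener's notion of the request scheme (socket scheme vs. X-Forwarded-Proto) decides both the scheme of redirects and whether an https redirect_uri can match the relative "Valid Redirect URIs" pattern. The request dict, header values and function names are constructed for illustration, and treating relative patterns as resolved against the request base URL before matching is an assumption consistent with the thread's observations.

```python
from fnmatch import fnmatchcase
from urllib.parse import urljoin, urlsplit

# Constructed sample request reproducing the thread's set-up: the browser talks
# TLS to haproxy, haproxy talks plain HTTP to the Keycloak listener and adds the
# X-Forwarded-* headers. (Hypothetical dict layout, not a Keycloak API.)
PROXIED_REQUEST = {
    "socket_scheme": "http",  # what the http-listener itself sees
    "host": "myserver.com",
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"},
}
VALID_REDIRECT_PATTERNS = ["/auth/admin/master/console/*"]  # console client default
CONSOLE_URL = "https://myserver.com/auth/admin/master/console/"
TOKEN_PATH = "/auth/realms/master/protocol/openid-connect/token"

def effective_scheme(request, proxy_address_forwarding):
    """Scheme the server believes the client used.
    With proxy-address-forwarding="true" the listener trusts X-Forwarded-Proto;
    without it the listener's own plain-HTTP scheme wins, which is why the
    thread saw http:// redirects and form actions behind an https proxy."""
    if proxy_address_forwarding:
        hdr = request["headers"].get("X-Forwarded-Proto")
        return hdr.lower() if hdr else request["socket_scheme"]
    return request["socket_scheme"]

def base_url(request, proxy_address_forwarding):
    return f"{effective_scheme(request, proxy_address_forwarding)}://{request['host']}"

def redirect_uri_allowed(request, proxy_address_forwarding, redirect_uri):
    """Model of the check behind 'Invalid parameter: redirect_uri'.
    Assumption: a relative pattern is resolved against the server's base URL
    before glob matching, so the effective scheme decides whether an https://
    redirect_uri can ever match "/auth/admin/master/console/*"."""
    base = base_url(request, proxy_address_forwarding)
    resolved = urljoin(base, redirect_uri)  # a relative redirect_uri inherits the base scheme
    for pattern in VALID_REDIRECT_PATTERNS:
        absolute = pattern if urlsplit(pattern).scheme else urljoin(base, pattern)
        if fnmatchcase(resolved, absolute):
            return True
    return False

def token_endpoint(request, proxy_address_forwarding):
    """URL the console's XHR is sent to; it gets the same scheme as every redirect."""
    return base_url(request, proxy_address_forwarding) + TOKEN_PATH

def is_mixed_content(page_url, resource_url):
    """True when an https page would be blocked from loading a plain-http resource."""
    return urlsplit(page_url).scheme == "https" and urlsplit(resource_url).scheme == "http"
```

Enabling proxy-address-forwarding makes the listener trust whatever X-Forwarded-* headers arrive, so the listener must be reachable only through haproxy, and haproxy must set those headers itself rather than pass client-supplied ones through.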
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on
behalf of dominic.michel01(a)realdigital.de [dominic.michel01(a)realdigital.de]
Sent: Friday, November 30, 2018 8:27 AM
To: tim.hedlund(a)outlook.com; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Access to security-admin-console via SSL is
prohibited?
Hi.
Yes, I've added the https uri as well. Unfortunately, when accessing the login mask
via https, the action of the login form is still using http. So I'm able to log in but
only see a blank page because the page content is blocked by the browser with this
message:
Mixed Content: The page at 'https://myserver.com/auth/admin/master/console/' was
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://myserver.com/auth/realms/master/protocol/openid-connect/token'. This
request has been blocked; the content must be served over HTTPS.
According to
https://www.keycloak.org/docs/4.6/server_admin/#_ssl_modes I figured it would
be enough to configure SSL on the reverse proxy only, but now I wonder if it really is and
how to convince keycloak to use https for all its form actions, XHRs etc.
Kind regards,
Dominic
________________________________________
From: Tim Hedlund [tim.hedlund(a)outlook.com]
Sent: Thursday, November 29, 2018 4:02 PM
To: Michel, Dominic; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Access to security-admin-console via SSL is
prohibited?
Dominic,
Did you try to add your response uri, i.e.
"https://myserver.com/auth/admin/master/console/*", to the "Valid Redirect
URIs" in the security-admin-console client?
Regards
Tim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of dominic.michel01(a)realdigital.de
Sent: den 28 november 2018 12:02
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Access to security-admin-console via SSL is prohibited?
Hi.
I've just deployed a keycloak which is only reachable via a haproxy that enforces
SSL.
Now I'm trying to log into the security-admin-console via
https://myserver.com/auth/admin/ which is redirecting me to
https://mysever.com/auth/realms/master/protocol/openid-connect/auth?clien...
But this request ends in status 400 with the response "Invalid parameter:
redirect_uri".
On a test environment without SSL it's actually working fine with an absolute uri
using http. But here I cannot use http. The haproxy prevents it completely.
I tried changing the redirect_uri param to a relative one
(redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then keycloak responds with a
non-SSL redirect to the base URL (
http://myserver.com/auth/admin/master/console/)
which leaves me with an error in the browser because haproxy changes the call to https,
but some content seems to be still embedded using http:
---
Content Security Policy: The page's settings blocked the loading of a resource at
http://myserver.com/auth/realms/master/protocol/openid-connect/login-stat...
("frame-src").
---
So it looks like I'm effectively locked out.
Based on my current situation I have three questions.
1. Why does keycloak respond with http redirects even though the issuing call
(
https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https,
and how can this be changed?
2. Given that the default redirect uri pattern for the security-admin-console is
"/auth/admin/master/console/*", why is
https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but
http://myserver.com/auth/admin/master/console is?
3. Does anybody know what to change now (via admin cli I guess) to get access to the UI?
Thanks for your help.
Kind regards,
Dominic
real,- Digital Services GmbH, registered office: Duesseldorf
District Court of Duesseldorf, HRB 75643
Managing directors: Dr. Gerald Schoenbucher, Mehmet Toezge
The messages and attachments contained in this e-mail are intended exclusively for the
named addressee. They may contain legally protected, confidential information. If you
are not the named recipient or are not authorised to receive this e-mail, the use,
reproduction or forwarding of the messages and attachments is prohibited. If you have
received this e-mail in error, please inform the sender immediately and destroy the
e-mail.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user