Dominic, Did you try to add your response uri, i.e: "https://myserver.com/auth/admin/master/console/*" to the "Valid Redirect URIs" in the security-admin-console client? Regards Tim -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of dominic.michel01(a)realdigital.de Sent: den 28 november 2018 12:02 To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Access to security-admin-console via SSL is prohibited? Hi. I've just deployed a keycloak which is only reachable via a haproxy that enforces SSL. Now i'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?clien... But this request ends in status 400 with the response "Invalid parameter: redirect_uri" On a test environment without SSL it's actually working fine with an absolute uri using http. But here i cannot use http. The haproxy prevents it completely. I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/) which leaves my with an error in the browser because haproxy changes the call to https, but some content seems to be still embeded using http --- Content Security Policy: The page's settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-stat... ("frame-src"). --- So it looks like i'm effectively locked out. Based on my current situation i have three questions. 1. Why does keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https and how can this be changed? 2. Given that the default redirect uri pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is? 3. Does anybody know what to change now (via admin cli i guess) to get access to the UI? Thanks for your help. Kind regards, Dominic real,- Digital Services GmbH, Sitz: Duesseldorf Amtsgericht Duesseldorf, HRB 75643 Geschaeftsfuehrer: Dr. Gerald Schoenbucher, Mehmet Toezge Die in dieser E-Mail enthaltenen Nachrichten und Anhaenge sind ausschliesslich fuer den bezeichneten Adressaten bestimmt. Sie koennen rechtlich geschuetzte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfaenger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfaeltigung oder Weitergabe der Nachrichten und Anhaenge untersagt. Falls Sie diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte unverzueglich den Absender und vernichten Sie die E-Mail. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi. I found my mistake. The client is talking SSL with the reverse-proxy, but the reverse-proxy is only talking http with keycloak. So all i had to do is set proxy-address-forwarding="true" for the http-listener in order for keycloak to respect the X-Forwarded-Proto header and use https for redirects. Like described in this section of the documentation https://www.keycloak.org/docs/4.6/server_installation/index.html#identify... Thanks for your help Tim! ________________________________________ From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on behalf of dominic.michel01(a)realdigital.de [dominic.michel01(a)realdigital.de] Sent: Friday, November 30, 2018 8:27 AM To: tim.hedlund(a)outlook.com; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Access to security-admin-console via SSL is prohibited? Hi. Yes, i've added the https uri as well. Unfortunately, when accessing the login mask via https, the action of the login form is still using http. So i'm able to login but only see a blank page because the page content is blocked by the browser with this message: Mixed Content: The page at 'https://myserver.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://myserver.com/auth/realms/master/protocol/openid-connect/token'. This request has been blocked; the content must be served over HTTPS. According to https://www.keycloak.org/docs/4.6/server_admin/#_ssl_modes i figured it would be enough to configure SSL on the reverse proxy only, but now i wonder if it really is and how to convince keycloak to use https for all its form actions, XHRs etc. Kind regards, Dominic ________________________________________ From: Tim Hedlund [tim.hedlund(a)outlook.com] Sent: Thursday, November 29, 2018 4:02 PM To: Michel, Dominic; keycloak-user(a)lists.jboss.org Subject: RE: [keycloak-user] Access to security-admin-console via SSL is prohibited? Dominic, Did you try to add your response uri, i.e: "https://myserver.com/auth/admin/master/console/*" to the "Valid Redirect URIs" in the security-admin-console client? Regards Tim -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of dominic.michel01(a)realdigital.de Sent: den 28 november 2018 12:02 To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Access to security-admin-console via SSL is prohibited? Hi. I've just deployed a keycloak which is only reachable via a haproxy that enforces SSL. Now i'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?clien... But this request ends in status 400 with the response "Invalid parameter: redirect_uri" On a test environment without SSL it's actually working fine with an absolute uri using http. But here i cannot use http. The haproxy prevents it completely. I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/) which leaves my with an error in the browser because haproxy changes the call to https, but some content seems to be still embeded using http --- Content Security Policy: The page's settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-stat... ("frame-src"). --- So it looks like i'm effectively locked out. Based on my current situation i have three questions. 1. Why does keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https and how can this be changed? 2. Given that the default redirect uri pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is? 3. Does anybody know what to change now (via admin cli i guess) to get access to the UI? Thanks for your help. Kind regards, Dominic real,- Digital Services GmbH, Sitz: Duesseldorf Amtsgericht Duesseldorf, HRB 75643 Geschaeftsfuehrer: Dr. Gerald Schoenbucher, Mehmet Toezge Die in dieser E-Mail enthaltenen Nachrichten und Anhaenge sind ausschliesslich fuer den bezeichneten Adressaten bestimmt. Sie koennen rechtlich geschuetzte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfaenger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfaeltigung oder Weitergabe der Nachrichten und Anhaenge untersagt. Falls Sie diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte unverzueglich den Absender und vernichten Sie die E-Mail. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user real,- Digital Services GmbH, Sitz: Duesseldorf Amtsgericht Duesseldorf, HRB 75643 Geschaeftsfuehrer: Dr. Gerald Schoenbucher, Mehmet Toezge Die in dieser E-Mail enthaltenen Nachrichten und Anhaenge sind ausschliesslich fuer den bezeichneten Adressaten bestimmt. Sie koennen rechtlich geschuetzte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfaenger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfaeltigung oder Weitergabe der Nachrichten und Anhaenge untersagt. Falls Sie diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte unverzueglich den Absender und vernichten Sie die E-Mail. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user real,- Digital Services GmbH, Sitz: Duesseldorf Amtsgericht Duesseldorf, HRB 75643 Geschaeftsfuehrer: Dr. Gerald Schoenbucher, Mehmet Toezge Die in dieser E-Mail enthaltenen Nachrichten und Anhaenge sind ausschliesslich fuer den bezeichneten Adressaten bestimmt. Sie koennen rechtlich geschuetzte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfaenger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfaeltigung oder Weitergabe der Nachrichten und Anhaenge untersagt. Falls Sie diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte unverzueglich den Absender und vernichten Sie die E-Mail.