Figured it out -- needed to set PROXY_ADDRESS_FORWARDING to true on my Keycloak
container.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Todd A. Mancini
Sent: Sunday, March 17, 2019 8:28 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub
rather than HTTP?
Loving Keycloak (amazing work) and hoping I'm just missing something obvious. I've
got a GitHub identity provider and all is working well except for one thing. My Keycloak
server is on HTTP, sitting behind a reverse proxy handling all of the TLS goodness. When I
look at the GitHub Identity Provider, it shows
http://keycloak/auth/realms/myrealm/broker/github/endpoint. My app server is available at
https://example.com, even though it, too, is actually only running HTTP and the rev proxy
is doing the TLS. For the most part, everything works as expected. (FYI, the reverse proxy
forwards all traffic to https://example.com/auth to http://keycloak/auth.)

The one thing not working 100% properly is the redirect uri sent to GitHub. It's HTTP,
not HTTPS.

It is correctly getting the new host name (e.g. it becomes
http://example.com/auth/realms/myrealm/broker/github/endpoint), but even though my browser
is hitting https://example.com, the redirect uri sent to GitHub is HTTP. GitHub complains
that it's not the right redirect url, because on GitHub I've set it to
https://example.com/auth/realms/myrealm/broker/github/endpoint. If I change the OAuth
redirect URL on GitHub to expect HTTP instead of HTTPS, everything works...except that
I'm now doing the final handshake over HTTP. (The rev proxy actually forces a redirect
to HTTPS, but, by that point, the damage has been done.)

So my question is, how can I get Keycloak to send an HTTPS Redirect URI to GitHub rather
than HTTP? How is KC even deciding to use HTTP v HTTPS? I've tried requiring SSL on
the Realm login settings, but that did not seem to impact the generation of the Redirect
URI.

Many thanks!

-Todd
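
The scheme mismatch described in this thread, as a simplified model added here for illustration (it is not Keycloak code and not from either message): a backend listening on plain HTTP only emits an `https` redirect URI once it is told to honour the scheme forwarded by the proxy. The `X-Forwarded-Proto` header, the proxy address `10.0.0.2`, the trusted-peer check and the exact-match callback comparison are assumptions of the sketch.

```python
from urllib.parse import urlunsplit

# Constructed values mirroring the thread; not taken from a real deployment.
REGISTERED_CALLBACK = "https://example.com/auth/realms/myrealm/broker/github/endpoint"
BROKER_PATH = "/auth/realms/myrealm/broker/github/endpoint"
TRUSTED_PROXIES = {"10.0.0.2"}  # assumed address of the reverse proxy


def effective_scheme(headers, peer_ip, proxy_address_forwarding):
    """Scheme the backend believes the browser used.

    The listener itself is plain HTTP. The forwarded scheme is honoured only
    when forwarding is enabled AND the direct peer is the known proxy;
    otherwise any client could claim "https" for itself. The peer check is
    part of this sketch, not a statement about Keycloak's implementation.
    """
    if proxy_address_forwarding and peer_ip in TRUSTED_PROXIES:
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"


def redirect_uri(headers, peer_ip, proxy_address_forwarding):
    """Build the redirect URI the broker would hand to the identity provider."""
    scheme = effective_scheme(headers, peer_ip, proxy_address_forwarding)
    return urlunsplit((scheme, headers["Host"], BROKER_PATH, "", ""))


def matches_registered_callback(uri):
    """Provider-side callback check, simplified here to an exact match."""
    return uri == REGISTERED_CALLBACK


# Constructed request as the backend sees it after TLS termination:
# the proxy preserved the public Host and added the original scheme.
PROXIED = {"Host": "example.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for flag in (False, True):
        uri = redirect_uri(PROXIED, "10.0.0.2", flag)
        print(f"forwarding={flag}: {uri} ok={matches_registered_callback(uri)}")
```

The forwarded scheme is only as trustworthy as the path it arrives on, so the proxy should overwrite any client-supplied `X-Forwarded-Proto` and the HTTP listener should not be reachable except through the proxy.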