oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked........ but now I have another problem :-( *Kevin Thorpe* CTO <https://www.p-i.net/> <https://twitter.com/@PI_150> www.p-i.net | @PI_150 <https://twitter.com/@PI_150> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. *"SAVE PAPER - THINK BEFORE YOU PRINT!" * On 18 September 2015 at 11:59, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote:

I got it working but as you've seen only if everyone contacts the Nginx IP. If the back end servers contact Keycloak directly then the validation fails because the token was issued by 'a different server'. I want to do the same thing as well. I want the front-end of our application to authenticate against the public address then all the back end servers running in Docker contact the Keycloak docker container directly. The way I have it now I'm generating a lot of traffic between the Docker (actually Rancher) LAN and the external LAN. I think we need a concept of service aliases so that a token issued by https:my-public-name:443 would still be accepted by http://keycloak:8080 (as long as it was indeed issued by that server under a different alias) *Kevin Thorpe* CTO <https://www.p-i.net/> <https://twitter.com/@PI_150> www.p-i.net | @PI_150 <https://twitter.com/@PI_150> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. *"SAVE PAPER - THINK BEFORE YOU PRINT!" * On 24 September 2015 at 02:38, Doug Szeto <DSzeto(a)investlab.com&gt; wrote:

Thanks for the config but had to make a few more changes for my setup. First problem was that the if there is a url instead of an IP as the keycloak server, it seemed to cause problems. Solution: Had to replace the nginx config setting: proxy_set_header Host $host; With proxy_set_header Host [auth-server-url in the keycloak.json file]; Second problem is that the keycloak/wildfly server kept using the nginx proxy’s IP in the session management. Solution: Need a combination of nginx settings and wildfly settings. Nginx needs to insert the forwarded for headers proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; Wildfly’s standalone/configuration/standalone.xml needs to read the forwarded for header with proxy-address-forwarding=“true" … <subsystem xmlns="urn:jboss:domain:undertow:2.0"> <buffer-cache name="default"/> <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" /> … The second solution is sort of mentioned in the docs, but applicable to both http and https and the xml seems out of date. —Doug From: Scott Rossillo <srossillo@smartling.com<mailto:srossillo@smartling.com>> Date: Thu, 24 Sep 2015 12:25:06 -0400 To: Kevin Thorpe <kevin.thorpe@p-i.net<mailto:kevin.thorpe@p-i.net>> Cc: doug <dszeto@investlab.com<mailto:dszeto@investlab.com>>, keycloak-user <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems Here’s a working configuration with NGINX listening on 443 (https) and Keycloak / Wildfly on 8080 (http). Note the proxy_set_header calls. The rest of the config is just for completeness: upstream keycloak { server localhost:8080; } server { listen 443; server_name localhost; ssl on; ssl_certificate /etc/pki/tls/certs/server.crt; ssl_certificate_key /etc/pki/tls/certs/server.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location / { proxy_pass http://keycloak; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; } } Scott Rossillo Smartling | Senior Software Engineer srossillo@smartling.com<mailto:srossillo@smartling.com> [Powered by Sigstr]<http://www.sigstr.com/> On Sep 24, 2015, at 5:13 AM, Kevin Thorpe <kevin.thorpe@p-i.net<mailto:kevin.thorpe@p-i.net>> wrote: I got it working but as you've seen only if everyone contacts the Nginx IP. If the back end servers contact Keycloak directly then the validation fails because the token was issued by 'a different server'. I want to do the same thing as well. I want the front-end of our application to authenticate against the public address then all the back end servers running in Docker contact the Keycloak docker container directly. The way I have it now I'm generating a lot of traffic between the Docker (actually Rancher) LAN and the external LAN. I think we need a concept of service aliases so that a token issued by https:my-public-name:443 would still be accepted by http://keycloak:8080<http://keycloak:8080/> (as long as it was indeed issued by that server under a different alias) Kevin Thorpe CTO <pi_icon.jpg><https://www.p-i.net/> <twitter.jpg><https://twitter.com/@PI_150> www.p-i.net<http://www.p-i.net/> | @PI_150<https://twitter.com/@PI_150> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK [https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/8102853...] [https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/1...] [https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bd...] [https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7...] _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. "SAVE PAPER - THINK BEFORE YOU PRINT!" On 24 September 2015 at 02:38, Doug Szeto <DSzeto@investlab.com<mailto:DSzeto@investlab.com>> wrote: Did you ever get the correct settings? When I put nginx in front of keycloak, it generates access tokens tied to the nginx server's IP instead of the browser's IP. This is apparent in the admin management pages when you look up the active sessions. The problem I'm having is there is a resource server that accepts bearer only tokens. It uses a different server, and now fails the token validation check. Remove the nginx servers and things work fine. Any suggestions? --Doug ________________________________ From: keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> <keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Kevin Thorpe <kevin.thorpe@p-i.net<mailto:kevin.thorpe@p-i.net>> Sent: Friday, September 18, 2015 19:21 To: stian@redhat.com<mailto:stian@redhat.com> Cc: keycloak-user Subject: Re: [keycloak-user] Wrapping Keycloak under Nginx - redirect_uri problems oh I see. I was copying the style of config from the developer who set up the test Keycloak (assuming wrongly that he knew what he was doing). Setting it to the actual site worked........ but now I have another problem :-( Kevin Thorpe CTO [http://service.svc/s/GetFileAttachment?id=AAMkAGIxOTBjNDM0LTgxNDQtNDYxYi1... [http://service.svc/s/GetFileAttachment?id=AAMkAGIxOTBjNDM0LTgxNDQtNDYxYi1...] <https://twitter.com/@PI_150> www.p-i.net<http://www.p-i.net/> | @PI_150<https://twitter.com/@PI_150> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635 150 Buckingham Palace Road, London, SW1W 9TR, UK [https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo.jpg/8102853...] [https://clients.p-i.net/documents/11003/1116416/ISO27001-2013.logo.jpeg/1...] [https://clients.p-i.net/documents/11003/1116416/QMS.logo.jpeg/3925220d-bd...] [https://clients.p-i.net/documents/11003/1116416/pci.png/773a04d4-f6ce-4b7...] _____________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. "SAVE PAPER - THINK BEFORE YOU PRINT!" On 18 September 2015 at 11:59, Stian Thorgersen <sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote: The * can only be on the end of the valid redirect uri. So you need to specify 'https://my-client.pibenchmark.com/*' or simply '*'. The latter not being a good idea obviously. On 18 September 2015 at 12:42, Kevin Thorpe <kevin.thorpe@p-i.net<mailto:kevin.thorpe@p-i.net>> wrote: Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to avoid the invalid parameter: redirect_uri problem. Website is https://my-client.pibenchmark.com<https://my-client.pibenchmark.com/> In nginx: location /auth { proxy_pass https://auth-service<https://auth-service/>; } upstream auth-service { server my-keycloak:8443; } Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/*<http://pibenchmark.com/*> ie my whole domain. Still getting invalid parameter: redirect_uri though. What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons. Kevin Thorpe CTO, PI Limited _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

Solved by making a second call to: PUT /auth/admin/realms/{realm}/users/{userId}/reset-password Should make a note in the release notes for 1.5.0. -Doug From: doug <dszeto@investlab.com<mailto:dszeto@investlab.com>> Date: Fri, 18 Sep 2015 11:00:08 +0000 To: "keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>" <keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>> Subject: [keycloak-user] Creating Users from admin url and user passwords Hi, I've update from version 1.4.0.Final to 1.5.0.Final. Was able to use to create users with a script from the admin url api in 1.4.0. But after the update to 1.5.0.Final, it doesn't seem to accept the credentials anymore. Here is my request that used to work: POST /auth/admin/realms/{realm}/users body={"username":"burke","enabled":true,"credentials":[{"type":"password","value":"password"]} I'm dumping the realm information and the user is created, but the credentials field is a blank json array. Uploading a realm with one of the test configs, it seems like it automatically changes the password value to some hashed value. What actually changed in 1.5.0 with creating users using the admin api with a temporary password so that it can be scripted again? -Doug _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user