[keycloak-user] Problems with Redirect URI

Stian Thorgersen stian at redhat.com
Thu Oct 2 02:42:45 EDT 2014


As it redirected from http to https, did you edit web.xml and enable the confidential transport-guarantee?

In production you should always use ssl for all traffic, and also make sure you have a proper certificate so apps and browsers can guarantee they are indeed talking to your auth server and not some intermediary.

----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 2 October, 2014 7:30:15 AM
> Subject: Re: [keycloak-user] Problems with Redirect URI
> 
> Yes, but should I have to register that URI?
> 
> I thought that the ssl-required option was only valid for communications with
> the keycloak server, not on how the keycloak server would respond to the
> application.
> The solution would be to register this https uri as a redirect_uri on my
> keycloak application?
> 
> While we're on this topic I do have another question, that my superiors
> instructed me to ask:
> 
> Is it unsafe to change my keycloak.json setting ssl-required to none?
> The problem I see is someone intercepting the access code returned by the
> server. Is it possible for 2 requests with the same access code to be processed,
> returning a valid access token for both? Or is this code discarded somehow?
> 
> Thank you again for all your help
> 
> On Wed, Oct 1, 2014 at 4:57 PM, Bill Burke <bburke at redhat.com> wrote:
> 
> 
> https://www.domain.com:8443 is a different uri than
> http://www.domain.com . If you don't change the redirect uri pattern in
> the admin console for the app, then the server will not recognize the
> https uri as valid.
> 
> On 10/1/2014 3:10 PM, Rodrigo Sasaki wrote:
> > Hello,
> > 
> > We tried to deploy our server in production today, protected with
> > Keycloak but we had some issues.
> > 
> > When we tried to access one of our resources, the redirect_uri was
> > altered to one we didn't have registered.
> > 
> > Our original uri was something like this: http://www.domain.com/resource
> > 
> > and it got changed to: https://www.domain.com:8443/resource
> > 
> > changing the protocol to https and adding the 8443 port, and that
> > specific uri isn't registered for us, so the server returned saying it
> > was an invalid redirect_uri.
> > 
> > Is this a normal behavior? Should we have configured something else?
> > 
> > Thanks!
> > 
> > --
> > Rodrigo Sasaki
> > 
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
> 
> 
> --
> Rodrigo Sasaki
> 
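Bill's point above is that scheme and port are part of the redirect URI's identity, so https://www.domain.com:8443/resource does not match a registration for http://www.domain.com/*. The validator below is an added illustration of that rule, written for this thread and not taken from Keycloak's code base; its trailing-`*` wildcard handling is an assumption about how such patterns are commonly expressed, not a description of Keycloak's implementation.

```python
from urllib.parse import urlsplit

# Ports implied when a URI omits one; only http/https redirect targets are accepted.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(uri):
    """Return (scheme, host, port, path+query) with lower-cased scheme/host
    and the port made explicit, so 'http://h/' and 'http://h:80/' compare equal."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return scheme, host, port, path


def redirect_uri_allowed(requested, registered_patterns):
    """True only if `requested` matches one registered pattern.

    A pattern matches exactly, or, if it ends in '*', matches any path that
    starts with the text before the '*'. Scheme, host and port must always be
    identical, which is why a redirect rewritten from http to https:8443
    is rejected until that variant is registered too.
    """
    req = _normalize(requested)
    if req[0] not in DEFAULT_PORTS or urlsplit(requested).fragment:
        return False  # unsupported scheme, or a fragment (not allowed in redirect_uri)
    for pattern in registered_patterns:
        wildcard = pattern.endswith("*")
        pat = _normalize(pattern[:-1] if wildcard else pattern)
        if pat[:3] != req[:3]:
            continue  # scheme, host or port differ: not the same origin
        if wildcard and req[3].startswith(pat[3]):
            return True
        if not wildcard and req[3] == pat[3]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample mirroring the thread: only the http pattern is registered.
    registered = ["http://www.domain.com/*"]
    print(redirect_uri_allowed("http://www.domain.com/resource", registered))        # True
    print(redirect_uri_allowed("https://www.domain.com:8443/resource", registered))  # False
```

Registering https://www.domain.com:8443/* alongside the http pattern makes the rewritten redirect pass, which is the fix the thread arrives at.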