[keycloak-user] Are relative redirect URIs supported?

Håvard Wigtil haavard.wigtil at kantega.no
Mon Nov 23 15:26:52 EST 2015


I'm not sure that I'm asking the right question yet, so I'll try again.

We have Keycloak installed on keycloak.my.lan. We're running development 
on several developer PCs, which we access by their public IP because we 
test on several devices against our local development environment. So my 
application is hosted on 192.168.1.2 at the moment, my colleague is 
running her version of the same application at 192.168.1.4, and our IPs 
may change the next day.

If I configure the client "myclient" in the "Clients" section in 
Keycloak admin console with a "Valid redirect URI" of 
"http://192.168.1.2:3000/app/login" then login works. If I change this 
to only "/app/login" then I am presented with the error "We're sorry... 
Invalid parameter: redirect_uri" from Keycloak before I get a chance to 
enter my credentials.

The URL from my application in both cases is the URL below, so the 
redirect URI as sent from the application is always absolute:
https://keycloak.my.lan/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2F192.168.1.2:3000%2Fapp%2Flogin&state=3525097d-e0f8-4013-890f-08fba8439412&response_type=code

I left out the last relevant part of the help message (for brevity) in 
my first mail. In addition to "Relative path can be specified too, i.e. 
/my/relative/path/*" it also says "Relative paths will generate a 
redirect URI using the request's host and port". My reading of those two 
sentences together led me to believe that I could leave out the

So my real question is: Is it possible to set a single "Valid redirect 
URI" in Keycloak console for my app that will work when the app is 
served from either http://192.168.1.2/app or http://192.168.1.4/app and 
possibly many similar URIs? Or do I have to specify every possible URI 
that my app could be served from under "Valid redirect URIs"?

   Håvard

On 23 Nov 2015 20:19, Bill Burke wrote:
> A relative URI *will not* be accepted if it is passed as a query
> parameter when a client is requesting a code.  An absolute URI *MUST BE*
> sent via the redirect_uri query parameter.  For admin console config, if
> you put in relative path in your valid redirect URIs, it uses the
> host/port of the auth server.  A bunch of the demos work that way.  So,
> if you host the auth server on mydomain.com,
> https://localhost/my/relative/path will match and
> https://mydomain.com/my/relative/path will work too.  Make sense?
>
>
>
> On 11/23/2015 2:00 PM, Håvard Wigtil wrote:
>> I'm trying to get a relative (i.e. path only with no host) redirect URI
>> for a Keycloak client to work. My client works with full host and path,
>> but if I remove the host part I get an illegal parameter error.
>>
>> The inline help bubble has the following sentence: "Relative path can be
>> specified too, i.e. /my/relative/path/*."
>> So as far as I can tell, it should work according to the help message.
>> As I was trying to find out more about this I came across Jira issue
>> KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth
>> 2.0 spec. If I'm reading the spec correctly the redirect *must* be
>> absolute to be conformant with the spec.
>>
>> Is the inline help wrong, or is there something here that I don't get?
>>
>>      Håvard
>>
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-8
>> [2] https://tools.ietf.org/html/rfc6749#section-3.1.2
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

-- 
Håvard Wigtil
architect and developer, Kantega AS
tel. +47 9384 6468
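As an added illustration (my own code, not Keycloak's) of the matching rules Bill describes above, and of why a relative "Valid redirect URI" rejects a client served from 192.168.1.2: the model assumes that an entry starting with "/" is resolved against the auth server's scheme, host and port, that a trailing "*" is a plain prefix match (the help text's "/my/relative/path/*"), and that any other entry must match the requested redirect_uri exactly. Function names are mine, and the authorization request is the one quoted in the mail, reproduced as sample input.

```python
"""Model of the redirect_uri checks described in this thread.

Added example, not Keycloak's own code. Assumptions (labelled):
  * a "Valid redirect URI" entry starting with "/" is resolved against the
    auth server's scheme, host and port, as Bill's reply and the help text say;
  * a trailing "*" matches any suffix (the help text's "/my/relative/path/*");
  * anything else must equal the requested redirect_uri exactly.
"""
from urllib.parse import urlsplit, parse_qs

# The auth server named in the thread; constructed sample, not a live host.
AUTH_SERVER = "https://keycloak.my.lan"


def resolve_entry(entry: str, auth_server: str = AUTH_SERVER) -> str:
    """Turn a configured "Valid redirect URI" entry into the absolute pattern
    it is compared against. Relative entries get the auth server's origin."""
    if entry.startswith("/"):
        return auth_server.rstrip("/") + entry
    return entry


def entry_matches(requested: str, entry: str, auth_server: str = AUTH_SERVER) -> bool:
    """Compare one resolved entry against the redirect_uri the client sent."""
    pattern = resolve_entry(entry, auth_server)
    if pattern.endswith("*"):
        # Trailing wildcard modelled as a plain prefix match (assumption).
        return requested.startswith(pattern[:-1])
    return requested == pattern


def check_redirect_uri(requested: str, valid_entries, auth_server: str = AUTH_SERVER):
    """Return (allowed, reason). Mirrors the two failure modes in the thread:
    a relative redirect_uri in the query is rejected outright (RFC 6749 3.1.2
    requires an absolute URI), and an absolute one must match some entry."""
    parts = urlsplit(requested)
    if not parts.scheme or not parts.netloc:
        return False, "redirect_uri must be absolute"
    for entry in valid_entries:
        if entry_matches(requested, entry, auth_server):
            return True, f"matched {resolve_entry(entry, auth_server)}"
    return False, "no Valid redirect URI entry matches"


def redirect_uri_from_auth_request(url: str) -> str:
    """Pull the URL-decoded redirect_uri out of an authorization request URL
    like the one quoted in the mail."""
    query = parse_qs(urlsplit(url).query)
    return query["redirect_uri"][0]


# The authorization request quoted above, reproduced here as sample input.
SAMPLE_AUTH_REQUEST = (
    "https://keycloak.my.lan/auth/realms/myrealm/protocol/openid-connect/auth"
    "?client_id=myclient"
    "&redirect_uri=http%3A%2F%2F192.168.1.2:3000%2Fapp%2Flogin"
    "&state=3525097d-e0f8-4013-890f-08fba8439412&response_type=code"
)

if __name__ == "__main__":
    requested = redirect_uri_from_auth_request(SAMPLE_AUTH_REQUEST)
    print(requested)
    # Absolute entry, as configured when login worked.
    print(check_redirect_uri(requested, ["http://192.168.1.2:3000/app/login"]))
    # Relative entry: resolves to https://keycloak.my.lan/app/login, so a
    # client on 192.168.1.2 is rejected, which is the error seen in the mail.
    print(check_redirect_uri(requested, ["/app/login"]))
    # The same relative entry does match an app served from the auth server host.
    print(check_redirect_uri("https://keycloak.my.lan/app/login", ["/app/login"]))
    # A path wildcard widens the path, not the host, so it does not help here.
    print(check_redirect_uri(requested, ["/app/*"]))
    # Under this model the colleague's host needs its own entry.
    print(check_redirect_uri("http://192.168.1.4:3000/app/login",
                             ["http://192.168.1.2:3000/app/login",
                              "http://192.168.1.4:3000/app/login"]))
```

The point of the strict match is that the redirect_uri check is what stops an attacker from having an authorization code delivered to a host they control, so every entry that widens the match (and a relative entry silently widens it to the auth server's own origin) should be added deliberately rather than to make a development setup convenient.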
