[keycloak-user] Spring Security - URL schema in "redirect_uri" generation

Scott Rossillo srossillo at smartling.com
Fri Feb 19 18:26:41 EST 2016


It seems Wildfly isn’t aware of the fact that Nginx is handling secure connections.

Take a look at these posts:

http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html
http://lists.jboss.org/pipermail/keycloak-user/2015-September/003104.html


Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Feb 19, 2016, at 10:56 AM, Andy Yar <andyyar66 at gmail.com> wrote:
> 
> Howdy,
> I use 1.8.0-Final integrated with Spring Security (which itself is integrated into Grails) using OpenID Connect method. The Keycloak and all integrated apps run behind a nginx SSL reverse proxy. Realm's SSL is set to: "ssl-required": "external".
> 
> My issue is related to initial "redirect_uri" generation. 
> 
> When I'm logged out and try to access a protected resource via a HTTPS request, I receive 302 response with Location URL starting with plain HTTP scheme. Apparently the Location goes to the "redirect_uri" attribute and therefore it tries to redirect me back here after a successful login.
> 
> Of course, it is possible to add both HTTP and HTTPS schemas as allowed redirect URI patterns. However, application's security gets lowered by that plain HTTP redirect...
> 
> Is there any easy solution for non-SSL Keycloak/apps running behind SSL reverse proxy? I haven't looked into the source code but it seems as a plain redirect which wouldn't be schema-aware.
> 
> Thanks in advance!
> Andy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
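
Added example, not part of the original thread and not Keycloak or Spring Security adapter code: a sketch of how an application behind a TLS-terminating proxy can rebuild the scheme for "redirect_uri" from X-Forwarded-Proto while ignoring that header from untrusted peers. The function names, proxy address ranges, hostnames, client id and path are assumptions made for illustration, and the proxy is assumed to pass the original Host header through.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

# Assumption: only the TLS-terminating proxy connects from these ranges.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def external_base(peer_ip, wire_scheme, headers):
    """Return scheme://host as the browser saw it.

    X-Forwarded-Proto is honoured only when the TCP peer is a trusted proxy;
    otherwise any client could pick the scheme the application believes.
    """
    scheme = wire_scheme
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("X-Forwarded-Proto", "").strip().lower()
        if forwarded in ("http", "https"):
            scheme = forwarded
    return f"{scheme}://{headers['Host']}"


def login_location(auth_url, client_id, base, path):
    """Build the 302 Location that sends an unauthenticated user to log in."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": base + path})
    return f"{auth_url}?{query}"


# Constructed sample requests: (label, TCP peer, scheme on the wire, headers).
AUTH_URL = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth"
SAMPLES = [
    ("proxy forwards scheme", "10.0.0.5", "http",
     {"Host": "app.example.test", "X-Forwarded-Proto": "https"}),
    ("proxy omits header", "10.0.0.5", "http", {"Host": "app.example.test"}),
    ("direct client spoofs header", "203.0.113.9", "http",
     {"Host": "app.example.test", "X-Forwarded-Proto": "https"}),
]

if __name__ == "__main__":
    for label, peer, wire, hdrs in SAMPLES:
        base = external_base(peer, wire, hdrs)
        print(f"{label}: {login_location(AUTH_URL, 'grails-app', base, '/secure/report')}")
```

The second sample reproduces the symptom from the thread: without a forwarded scheme the application only sees the plain HTTP hop from the proxy, so the generated redirect_uri starts with http://.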
