[keycloak-user] "Invalid parameter: redirect_uri"
Stian Thorgersen
sthorger at redhat.com
Tue Jan 5 02:20:05 EST 2016
Pleased you found out what's going on. Please create an issue.
On 5 January 2016 at 01:40, Paul Blair <pblair at clearme.com> wrote:
> Figured it out — it's a case-sensitivity issue:
>
> https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/*
>
> Fails to match
>
> https://apimanloadbalancer.elb.amazonaws.com/apimanui
> <https://apimanloadbalancer/apimanui>/*
>
> I believe subdomains are case-insensitive. Should I raise an issue on this?
>
>
> From: "pblair at clearme.com" <pblair at clearme.com>
> Date: Mon, 4 Jan 2016 19:32:54 -0500
> To: "pblair at clearme.com" <pblair at clearme.com>, keycloak-user <
> keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] "Invalid parameter: redirect_uri"
>
> I should mention that this happens whether or not I have
> https://[apimanLoadBalancer] in the Root URL field for the Apimanui
> client, or whether or not I have https://[apimanLoadBalancer]/apimanui/*
> in the Valid Redirect URIs, or both. However, if they are present I no
> longer see the DEBUG line "replacing relative valid redirect with…"; I only
> see the WARN message with the failure.
>
> Also, it appears that the URL encoding is a non-issue; at least, I see the
> URLs encoded properly in the browser URL bar even if the "inspect" formats
> them with slashes and colons.
>
>
>
> From: "pblair at clearme.com" <pblair at clearme.com>
> Date: Tue, 5 Jan 2016 00:16:36 +0000
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: [keycloak-user] "Invalid parameter: redirect_uri"
>
> I am using Keycloak with the apiman API manager. Both are on AWS and are
> behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING). When
> I request the apiman admin UI page (https://[apimanLoadBalancer]/apimanui),
> I get redirected to the following URL:
>
>
> https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=
> https://[apimanLoadBalancer]/apimanui/index.html&state=3/c48eec70-0fe9-44bf-9802-a351353f7600&login=true
>
> Keycloak then displays the error "We're Sorry… Invalid parameter:
> redirect_uri"
>
> In the Keycloak log I see:
>
> DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default
> task-7) replacing relative valid redirect with:
> https://[KeycloakLoadBalancer]/apimanui/*
> WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR,
> realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP],
> error=invalid_redirect_uri, response_type=code, redirect_uri=
> https://[apimanLoadBalancer]/apimanui/index.html, response_mode=query
>
> This looks to me as though Keycloak thinks that the redirect URI is a
> relative path. I also notice that the query string parameters for
> redirect_uri are not URL encoded by apiman. Would this be the source of the
> problem?
> _______________________________________________ keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/ee663e9f/attachment.html
More information about the keycloak-user
mailing list