[keycloak-user] Behind a reverse proxy using context path

Andy Yar andyyar66 at gmail.com
Wed Jan 13 13:07:06 EST 2016


OK, I forgot to mention I used to have the Keycloak set to run on the root
context. So I removed the root context mapping, set the "standalone.xml" to
"sso" and customized the nginx settings accordingly.

Now I am able to enter the admin/, although redirecting to the login form
for the master realm ends with an error - "Invalid parameter:
redirect_uri". Apparently the context path "sso/" is ignored by a security
pattern.

Log dump:
2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-15) replacing relative valid redirect with: https://domain.foo/auth/admin/master/console/*
2016-01-13 17:06:21,876 WARN  [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=https://domain.foo/sso/admin/master/console/, response_mode=fragment

Thanks

On Wed, Jan 13, 2016 at 2:44 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Looks like it may be a bug caused by context-path on the server being
> different than context-path on the reverse proxy.
>
> Try setting web-context for urn:jboss:domain:keycloak-server:1.1 in
> standalone.xml to "sso". If that works please create a bug.
>
> On 13 January 2016 at 14:27, Andy Yar <andyyar66 at gmail.com> wrote:
>
>> Hello,
>> I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy
>> (nginx). The WildFly is configured for proxying according to the Keycloak
>> guide and the proxy sends the needed custom HTTP headers.
>>
>> I have a public SSL secured domain and nginx proxying requests to
>> internal WildFly server. I would like to use URL: https://domain.foo/sso/
>> to access the Keycloak (internal WildFly). I guess the context path (sso/)
>> is important here.
>>
>> Accessing the address I can reach the Keycloak default welcome page.
>> However, a GET https://domain.foo/sso/admin results in 302 to Location:
>> https://domain.foo/admin/master/console/. Obviously this redirect fails
>> because its Location misses the needed context path (sso/). Adding the
>> context path to a request manually results in a 200 but following resources
>> fail to download because of the missing context path part of URL.
>>
>> Is my configuration wrong? Is there a way how the original base URL can
>> be set? Is it even possible to have it behind a reverse proxy not running
>> at root context? Is the origin detection broken?
>>
>> Thanks in advance
>> Andy
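Added example, not part of the original thread and not Keycloak's own code: a small Python diagnostic that pairs the two log records quoted in the message and reports which context-path segment differs. The wildcard check is a simplified model (a trailing "*" treated as a prefix match), and the function names and the LOG sample are assumptions constructed from the log dump above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two log records from the message, one record per line.
LOG = """\
2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-15) replacing relative valid redirect with: https://domain.foo/auth/admin/master/console/*
2016-01-13 17:06:21,876 WARN  [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=https://domain.foo/sso/admin/master/console/, response_mode=fragment
"""

RESOLVED = re.compile(r"replacing relative valid redirect with: (\S+)")
EVENT = re.compile(r"error=invalid_redirect_uri,.*?redirect_uri=\s*([^,\s]+)")

def matches(pattern, uri):
    """Simplified model (assumption): trailing '*' is a prefix wildcard, else exact."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern

def first_segment(url):
    """First path segment of a URL, i.e. the context path as the log shows it."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return parts[0] if parts else ""

def diagnose(log_text):
    """Pair each invalid_redirect_uri event with the patterns resolved before it."""
    patterns, findings = [], []
    for line in log_text.splitlines():
        m = RESOLVED.search(line)
        if m:
            patterns.append(m.group(1))
            continue
        m = EVENT.search(line)
        if m:
            uri = m.group(1)
            if not any(matches(p, uri) for p in patterns):
                findings.append({
                    "redirect_uri": uri,
                    "patterns": list(patterns),
                    "server_context": sorted({first_segment(p) for p in patterns}),
                    "proxy_context": first_segment(uri),
                })
            patterns = []  # patterns belong to the request that just ended
    return findings

if __name__ == "__main__":
    for f in diagnose(LOG):
        print(f"rejected {f['redirect_uri']}: server resolves under "
              f"{f['server_context']}, request arrived under '{f['proxy_context']}'")
```

When the two segments differ, as they do here, the thing to change is the server's web-context so it agrees with the proxy path, not the client's valid redirect URIs, which should stay as narrow as they are.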