[keycloak-user] Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy

Guy Bowdler guybowdler at dorsetnetworks.com
Wed Jul 20 07:14:49 EDT 2016


To close this issue off, we have fixed (worked around?) this.   Having 
established that trailing slashes in the config files cause different 
symptoms, we found that the URL without a trailing slash (i.e. 
host.domain.tld/sitename) downloaded the main document but relative URLs 
were not created correctly and missed out the "sitename".  Manually 
adding the trailing slash or setting a base tag in the site code worked 
around this, but ultimately we fixed this using a rewrite rule in nginx 
(rewrite ^/sitename$ https://host.domain/tld/sitename/;).

This seemed to be just a symptom of having chained proxies and is 
nothing specific to the Keycloak security proxy or NGINX.

Thanks to those who offered help.

Kind regards

Guy



On 2016-06-22 12:22, Guy Bowdler wrote:
> hi all,
> 
> We have the following set up with two DMZ boxes, one running a single
> KeyCloak security proxy and sending requests to a local NGINX proxy
> which farms out requests to internal applications.  This should allow us
> to maintain a single namespace for all applications (<hostname>/appname
> redirects to appname.local) and gives authenticated visibility of who's
> accessing what at the front end proxy.
> 
> 
>     DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080]  ---> TRUST: [Various applications]
>                                                 ---> TRUST: [Various applications]
> 
> 
> 
> Keycloak runs on its own server and is published via an NGINX proxy in
> the DMZ
> 
> 
>     DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
> 
> 
> So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
> and then after logging in, we get an "invalid Redirect URI" error from
> Keycloak.   We've found that for some reason, the redirect URL from
> KeyCloak is appending the :8080 port value from the KeyCloak Security
> proxy (verified as if we change this port number, the value changes in
> the redirect URL).  It's like KeyCloak is redirecting back to the
> NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
> which is what we were expecting.   This is possibly by design, or
> possibly a bug, or possibly a side effect of our configuration.
> 
> Has anyone tried using the KeyCloak security proxy in this manner?  It's
> clear that the intended use is as a single instance adapter for a single
> local application, whereas our application happens to be an nginx proxy
> redirecting to different applications using location directives.
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
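
The trailing-slash behaviour described in the message above, as an added example that is not part of the original post: it resolves a page's relative links the way a browser does, with and without the trailing slash, with a base tag, and behind a model of the redirect. The asset paths and function names are made up for illustration; host.domain.tld and /sitename are the placeholders used in the post.

```javascript
// Added example. Constructed sample data: the link list below is invented.
const ORIGIN = "https://host.domain.tld";
const PREFIX = "/sitename";
const LINKS = ["css/site.css", "js/app.js", "./img/logo.png", "/sitename/api/status"];

// Resolve each link as a browser would (WHATWG URL, RFC 3986 section 5.2):
// the last path segment of the base is dropped before the reference is merged,
// so ".../sitename" and ".../sitename/" give different results.
// baseHref models <base href="..."> in the page, if one is set.
function resolveAll(pageUrl, links, baseHref) {
  const base = baseHref ? new URL(baseHref, pageUrl).href : pageUrl;
  return links.map((rel) => new URL(rel, base).pathname);
}

// Paths that fall outside the application's prefix never reach the location
// block that proxies to the application, so those requests fail.
function escaped(pageUrl, links, baseHref) {
  return resolveAll(pageUrl, links, baseHref)
    .filter((p) => !(p + "/").startsWith(PREFIX + "/"));
}

// Model of the effect the post describes for its nginx rule: a request for
// exactly /sitename is redirected to the same path with a trailing slash.
// Returns the new path, or null when the rule does not match.
function edgeRedirect(path) {
  return path === PREFIX ? PREFIX + "/" : null;
}

// What the browser ends up requesting after following the redirect (if any).
function escapedAfterRedirect(path, links) {
  const finalPath = edgeRedirect(path) ?? path;
  return escaped(ORIGIN + finalPath, links);
}

console.log("no slash      :", escaped(ORIGIN + "/sitename", LINKS));
console.log("with slash    :", escaped(ORIGIN + "/sitename/", LINKS));
console.log("base tag      :", escaped(ORIGIN + "/sitename", LINKS, "/sitename/"));
console.log("after redirect:", escapedAfterRedirect("/sitename", LINKS));
```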

