[keycloak-user] Reverse Proxy - SSL Termination - Invalid parameter: redirect uri

Derek Visch derek.visch at gmail.com
Mon Jul 25 10:51:11 EDT 2016


To solve the redirect-uri issue I spun up a local instance of keycloak,
exported the realm configuration with redirectUri's added for my url
(Example https://testkeycloak.hi/* ).

I added redirect uri's for the following client ID"s, client, master-realm,
and security-admin-console. After I imported the configuration to my test
instance I could not login so I had to run add-user-keycloak.sh -r master
-u admin -p pw (
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/initialization.html)


This allowed me to login, but I have another issue being that I do not see
any of the configuration options available for the master realm (It's just
a white screen ) with the key cloak header picture below.


[image: Inline image 1]



I checked the dev console in chrome and didn't see any loads failing, and
account management screen seems to work properly.


As a few other tests I ran nc -l 8080 and made sure my headers were being
sent properly which is the case.
X-Real-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Proto: https



*Nginx*:
My nginx configuration looks like this:


server {
  listen 80;
  server_name keycloak_testing.leveldatadevelopment.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name keycloak_testing.leveldatadevelopment.com;

  ssl_certificate /etc/nginx/ssl/star.blah.com.crt;
  ssl_certificate_key /etc/nginx/ssl/star.blah.com.key;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;

    proxy_pass http://172.123.123.184:8080;
  }
}


*Keycloak*:

I'm running keycloak with this command:  bin/standalone.sh -b 0.0.0.0

standalone.xml -
https://gist.github.com/visch/c9025bfc108f7c597cd1e4e263c02359

master-realm.json (Exported) -
https://gist.github.com/visch/889db21ca9efa4bcb9e1bf9f783b5602



Does anyone have any ideas for other things I should try?

I think https://issues.jboss.org/browse/KEYCLOAK-3283 is a similar issue,
but I could be wrong.



On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch <derek.visch at gmail.com> wrote:

> Trying to setup reverse SSL for keycloak. Having issues finding
> documentation about this, it's mentioned in
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html
> but the extra detail that's supposed to be in
> https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could
> not find in regards to reverse SSL proxys.
>
> Regardless I ended up following
> http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
>
> From that previous mailling list post:
>
> Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
>
> First add proxy-address-forwarding and redirect-socket to the http-listener element:
>
> <subsystem xmlns="urn:jboss:domain:undertow:1.1">
>     ...
>     <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>     ...
> </subsystem>
>
> Then add a new socket-binding element to the socket-binding-group element:
>
> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>     ...
>     <socket-binding name="proxy-https" port="443"/>
>     ...
> </socket-binding-group>
>
>
>
> but now when I go to log on to the admin console I get "We're sorry ...
> Invalid aparameter: redirect uri".
>
>
>
> Tried stack overflow / google / IRC. No luck so far.
>
> Any help would be appreciated :D
>
> Thanks
>
>
>


-- 

*Derek Visch* / Software Developer / Network Technician
dvisch at leveldata.com <bipema at leveldata.com> / Direct: 269-488-2037

*Level Data Inc.*
Office: 866.511.3282
4787 Campus Dr. | Kalamazoo, MI 49008
http://www.leveldata.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160725/e212a981/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 17764 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160725/e212a981/attachment-0001.png 


More information about the keycloak-user mailing list