[keycloak-user] Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy

[Guy Bowdler]

hi all,

We have the following set up with two DMZ boxes, one running a single 
KeyCloak security proxy and sending requests to a local NGINX proxy 
which farms out requests to internal applications.  This should allow us 
to maintain a single namespace for all applications (<hostname>/appname 
redirects to appname.local) and gives authenticated visibility of who's 
accessing what at the front end proxy.


    DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080]  ---> TRUST: [Various 
applications]
                                                ---> TRUST: [Various 
applications]



Keycloak runs on its own server and is published via an NGINX proxy in 
the DMZ


    DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]


So clients hit the KeyCloak security Proxy, are redirected to KeyCloak 
and then after logging in, we get an "invalid Redirect URI" error from 
Keycloak.   We've found that for some reason, the redirect URL from 
KeyCloak is appending the :8080 port value from the KeyCloak Security 
proxy (verified as if we change this port number, the value changes in 
the redirect URL).  It's like KeyCloak is redirecting back to the 
NGINX:8080 proxy direct rather than back to the KeyCloak security proxy, 
which is what we were expecting.   This is possibly by design, or 
possibly a bug, or possibly a side effect of our configuration.

Has anyone tried using the KeyCloak security proxy in this manner?  It's 
clear that the intended use is as a single instance adapter for a single 
local application, whereas our application happens to be an nginx proxy 
redirecting to different applications using location directives.