[keycloak-user] Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy

Chris Pitman cpitman at redhat.com
Wed Jun 22 20:59:08 EDT 2016


Hey Guy,

I also use KeyCloak Proxy, pointing to many port numbers that would blow up if they were included in redirect URLs. I haven't had any problems, so I'm thinking this may be an issue with your proxy configuration file. Can you share what that looks like?

Chris Pitman
Architect, Red Hat Consulting

----- Original Message -----
> hi all,
> 
> We have the following set up with two DMZ boxes, one running a single
> KeyCloak security proxy and sending requests to a local NGINX proxy
> which farms out requests to internal applications.  This should allow us
> to maintain a single namespace for all applications (<hostname>/appname
> redirects to appname.local) and gives authenticated visibility of who's
> accessing what at the front end proxy.
> 
> 
>     DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080]  ---> TRUST: [Various applications]
>                                                 ---> TRUST: [Various applications]
> 
> 
> 
> Keycloak runs on its own server and is published via an NGINX proxy in
> the DMZ
> 
> 
>     DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
> 
> 
> So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
> and then after logging in, we get an "invalid Redirect URI" error from
> Keycloak.   We've found that for some reason, the redirect URL from
> KeyCloak is appending the :8080 port value from the KeyCloak Security
> proxy (verified as if we change this port number, the value changes in
> the redirect URL).  It's like KeyCloak is redirecting back to the
> NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
> which is what we were expecting.   This is possibly by design, or
> possibly a bug, or possibly a side effect of our configuration.
> 
> Has anyone tried using the KeyCloak security proxy in this manner?  It's
> clear that the intended use is as a single instance adapter for a single
> local application, whereas our application happens to be an nginx proxy
> redirecting to different applications using location directives.
> 
> 
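
An added example, not part of either message and not Keycloak or proxy code: a small diagnostic that pulls the `redirect_uri` out of a captured login redirect, compares its scheme, host and port with the public URL users are meant to see, and checks it against the client's registered redirect URIs. The matching rule (exact match, or prefix match when the pattern ends in `*`) is a simplified model assumed for illustration, and the hostnames, realm and client id are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, effective port) for a URL."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def matches_registered(redirect_uri, patterns):
    """Assumed simplified rule: exact match, or prefix match if pattern ends in '*'."""
    base = redirect_uri.split("?", 1)[0]
    for p in patterns:
        if p.endswith("*"):
            if base.startswith(p[:-1]):
                return True
        elif base == p:
            return True
    return False

def diagnose(auth_request_url, public_url, registered):
    """Report how the redirect_uri in a login redirect differs from the public URL."""
    query = parse_qs(urlsplit(auth_request_url).query)
    redirect_uri = query["redirect_uri"][0]
    findings = []
    sent, expected = origin(redirect_uri), origin(public_url)
    for name, got, want in zip(("scheme", "host", "port"), sent, expected):
        if got != want:
            findings.append(f"{name}: adapter sent {got!r}, public URL has {want!r}")
    return {
        "redirect_uri": redirect_uri,
        "accepted": matches_registered(redirect_uri, registered),
        "findings": findings,
    }

# Constructed sample of the redirect the browser receives from the security proxy.
SAMPLE = ("http://sso.example.test/auth/realms/demo/protocol/openid-connect/auth"
          "?response_type=code&client_id=secproxy"
          "&redirect_uri=http%3A%2F%2Fapps.example.test%3A8080%2Fappname%2F&state=xyz")
REGISTERED = ["http://apps.example.test/*"]  # constructed client setting

if __name__ == "__main__":
    print(diagnose(SAMPLE, "http://apps.example.test/", REGISTERED))
```

Keeping the registered pattern tied to the public origin, rather than widening it to accept the internal port, keeps the client's redirect allow-list narrow while the proxy configuration is corrected.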

