[keycloak-user] Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy
Chris Pitman
cpitman at redhat.com
Wed Jun 22 20:59:08 EDT 2016
Hey Guy,
I also use KeyCloak Proxy, pointing to many port numbers that would blow up if they were included in redirect URLs. I haven't had any problems, so I'm thinking this may be an issue with your proxy configuration file. Can you share what that looks like?
Chris Pitman
Architect, Red Hat Consulting
----- Original Message -----
> hi all,
>
> We have the following set up with two DMZ boxes, one running a single
> KeyCloak security proxy and sending requests to a local NGINX proxy
> which farms out requests to internal applications. This should allow us
> to maintain a single namespace for all applications (<hostname>/appname
> redirects to appname.local) and gives authenticated visibility of who's
> accessing what at the front end proxy.
>
>
> DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various applications]
>                                            ---> TRUST: [Various applications]
>
>
>
> Keycloak runs on its own server and is published via an NGINX proxy in
> the DMZ
>
>
> DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
>
>
> So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
> and then after logging in, we get an "invalid Redirect URI" error from
> Keycloak. We've found that for some reason, the redirect URL from
> KeyCloak is appending the :8080 port value from the KeyCloak Security
> proxy (verified as if we change this port number, the value changes in
> the redirect URL). It's like KeyCloak is redirecting back to the
> NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
> which is what we were expecting. This is possibly by design, or
> possibly a bug, or possibly a side effect of our configuration.
>
> Has anyone tried using the KeyCloak security proxy in this manner? It's
> clear that the intended use is as a single instance adapter for a single
> local application, whereas our application happens to be an nginx proxy
> redirecting to different applications using location directives.
>
>
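A diagnostic for the symptom described in the quoted message, as an added example that is not part of either post or of Keycloak's code: it extracts the `redirect_uri` parameter from the login redirect issued by the security proxy and reports which part of it differs from the public URL clients use. The hostnames, realm, client ID and registered pattern are constructed, and the matching rule (exact match, or prefix match for a pattern ending in `*`) is a simplified assumption about how registered redirect URIs are compared.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: login redirect issued by the security proxy
# (hostnames, realm and client ID are made up for illustration).
SAMPLE_LOGIN_REDIRECT = (
    "https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth"
    "?response_type=code&client_id=front-proxy"
    "&redirect_uri=http%3A%2F%2Fapps.example.com%3A8080%2Fappname%2F&state=abc"
)
# Constructed sample: the redirect URI pattern assumed to be registered for the client.
REGISTERED = ["http://apps.example.com/*"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for a URL."""
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme)


def matches(redirect_uri, pattern):
    """Simplified model (assumption): exact match, or prefix match if pattern ends in '*'."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def diagnose(login_redirect, registered, public_base):
    """Pull redirect_uri out of a login redirect and say how it differs from public_base."""
    query = parse_qs(urlsplit(login_redirect).query)
    redirect_uri = query["redirect_uri"][0]  # parse_qs has already percent-decoded it
    accepted = any(matches(redirect_uri, p) for p in registered)
    got, want = origin(redirect_uri), origin(public_base)
    differs = [name for name, g, w in zip(("scheme", "host", "port"), got, want) if g != w]
    return {"redirect_uri": redirect_uri, "accepted": accepted, "differs_in": differs}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOGIN_REDIRECT, REGISTERED, "http://apps.example.com/"))
```

A result with `differs_in` equal to `["port"]` points at the host and port the proxy chain reports upstream rather than at the registered pattern, which is the place to look before widening the list of accepted redirect URIs.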