[keycloak-user] Keycloak Securty Proxy redirects to http

Daniel Bachler keycloak at danyx.com
Thu Nov 10 13:20:34 EST 2016


I am having trouble with the Keycloak Securty Proxy. I want to secure a
jupyter notebook with it. When I go to the https enabled url where it is
available (behind the Keycloak Security Proxy), I get redirected to the
Keycloak login screen, but when I submit my details there it tries to
redirect me to the http version of the endpoint and dies.

Here are more details of my setup: The entire setup is hosted in a
Kubernetes cluster, with Traefik acting as a reverse proxy / ingress
controller. Traefik is configured to automatically generate SSL
certificates using Let's Encrypt for all publicly availble services and
handle the SSL termination. All traffic inside the cluster uses plain http.

Inside the cluster is one container that runs the Keycloak server, one that
runs the jupyter notebook and one for the Keycloak Security Proxy.

When I remove the constraints patterns in the config below and just let
traffic through, the https flow works and I can access the site through the
security proxy (but without seeing a login mask at any point of course). It
is only when I enable the authentication workflow that it fails by
redirecting to http.

I don't need authorization / user management for my jupyter notebook, I
just need to make sure that the user logged in successfully, so if there is
another way to configure this that would work in this case that would also
be fine.

Here is my Keycloak Security Proxy config. Please let me know if any other
information would be helpful to debug this situation. Thanks!

  "target-url": "http://jupyter-service:8888/",
  "send-access-token": true,
  "bind-address": "",
  "http-port": "8080",
  "applications": [
      "base-path": "/",
      "adapter-config": {
        "realm": "Testrealm",
        "auth-server-url": "https://OMITTED/auth",
        "ssl-required": "external",
        "resource": "jupyter",
        "public-client": true
      "constraints": [
          "pattern": "/*",
          "roles-allowed": [


More information about the keycloak-user mailing list