[keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)

Gabriel Lavoie glavoie at gmail.com
Wed Nov 30 11:33:45 EST 2016

Hi Andrew,
     The answer is "it depends". When generating tokens or metadata,
Keycloak uses the scheme://hostname:port/ that was used to access it to
fill the different issuers/URLs. The same values must match in the client
JSON file so the client can validate the source of the token.

At the client level, this could be handled by having a custom translation
step over the configuration that accept both schemes and match it to the
issuer, not something that Keycloak seems to support natively last time I

Doing SSO through multiple aliases always has this sort of issues. This is
usually something that should be avoided. Can you keep Keycloak HTTPs and
your application HTTP in your internal network?


2016-11-25 8:08 GMT-05:00 Andrey Saroul <andrey.saroul at gmail.com>:

> We have an idea to isolate our application in our internal network so that
> all communication in that network can go by HTTP.
> So we've set up a public nginx server, witch is responsible for
> establishing https connections.
> Public nginx server forwards requests to another nginx server in secured
> internal network, witch is in turn accesses Keycloak and WildFly by HTTP.
> But this configuration is not working because of invalid redirect issue.
> In our client's json file we have to define auth-server-url with HTTPS
> scheme. When we try to specify HTTP Keycloak no longer works.
> So my question: is it possible to make things work by HTTP in internal
> private network and HTTPS only remain for public access.
> Any guidance will be appreciated.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Gabriel Lavoie
glavoie at gmail.com

More information about the keycloak-user mailing list