[keycloak-user] Access to security-admin-console via SSL is prohibited?

dominic.michel01 at realdigital.de dominic.michel01 at realdigital.de
Wed Nov 28 06:02:09 EST 2018


Hi.

I've just deployed a keycloak which is only reachable via a haproxy that enforces SSL.
Now I'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fmyserver.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a69fd981-6daa-4cbd-a231-0907376a8338&response_mode=fragment&response_type=code&scope=openid&nonce=c8f30e79-f7a6-4cad-8ce3-c2aab81964e4

But this request ends in status 400 with the response "Invalid parameter: redirect_uri"
On a test environment without SSL it's actually working fine with an absolute uri using http. But here I cannot use http. The haproxy prevents it completely.
I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/)
which leaves me with an error in the browser because haproxy changes the call to https, but some content seems to be still embedded using http
---
Content Security Policy: The page’s settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html?version=4.6.0.final (“frame-src”).
---

So it looks like I'm effectively locked out.

Based on my current situation I have three questions.
1. Why does keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https and how can this be changed?
2. Given that the default redirect uri pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is?
3. Does anybody know what to change now (via admin cli I guess) to get access to the UI?

Thanks for your help.

Kind regards,
Dominic
real,- Digital Services GmbH, registered office: Duesseldorf
Duesseldorf District Court, HRB 75643
Managing directors: Dr. Gerald Schoenbucher, Mehmet Toezge
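
A model of the symptoms reported in the message above, added here as an illustration and not taken from the message or from Keycloak's code. It assumes a relative redirect pattern is resolved against the scheme the backend believes the request used, and that the backend sees plain HTTP behind a TLS-terminating proxy unless it honours `X-Forwarded-Proto`; the function names and the `trust_proxy_headers` switch are hypothetical.

```python
# Pattern quoted in the message as the console client's default redirect URI.
PATTERN = "/auth/admin/master/console/*"


def perceived_base(host, forwarded_proto, trust_proxy_headers):
    """Base URL as the backend sees it (assumed model, not Keycloak code).

    The hop from the TLS-terminating proxy to the backend is plain HTTP, so
    the backend believes the scheme is http unless it trusts the proxy's
    X-Forwarded-Proto header.
    """
    scheme = forwarded_proto if (trust_proxy_headers and forwarded_proto) else "http"
    return f"{scheme}://{host}"


def redirect_allowed(redirect_uri, pattern, base):
    """Resolve a relative pattern against base, then exact or prefix match."""
    absolute = base + pattern if pattern.startswith("/") else pattern
    if absolute.endswith("*"):
        return redirect_uri.startswith(absolute[:-1])
    return redirect_uri == absolute


def diagnose(host, redirect_uri, trust_proxy_headers, forwarded_proto="https"):
    """Report the perceived base URL and whether redirect_uri would pass."""
    base = perceived_base(host, forwarded_proto, trust_proxy_headers)
    return {
        "perceived_base": base,
        "allowed": redirect_allowed(redirect_uri, PATTERN, base),
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the host and paths in the message.
    host = "myserver.com"
    for trust in (False, True):
        for scheme in ("https", "http"):
            uri = f"{scheme}://{host}/auth/admin/master/console/"
            print(f"trust_proxy_headers={trust} {uri} ->", diagnose(host, uri, trust))
```

With `trust_proxy_headers=False` the model reproduces both observations: the `https` redirect_uri is rejected while the `http` one passes, and any URL built from the perceived base comes out as `http://`, which is what the browser's CSP then blocks.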