[keycloak-user] Redirect issue with HTTPS and Proxy

[Yang Yang]

Hello,

I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got an redirect issue. Could you help to shed some light?

1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet.
2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a, following guide here <https://www.keycloak.org/docs/6.0/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server> 
...
            <security-realm name="UndertowRealm">
                <server-identities>
                    <ssl>
                        <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
                    </ssl>
                </server-identities>
            </security-realm>
…
<server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
...
3. my nginx configuration for keycloak is as below:
…
    server {
        listen       8443 ssl;
...
location /auth/ {
            proxy_pass https://local_ip_a:8443/auth/;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
        }
…
4. I set the fixed provide following this <https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admin/topics/threat/host.adoc>:
            <spi name="hostname">
                <default-provider>request</default-provider>
                <provider name="fixed" enabled="true">
                    <properties>
                        <property name="hostname" value="public_ip_b"/>
                        <property name="httpPort" value="-1"/>
                        <property name="httpsPort" value="-1"/>
                    </properties>
                </provider>
            </spi>
5. I was able to get the keycloak welcome page at https://public_ip_b:8443/auth/, but when accessing https://public_ip_b:8443/auth/admin, I was redirected to https://public_ip_b:8443/auth/admin/master/console/ and then to the following address:
https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fpublic_ip_b%3A8443%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=c0047434-9a34-4fee-8b18-ae9f2c696683&response_mode=fragment&response_type=code&scope=openid&nonce=c5fb0f27-2a0a-4248-9833-6655f9c29f7e
6. The keycloak message tells:
22:19:44,848 WARN  [org.keycloak.events] (default task-16) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress= local_ip_b, error=invalid_redirect_uri, redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
7. I tried to add https://public_ip_b:8443/auth/* to security-admin-console setting, but got no luck…