[keycloak-user] Redirect issue with HTTPS and Proxy
Yang Yang
yy8402 at icloud.com
Mon Jul 15 23:23:23 EDT 2019
Hello,
I found a mistake in my configuration below and have solved it.
In #4, the default-provider should be "fixed".
Thanks for your time.
Thanks,
Yang
> On Jul 15, 2019, at 23:03, Yang Yang <yy8402 at icloud.com> wrote:
>
> Hello,
>
> I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got a redirect issue. Could you help to shed some light?
>
> 1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet.
> 2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a, following the guide here <https://www.keycloak.org/docs/6.0/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server>
> ...
> <security-realm name="UndertowRealm">
>   <server-identities>
>     <ssl>
>       <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
>     </ssl>
>   </server-identities>
> </security-realm>
> …
> <server name="default-server">
>   <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
>   <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
>   <host name="default-host" alias="localhost">
>     <location name="/" handler="welcome-content"/>
>     <http-invoker security-realm="ApplicationRealm"/>
>   </host>
> </server>
> ...
> 3. my nginx configuration for keycloak is as below:
> …
> server {
>   listen 8443 ssl;
>   ...
>   location /auth/ {
>     proxy_pass https://local_ip_a:8443/auth/;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto $scheme;
>   }
> …
> 4. I set the fixed provider following this <https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admin/topics/threat/host.adoc>:
> <spi name="hostname">
>   <default-provider>request</default-provider>
>   <provider name="fixed" enabled="true">
>     <properties>
>       <property name="hostname" value="public_ip_b"/>
>       <property name="httpPort" value="-1"/>
>       <property name="httpsPort" value="-1"/>
>     </properties>
>   </provider>
> </spi>
> 5. I was able to get the keycloak welcome page at https://public_ip_b:8443/auth/, but when accessing https://public_ip_b:8443/auth/admin, I was redirected to https://public_ip_b:8443/auth/admin/master/console/ and then to the following address:
> https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fpublic_ip_b%3A8443%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=c0047434-9a34-4fee-8b18-ae9f2c696683&response_mode=fragment&response_type=code&scope=openid&nonce=c5fb0f27-2a0a-4248-9833-6655f9c29f7e
> 6. The keycloak log message says:
> 22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=local_ip_b, error=invalid_redirect_uri, redirect_uri=https://public_ip_b:8443/auth/admin/master/console/
> 7. I tried to add https://public_ip_b:8443/auth/* to the security-admin-console setting, but got no luck…
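The quoted thread hinges on which hostname provider Keycloak uses to build its own URLs behind the proxy: with the `request` provider it trusts the Host header nginx sends upstream (local_ip_a), with `fixed` it uses the configured public hostname. The following is an added example, not code from the poster, from Keycloak or from nginx: a small Python model of that choice, a parser for `org.keycloak.events` WARN lines like the one in step 6, and a redirect_uri matcher for registered URIs with a trailing `*`. The resolution rules, the treatment of port -1 as "keep the port the request arrived on", the `PROXIED_REQUEST` headers and the sample log line are assumptions constructed for illustration, not Keycloak's implementation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the WARN line from step 6 of the quoted message.
SAMPLE_EVENT = ("22:19:44,848 WARN [org.keycloak.events] (default task-16) "
                "type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, "
                "userId=null, ipAddress=local_ip_b, error=invalid_redirect_uri, "
                "redirect_uri=https://public_ip_b:8443/auth/admin/master/console/")

_EVENT_RE = re.compile(r"\[org\.keycloak\.events\].*?\)\s+(?P<fields>.*)$")


def parse_event(line):
    """Turn an org.keycloak.events log line into a dict of its key=value fields.
    Returns None for lines that are not Keycloak event lines."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition("=")   # split on the first '=' only
        fields[key.strip()] = value.strip()
    return fields


def resolve_frontend(provider, fixed_props, request):
    """Simplified model (assumption, not Keycloak's code) of the hostname SPI:
    the scheme/host/port the server uses for the URLs it hands to browsers.
    'request' trusts the incoming request; 'fixed' uses configured values.
    A configured port of -1 is modelled as keeping the request's port."""
    if provider == "request":
        scheme = request.get("X-Forwarded-Proto", request["scheme"])
        host, _, port = request["Host"].partition(":")
        return scheme, host, port or request["port"]
    if provider == "fixed":
        port = fixed_props.get("httpsPort", "-1")
        if port == "-1":
            port = request["port"]
        return "https", fixed_props["hostname"], port
    raise ValueError(f"unknown hostname provider: {provider}")


def auth_endpoint(provider, fixed_props, request, realm="master"):
    """The OpenID Connect authorization endpoint the server would redirect to."""
    scheme, host, port = resolve_frontend(provider, fixed_props, request)
    return f"{scheme}://{host}:{port}/auth/realms/{realm}/protocol/openid-connect/auth"


def redirect_uri_allowed(redirect_uri, registered):
    """Match redirect_uri against registered URIs: a trailing '*' is a prefix
    wildcard, anything else must match exactly (model of the usual rule)."""
    for pattern in registered:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


# Constructed: what the backend sees after nginx proxies a browser request for
# https://public_ip_b:8443/auth/admin. proxy_pass sends the upstream address as
# Host; only the X-Forwarded-* headers carry the client-facing scheme.
PROXIED_REQUEST = {"scheme": "https", "port": "8443", "Host": "local_ip_a:8443",
                   "X-Forwarded-Proto": "https", "X-Forwarded-For": "client_ip"}
FIXED = {"hostname": "public_ip_b", "httpPort": "-1", "httpsPort": "-1"}


def check_setup(provider, expected_public_host="public_ip_b"):
    """True when the auth endpoint the server would emit points at the public
    hostname rather than at the backend address (the symptom in step 5)."""
    host = urlsplit(auth_endpoint(provider, FIXED, PROXIED_REQUEST)).hostname
    return host == expected_public_host


if __name__ == "__main__":
    for provider in ("request", "fixed"):
        print(provider, auth_endpoint(provider, FIXED, PROXIED_REQUEST), check_setup(provider))
    ev = parse_event(SAMPLE_EVENT)
    print(ev["error"], ev["redirect_uri"],
          redirect_uri_allowed(ev["redirect_uri"], ["https://public_ip_b:8443/auth/*"]))
```

Running the block shows the `request` provider producing an endpoint on local_ip_a and the `fixed` provider producing one on public_ip_b, which is the behaviour the poster's own fix (switching default-provider to fixed) relies on; the event parser is the kind of check that lets `error=invalid_redirect_uri` events be counted per clientId instead of read by eye.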