[keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP?

Todd A. Mancini todd at toddmancini.com
Sun Mar 17 20:28:21 EDT 2019


Loving Keycloak (amazing work) and hoping I'm just missing something obvious. I've got a GitHub identity provider and all is working well except for one thing. My Keycloak server is on HTTP, sitting behind a reverse proxy handling all of the TLS goodness. When I look at the GitHub Identity Provider, it shows http://keycloak/auth/realms/myrealm/broker/github/endpoint. My app server is available at https://example.com, even though it, too, is actually only running HTTP and the rev proxy is doing the TLS. For the most part, everything works as expected. (FYI, the reverse proxy forwards all traffic for https://example.com/auth to http://keycloak/auth.)

The one thing not working 100% properly is the redirect URI sent to GitHub. It's HTTP, not HTTPS.

It is correctly getting the new host name (e.g. it becomes http://example.com/auth/realms/myrealm/broker/github/endpoint), but even though my browser is hitting https://example.com, the redirect URI sent to GitHub is HTTP. GitHub complains that it's not the right redirect URL, because on GitHub I've set it to https://example.com/auth/realms/myrealm/broker/github/endpoint. If I change the OAuth redirect URL on GitHub to expect HTTP instead of HTTPS, everything works... except that I'm now doing the final handshake over HTTP. (The rev proxy actually forces a redirect to HTTPS, but, by that point, the damage has been done.)

So my question is, how can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? How is KC even deciding to use HTTP vs. HTTPS? I've tried requiring SSL on the Realm login settings, but that did not seem to impact the generation of the Redirect URI.

                Many thanks!
                -Todd
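
The symptom in the post (correct host, wrong scheme) is what a backend behind a TLS-terminating proxy produces when it takes the host from the forwarded `Host` header but the scheme from its own plain-HTTP listener. The sketch below is an added example, not part of the original post and not Keycloak's code: it models that derivation and checks the resulting `redirect_uri` against the callback registered on GitHub. The function names and the client id are hypothetical, and it assumes the proxy sets `X-Forwarded-Proto`.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

BROKER_PATH = "/auth/realms/myrealm/broker/github/endpoint"  # path from the post
REGISTERED = "https://example.com" + BROKER_PATH  # callback registered on GitHub


def external_base(conn_scheme, headers, trust_forwarded):
    """Origin a backend would advertise for itself (illustrative model only).

    The Host header already carries the public name, so the host comes out
    right either way. The scheme is that of the proxy-to-backend hop unless
    the backend is told to honor X-Forwarded-Proto.
    """
    scheme = conn_scheme
    if trust_forwarded:
        # Only safe when the proxy overwrites any client-supplied copy.
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return f"{scheme}://{headers['Host']}"


def authorize_url(base):
    """Build the redirect to GitHub with a constructed client_id."""
    query = urlencode({"client_id": "CONSTRUCTED_CLIENT_ID",
                       "redirect_uri": base + BROKER_PATH})
    return "https://github.com/login/oauth/authorize?" + query


def check_redirect_uri(auth_url, registered=REGISTERED):
    """List the ways redirect_uri in auth_url differs from the registered one."""
    sent = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [""])[0]
    s, r = urlsplit(sent), urlsplit(registered)
    problems = []
    for part in ("scheme", "netloc", "path"):
        got, want = getattr(s, part), getattr(r, part)
        if got != want:
            problems.append(f"{part}: sent {got!r}, registered {want!r}")
    return problems


if __name__ == "__main__":
    hdrs = {"Host": "example.com", "X-Forwarded-Proto": "https"}  # constructed
    for trust in (False, True):
        url = authorize_url(external_base("http", hdrs, trust))
        print(trust, check_redirect_uri(url) or "matches registered callback")
```

Running `check_redirect_uri` on the `Location` header of the real redirect to GitHub shows directly which component of the callback is wrong.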

