[keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP?

Todd A. Mancini todd at toddmancini.com
Mon Mar 18 07:18:56 EDT 2019


Figured it out -- needed to set PROXY_ADDRESS_FORWARDING to true on my Keycloak container.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Todd A. Mancini
Sent: Sunday, March 17, 2019 8:28 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP?

Loving Keycloak (amazing work) and hoping I'm just missing something obvious. I've got a GitHub identity provider and all is working well except for one thing. My Keycloak server is on HTTP, sitting behind a reverse proxy handling all of the TLS goodness. When I look at the GitHub Identity Provider, it shows http://keycloak/auth/realms/myrealm/broker/github/endpoint. My app server is available at https://example.com, even though it, too, is actually only running HTTP and the rev proxy is doing the TLS. For the most part, everything works as expected. (FYI, the reverse proxy forwards all traffic to https://example.com/auth to http://keycloak/auth.)

The one thing not working 100% properly is the redirect uri sent to GitHub. It's HTTP, not HTTPS.

It is correctly getting the new host name (e.g. it becomes http://example.com/auth/realms/myrealm/broker/github/endpoint), but even though my browser is hitting https://example.com, the redirect uri sent to GitHub is HTTP. GitHub complains that it's not the right redirect url, because on GitHub I've set it to https://example.com/auth/realms/myrealm/broker/github/endpoint. If I change the OAuth redirect URL on GitHub to expect HTTP instead of HTTPS, everything works...except that I'm now doing the final handshake over HTTP. (The rev proxy actually forces a redirect to HTTPS, but, by that point, the damage has been done.)

So my question is, how can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? How is KC even deciding to use HTTP v HTTPS? I've tried requiring SSL on the Realm login settings, but that did not seem to impact the generation of the Redirect URI.

                Many thanks!
                -Todd
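
An added example, not part of the original thread and not Keycloak code: a check that reads the redirect Keycloak sends the browser to GitHub and reports whether its redirect_uri is HTTPS and matches the callback registered on GitHub. It assumes the reverse proxy sends X-Forwarded-Proto, which PROXY_ADDRESS_FORWARDING=true makes the server honor; the function names and the sample Location values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: Location header of the redirect to GitHub, as in the post.
# state and client_id are placeholders.
CALLBACK_PATH = "%2Fauth%2Frealms%2Fmyrealm%2Fbroker%2Fgithub%2Fendpoint"
BEFORE = ("https://github.com/login/oauth/authorize?response_type=code"
          "&client_id=PLACEHOLDER&state=PLACEHOLDER"
          "&redirect_uri=http%3A%2F%2Fexample.com" + CALLBACK_PATH)
AFTER = BEFORE.replace("redirect_uri=http%3A", "redirect_uri=https%3A")
REGISTERED = "https://example.com/auth/realms/myrealm/broker/github/endpoint"


def effective_scheme(listener_scheme, headers, trust_forwarded):
    """Simplified model (assumption): forwarded headers count only when trusted."""
    forwarded = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-proto")
    if trust_forwarded and forwarded:
        return forwarded.split(",")[0].strip().lower()
    return listener_scheme


def check_redirect_uri(location, registered):
    """Return the problems found in the redirect_uri of an authorization URL."""
    values = parse_qs(urlsplit(location).query).get("redirect_uri", [])
    if len(values) != 1:
        return ["expected one redirect_uri, found %d" % len(values)]
    sent, want = urlsplit(values[0]), urlsplit(registered)
    problems = []
    if sent.scheme != "https":
        problems.append("scheme is %s, not https" % sent.scheme)
    if (sent.hostname, sent.port, sent.path) != (want.hostname, want.port, want.path):
        problems.append("host, port or path differs from the registered callback")
    return problems


if __name__ == "__main__":
    for name, url in (("before", BEFORE), ("after", AFTER)):
        print(name, check_redirect_uri(url, REGISTERED) or "ok")
```

Forwarded headers should be trusted only when the Keycloak listener is reachable solely through the proxy, since any client that can reach it directly can set X-Forwarded-Proto itself.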