
List:       keycloak-user
Subject:    [keycloak-user] Invalid parameter: redirect_uri behind reverse proxy
From:       corentin.dupont () gmail ! com (Corentin Dupont)
Date:       2018-09-26 9:07:02
Message-ID: CAEyhvmpZmg4-kY4+OWdizNWEHt1Opo+dF6VqFFZLcZJsb-TxFw () mail ! gmail ! com

Fantastic, it works.
I was using nginx proxy:

proxy_set_header X-Forwarded-Proto $scheme;

However, I'm using two layers of proxy: one for load balancing, one for
micro-services.
So when hitting my second proxy, the HTTPS is lost.
It's solved by forcing HTTPS:

proxy_set_header X-Forwarded-Proto https;

Thanks again.



On Wed, Sep 26, 2018 at 10:13 AM, Henning Waack <
henning.waack at codecentric.de> wrote:

> One thing I see is that your X-Forwarded-Proto header is wrong, it should
> be https and not http. Please take a look at the documentation at
> https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses
> for how to configure your reverse-proxy.
> Also make sure that you have set "proxy-address-forwarding=true" in your
> standalone.xml configuration of Wildfly.
> 
> Greetings
> 
> Henning
> 
> On Tue, 25 Sep 2018 at 18:37, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
> 
> > Hello,
> > When opening the admin console: https://keycloak.mysite.com/auth/admin/.
> > 
> > The page is redirecting to:
> > https://keycloak.mysite.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fkeycloak.mysite.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=580747dc-8471-40be-8d9c-e63af68cf605&response_mode=fragment&response_type=code&scope=openid&nonce=28c85baa-6c76-44d9-8f4a-796a58d29383
> > 
> > But I get this message:
> > Invalid parameter: redirect_uri
> > 
> > It seems that keycloak doesn't like the https in the redirect. Can it be?
> > 
> > 
> > My Keycloak is behind a reverse proxy.
> > I set up the following tags in standalone.xml:
> > 
> > <http-listener name="default" socket-binding="http" enable-http2="true"
> > proxy-address-forwarding="true" redirect-socket="proxy-https"/>
> > <socket-binding name="proxy-https" port="443"/>
> > 
> > My reverse proxy is also setting headers: Host, X-Real-IP,
> > X-Forwarded-For, X-Forwarded-Proto.
> > 
> > Using tcpdump, I can see the following headers:
> > GET /auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/fonts/OpenSans-Light-webfont.woff2 HTTP/1.0
> > Host: keycloak.staging.waziup.io
> > X-Real-IP: 18.195.197.182
> > X-Forwarded-For: 217.77.82.229, 18.195.197.182
> > X-Forwarded-Proto: http
> > Connection: close
> > User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
> > Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: identity
> > Referer: https://keycloak.staging.waziup.io/auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly.css
> > Cookie: _ga=GA1.2.823033289.1537866165; _gid=GA1.2.861449812.1537866165
> > Pragma: no-cache
> > Cache-Control: no-cache
> > 
> > Are they correct?
> > Thanks a lot
> > Corentin
> > 
> 
> 
> --
> 
> 
> -----------
> 
> Henning Waack | IT Consultant
> 
> 
> 
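
The two-layer setup discussed in this thread, as an added configuration example that is not part of the original messages: the edge proxy states the scheme it actually saw, and the inner proxy keeps that value only when the request arrives from the edge, instead of recomputing it from its own plain-HTTP listener. Hostnames, upstream addresses, certificate paths and the 10.0.0.0/8 proxy network are assumptions.

```nginx
# Constructed example: every hostname, address and path below is a placeholder.
# Both parts live in the http{} context of their respective nginx instance.

# ---- Edge proxy (layer 1: TLS termination / load balancing) ----
server {
    listen 443 ssl;
    server_name keycloak.example.test;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # $scheme is "https" on this listener; setting the header here
        # overwrites whatever X-Forwarded-Proto the client sent.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.0.1.10:80;    # inner proxy (assumed address)
    }
}

# ---- Inner proxy (layer 2: micro-service routing) ----
# $from_edge is 1 only when the TCP peer is inside the edge proxy network.
geo $from_edge {
    default     0;
    10.0.0.0/8  1;
}

# Keep the edge's "https" only for trusted peers; anything else falls back
# to the scheme this hop really saw.
map "$from_edge:$http_x_forwarded_proto" $fwd_proto {
    default    $scheme;
    "1:https"  https;
}

server {
    listen 80;
    server_name keycloak.example.test;

    location /auth/ {
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Weak on this hop: $scheme is "http" because TLS ended at the edge.
        # proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto $fwd_proto;
        proxy_pass http://10.0.2.20:8080;  # Keycloak (assumed address)
    }
}
```

Hard-coding `https` on the inner proxy, as in the reply above, gives the same header value when that proxy is reachable only through the TLS-terminating edge; the mapped variable additionally avoids claiming HTTPS for requests that reach it some other way.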

