15

We have a simple requirement where: PS: https:/ === https://

When user hits https:/company_landing.company.com , they should be redirected to keycloak login page (at https:/ourcompany-keycloak.company.com). User enters his/her keycloak login credentials. Upon successful login to keycloak , they will be presented to the company_landing page.

The trouble is :

When User types - https:/company_landing.company.com

Keycloak tries to bring up the landing page but gives 500 Internal server error and says "Incorrect redirect uri" and in the browser I see this:

https:/ourcompany-keycloak.company.com/auth/realms/realm1/tokens/login?client_id=company_dev&state=aaaafffff-559d-4312-a8be-123412341234&redirect_uri=http%3A%2F%2Fcompany_landing.company.com%3A8081%2F%3Fauth_callback%3D1

If you observe the redirect uri above, I think the problem is that instead of https the redirect uri starts with http and http:/company-landing.company.com doesn't exist.

Settings: keycloak settings: -

Realm --> settings --> login : Require SSL = all Requests (tried with "external" also)

Applications-->realm1-->settings-->Redirect URI = https://company_landing.company.com/*

AWS load balancer: Port config: 443(https) forwarding to 8443

I am confused as to why it is stripping the SSL? The above works fine when testing on local environment (probably because it's http://localhost) but this always gives an invalid redirect url when trying to access any link that is ssl encrypted.

-mm

mmraj
  • Did you solve this issue? – Snake Eye Sep 28 '15 at 03:27
  • Sorry forgot to update this. I think the problem was that the AWS loadbalancer settings were incorrect. I resolved this by choosing the following for Load balancer listener settings : 443 and https for loadbalancer port and protocol AND 80 and https for instance port and protocol. – mmraj Sep 29 '15 at 17:22
  • Port 80 and HTTPS? ok, so you also installed the certificate on the instance behind the ELB? – Amir Mehler Nov 04 '15 at 15:35
  • Yes, we also initiated the certificate on the instance behind the ELB – mmraj Nov 11 '15 at 23:31
  • So you have got this working now? I'm having the same issue. I'm using nginx as loadbalancer/reverse proxy – marcusturewicz Jun 13 '17 at 09:45
  • I'm facing the same issue. Did anyone solve this issue? I'm not using SSL in the EC2 instance, and I don't want that overhead (load balancer and final instance). – Rigoni Oct 02 '17 at 17:57

2 Answers

8

You have to add the following property in the proxy configuration json file, (by default proxy.json) as an application attribute (same level as "adapter-config"):

"proxy-address-forwarding" : true,

This configuration attribute is not documented, however present in the sources of the proxy configuration: https://github.com/keycloak/keycloak/blob/master/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyConfig.java

ths
4

You don't need a certificate to be installed or use changes in adapter config.

This needs to be done in your standalone.xml, standalone-ha or domain.xml (as the case may be) as documented in the Keycloak document reverse proxy section https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy

Assuming that your reverse proxy doesn’t use port 8443 for SSL you also need to configure what port HTTPS traffic is redirected to.

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    ...
    <http-listener name="default" socket-binding="http"
        proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>

Add the redirect-socket attribute to the http-listener element. The value should be proxy-https which points to a socket binding you also need to define.

Then add a new socket-binding element to the socket-binding-group element:

<socket-binding-group name="standard-sockets" default-interface="public"
    port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>
kenlukas
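
An added example, not code from the question, either answer, or Keycloak: it decodes the `redirect_uri` from the login URL in the question, reports which parts disagree with the registered Redirect URI, and shows how the base URL changes once forwarded headers from the TLS-terminating load balancer are honoured. The helper names and the header values are hypothetical, and wildcard matching is modelled as a plain prefix match.

```python
from urllib.parse import urlsplit, parse_qs

# Login URL as shown in the question ("https:/" written out as "https://").
LOGIN_URL = (
    "https://ourcompany-keycloak.company.com/auth/realms/realm1/tokens/login"
    "?client_id=company_dev&state=aaaafffff-559d-4312-a8be-123412341234"
    "&redirect_uri=http%3A%2F%2Fcompany_landing.company.com%3A8081%2F%3Fauth_callback%3D1"
)
REGISTERED = "https://company_landing.company.com/*"  # Redirect URI from the question
DEFAULT_PORT = {"http": 80, "https": 443}

def redirect_uri_of(login_url):
    """Extract and percent-decode the redirect_uri query parameter."""
    return parse_qs(urlsplit(login_url).query)["redirect_uri"][0]

def matches(pattern, uri):
    """Simplified model (assumption): trailing '*' is a prefix match, else exact."""
    return uri.startswith(pattern[:-1]) if pattern.endswith("*") else uri == pattern

def mismatch(pattern, uri):
    """Name the URL components in which uri differs from the registered pattern."""
    p, u = urlsplit(pattern), urlsplit(uri)
    port = lambda s: s.port or DEFAULT_PORT.get(s.scheme)
    checks = [("scheme", p.scheme, u.scheme), ("host", p.hostname, u.hostname),
              ("port", port(p), port(u))]
    return [name for name, want, got in checks if want != got]

def external_base(scheme, host, port, headers, trust_forwarded):
    """Base URL the backend advertises. X-Forwarded-* is honoured only when
    trust_forwarded is set, i.e. the listener is reachable solely via the proxy;
    otherwise a client could supply these headers itself."""
    if trust_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
        port = int(headers.get("X-Forwarded-Port", port))
    suffix = "" if port == DEFAULT_PORT.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}"

# Constructed sample: headers a TLS-terminating load balancer would add.
LB_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
LOCAL = ("http", "company_landing.company.com", 8081)  # what the backend sees

if __name__ == "__main__":
    sent = redirect_uri_of(LOGIN_URL)
    print(sent, "->", mismatch(REGISTERED, sent))
    for trust in (False, True):
        uri = external_base(*LOCAL, LB_HEADERS, trust) + "/?auth_callback=1"
        print(f"trust_forwarded={trust}: {uri} valid={matches(REGISTERED, uri)}")
```
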