
I've got my Keycloak server deployed on AWS EC2 behind a reverse proxy, and my frontend client (a Spring Boot app) sits on a different EC2.

Now I get an Invalid redirect_uri error, although it works when the front client is on localhost and Keycloak on AWS, i.e.

Keycloak is reachable under: http://api.my-kc.site/

Valid Redirect URIs: http://localhost:8012/* and /login/* WORKS

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=http%3A%2F%2Flocalhost%3A8012%2Fsso%2Flogin&state=53185486-ef52-44a7-8304-ac4cfeb575ee&login=true&scope=openid

Valid Redirect URIs: http://awspublicip:80/* and /login/* does NOT work. I also tried the suggestion not to specify the port, i.e. http://awspublicip/*, but still this doesn't work :/

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin&state=8bbb01e7-ad4d-4ee1-83fa-efb7f05397cc&login=true&scope=openid

Does anyone have an idea? I've been looking at all the Invalid redirect_uri posts, but nothing seems to add up.

It seems Keycloak generates different redirect URIs for the query when the initiator of the request is not localhost. Does someone know how to avoid this?

[Screenshot: localhost]

[Screenshot: public dns]

  • What do you mean with `does not work`? Have a look at keycloak logs, do you get anything displayed? – Aritz Jul 11 '18 at 08:27
  • 08:37:31,385 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=WebApps, clientId=product-app, userId=null, ipAddress=84.59.129.188, error=invalid_redirect_uri, redirect_uri=https://api.my-kc-webapp.site:0/sso/login – Indranil Ariunbold Jul 11 '18 at 08:39
  • It seems like you don't have KC properly set up to work with a reverse proxy. Have you followed the steps for that? – Aritz Jul 11 '18 at 08:46
  • Thanks! I'll check my configuration again – Indranil Ariunbold Jul 11 '18 at 08:59
  • @IndranilAriunbold did you figure this out? I'm having the same issue. Did you notice, the redirect_uri has port 0 in it. "invalid_redirect_uri, redirect_uri=api.my-kc-webapp.site:0/" <-- Is that ok? I've been trying to track down where that's breaking down for me too. – Dean Poulin Oct 05 '18 at 06:36

3 Answers

I was having the same exact problem. My Spring Boot app sits behind nginx. I updated nginx to pass through the X-Forwarded headers and updated the Spring Boot config with

Spring Boot YAML config:

server:
  use-forward-headers: true   # honour the X-Forwarded-* headers set by nginx

keycloak:
  realm: myrealm
  public-client: true
  resource: myclient
  auth-server-url: https://sso.example.com:443/auth
  ssl-required: external
  confidential-port: 443      # port the adapter uses when building the https redirect_uri

nginx config:

upstream app {
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
   server 1.2.3.5:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;

        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://app;
    }
}

The specific change that made it work for me was adding keycloak.confidential-port. Once I added that, it was no longer adding port 0 in the redirect_uri.

The only setting I have in Keycloak > Configure > Realm > Clients > my-client is Valid Redirect URIs set to: https://www.example.com/*

Hope that helps. It took me hours to track this down and get it working.

Dean Poulin
  • Thanks, for me `proxy_set_header X-Forwarded-Port 443;` really did the trick! (I use port `6005`, though). Thank you. – Samuel Jul 09 '22 at 12:04
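To make the failure mode in this thread concrete, here is an added Python model (not Keycloak, Spring or nginx code) of how a proxied app rebuilds its external URL from the X-Forwarded-* headers and how Keycloak then compares the resulting redirect_uri against the client's Valid Redirect URIs. The matching rule (exact match, or prefix match for patterns ending in `*`), the `/sso/login` callback path and the header values are assumptions modelled on the question and the nginx config above; default-port dropping mirrors Spring's UriComponentsBuilder.

```python
DEFAULT_PORTS = {"http": 80, "https": 443}
CALLBACK_PATH = "/sso/login"  # adapter callback path from the question (assumed)

def external_base_url(headers, use_forward_headers):
    """Rebuild the client-facing base URL (scheme://host[:port]) as the app sees it.

    Without forwarded-header support the app only knows the proxy hop: plain
    http and whatever Host the proxy sent. With it, the X-Forwarded-* values
    win. Default ports are dropped, as Spring's UriComponentsBuilder does."""
    scheme = "http"
    host, _, port = headers["Host"].partition(":")
    if use_forward_headers:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host).partition(":")[0]
        port = headers.get("X-Forwarded-Port", port)
    if not port or int(port) == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def redirect_uri_allowed(redirect_uri, valid_patterns):
    """Simplified Keycloak rule (assumption): exact match, or prefix match
    when the pattern ends with '*'. Scheme, host and port are compared
    literally, so an http pattern never matches an https redirect_uri."""
    for pattern in valid_patterns:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False

def simulate_login(headers, use_forward_headers, valid_patterns):
    """Return (redirect_uri the app would send, whether Keycloak accepts it)."""
    redirect_uri = external_base_url(headers, use_forward_headers) + CALLBACK_PATH
    return redirect_uri, redirect_uri_allowed(redirect_uri, valid_patterns)

# Constructed headers, matching what the nginx config in this answer would send.
PROXIED_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "www.example.com",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    patterns = ["https://www.example.com/*"]
    for flag in (False, True):
        uri, ok = simulate_login(PROXIED_HEADERS, flag, patterns)
        print(f"use-forward-headers={flag}: {uri} -> {'accepted' if ok else 'invalid_redirect_uri'}")
```

Running it shows the same two outcomes the thread describes: with forwarded headers ignored the app advertises an http callback that the https pattern rejects, and with them honoured the redirect_uri matches.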

It seems that the query parameter "redirect_uri" didn't match the setting of Valid Redirect URIs.

redirect_uri: https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin <- It's https
Valid Redirect URIs: http://awspublicip:80/* <- But it's http

guanxiaohua2k6
  • Thank you for the quick reply! It seems Keycloak generates different redirect URIs for the query when the initiator of the request is not localhost. Does someone know how to avoid this? – Indranil Ariunbold Jul 11 '18 at 07:03
  • I've tried : http://api.my-kc-webdb.site:8012/* http://api.my-kc-webdb.site:8012* http://api.my-kc-webdb.site:8012/sso/login/* http://api.my-kc-webdb.site/* http://api.my-kc-webdb.site/sso/login/* http://api.my-kc-webdb.site* – Indranil Ariunbold Jul 11 '18 at 08:57
  • Sorry for the last comment. What I wanted to say is that have you added the following url to Valid Redirect URIs? [https://awspublicip/*](https://awspublicip/*) – guanxiaohua2k6 Jul 11 '18 at 13:16
  • I think you should add the url of HTTPS. – guanxiaohua2k6 Jul 11 '18 at 13:19
  • Yeah, meaning my client has to be able to serve https. I have configured my proxy over and over, and still no changes (so that I won't use https) – Indranil Ariunbold Jul 11 '18 at 15:21
  • Can you add https version of url to "Valid Redirect URIs" of keycloak? – guanxiaohua2k6 Jul 18 '18 at 08:25

In my case, I have a Spring Boot application that uses Keycloak as auth provider. It used to work fine when redirecting to http://localhost:8080/*, but didn't work when deployed since the redirection is to https://.../*.

Adding server.forward-headers-strategy=framework to application.properties did the magic.

Its-Saab