I am working on a Katacoda scenario in which I connect a spring-boot application to a KeyCloak. I wanted to make it pretty minimal so here are my configs:

pom.xml

    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
            <version>10.0.1</version>
        </dependency>
    </dependencies>

Application Properties

    #Keycloak Properties
    #Katacoda Url
    keycloak.auth-server-url=https://2886795315-8444-ollie02.environments.katacoda.com/auth
    keycloak.realm=todoRealm
    #Client
    keycloak.resource=openid-login-client
    keycloak.public-client=true

My issue is that when I hit an endpoint on my application it redirects correctly to the login page. But the problem is that the redirect_uri it passes in is not SSL, i.e. http://2886795315-8080-ollie02.environments.katacoda.com/v1/todos, which causes a CORS issue.

I added this property to try to force https:

    keycloak.ssl-required=all

But then it changes the redirect_uri param it is passing into the keycloak login to https://2886795315-8080-ollie02.environments.katacoda.com:0/v1/todos

Does anyone have any idea why the url path has :0 appended to the front?

Landister
  • 2,194
  • 7
  • 38
  • 56

1 Answer

0

This could be a duplicate of this answer.

This is part of the Keycloak security defaults where it is promoting using a non-standard port for the SSL connection. This can be set in the Keycloak environment with the KEYCLOAK_HTTPS_PORT=4443 for example.

For the application (client) this can then require that (when for example ssl-required=all is set) the application will need to know this port (i.e. whatever KEYCLOAK_HTTPS_PORT is set to). To explicitly set this port in the application, so that it does not default to :0, use the keycloak.confidential-port=4443 property.

Because you are using nginx, this can of course be handled by a proxy_pass directive, in which case it is simply a matter of setting the keycloak.confidential-port property to the standard 443 for SSL.

Not to over-complicate things, but you could of course use a separate proxy_pass directive for a non-standard port in NginX that would handle the client SSL connections to the Keycloak back-end.

(remind me to please find the documentation links for this answer)... I haven't the time right now.

kaicarno
  • 416
  • 5
  • 12
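As an added illustration (not part of the question or the answer above), here is the asker's application.properties with the two settings the answer discusses side by side: the original configuration, which leaves the confidential port unset and so yields the `:0` redirect_uri once `ssl-required=all` is enabled, and the corrected version that pins the port. The auth-server URL and realm are the ones from the question; the port value 443 assumes the Katacoda reverse proxy terminates TLS on the standard port, as the answer suggests (use 4443, or whatever KEYCLOAK_HTTPS_PORT is set to, if Keycloak itself listens on a non-standard HTTPS port).

```properties
# --- Original (problematic) configuration, as posted in the question ---
# ssl-required=all forces an https redirect_uri, but with no confidential
# port configured the adapter builds https://host:0/... and the login fails.
#keycloak.auth-server-url=https://2886795315-8444-ollie02.environments.katacoda.com/auth
#keycloak.realm=todoRealm
#keycloak.resource=openid-login-client
#keycloak.public-client=true
#keycloak.ssl-required=all

# --- Corrected configuration (added example, assumes TLS is terminated by the proxy on 443) ---
keycloak.auth-server-url=https://2886795315-8444-ollie02.environments.katacoda.com/auth
keycloak.realm=todoRealm
keycloak.resource=openid-login-client
keycloak.public-client=true
# Keep redirect URIs and token exchange on https only.
keycloak.ssl-required=all
# Port the adapter puts into the https redirect_uri instead of :0.
# Use 4443 (or the value of KEYCLOAK_HTTPS_PORT) when Keycloak serves
# TLS on a non-standard port without a proxy in front.
keycloak.confidential-port=443
```

With this in place the redirect_uri sent to the login page becomes https://2886795315-8080-ollie02.environments.katacoda.com/v1/todos (port 443 is implicit), so it matches a Valid Redirect URI registered on the client and the CORS error from the mixed http/https origin disappears. Whatever port is chosen here must also be the one the proxy actually exposes, otherwise the browser is redirected to a port nothing is listening on.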