Login/Register
invalid redirect_uri Keycloak when client is not on localhost
Asked Answered
amazon-ec2keycloakjwilder-nginx-proxy
A

4

7

I've got my Keycloak Server deployed on aws EC2 behind a reverse Proxy and my Frontend client (Springbootapp) sits on a different EC2.

Now I get Invalid redirect_uri error, although it works when front-client is on localhost and Keycloak on aws. i.e.

Keycloak is reachable under: http://api.my-kc.site/

Valid Redirect URIs: http://localhost:8012/* and /login/* WORKS

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=http%3A%2F%2Flocalhost%3A8012%2Fsso%2Flogin&state=53185486-ef52-44a7-8304-ac4cfeb575ee&login=true&scope=openid

Valid Redirect URIs: http://awspublicip:80/* and /login/* does not WORK And I also tried the suggestion not to specify the port, i.e http://awspublicip/*; but still this doesnt work :/

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin&state=8bbb01e7-ad4d-4ee1-83fa-efb7f05397cc&login=true&scope=openid

Does anyone have an idea? I've been looking all the Invalid redirect_uri post, but nothing seem to add up.

It seems Keycloack generates different redirect URis for the query when the initiator of the request is not localhost. Does someone know how to avoid this?

localhost

public dns

Assumptive answered 11/7, 2018 at 0:58 Comment(5)
What do you mean with does not work? Have a look at keycloak logs, do you get anything displayed?Rhodic
08:37:31,385 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=WebApps, clientId=product-app, userId=null, ipAddress=84.59.129.188, error=invalid_redirect_uri, redirect_uri=api.my-kc-webapp.site:0/sso/loginAssumptive
It seems like you don't have KC properly set up to work with a reverse proxy. Have you followed the steps for that?Rhodic
Thanks! I'll check my configuration againAssumptive
@IndranilAriunbold did you figure this out? I'm having the same issue. Did you notice, the redirect_uri has port 0 in it. "invalid_redirect_uri, redirect_uri=api.my-kc-webapp.site:0/" <-- Is that ok? I've been trying to track down where that's breaking down for me too.Liaoning
L
5

I was having the same exact problem. My spring boot app sits behind nginx. I updated nginx to pass through the x-forwarded headers and updated the spring boot config with

spring boot yaml config:

server:
  use-forward-headers: true    

keycloak:
  realm: myrealm
  public-client: true
  resource: myclient
  auth-server-url: https://sso.example.com:443/auth
  ssl-required: external
  confidential-port: 443

nginx config:

upstream app {
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
   server 1.2.3.5:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;

        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://app;
    }
}

The specific change that made it work for me was adding keycloak.confidential-port. Once I added that it was no longer adding port 0 in the redirect_uri.

The only setting I have in Keycloak > Cofigure > Realm > Clients > my-client is Valid Redirect URIs set to: https://www.example.com/*

Hope that helps. It took me hours to track this down and get it working.

Liaoning answered 5/10, 2018 at 10:45 Comment(1)
Thanks, for me proxy_set_header X-Forwarded-Port 443; really did the trick! (I use port 6005, though). Thank you.Supervisor
L
2

in my case, I have a Spring boot application uses Keycloak as auth. provider. Used to work fine when redirecting to http://localhost:8080/*. But didn't work when deployed since the redirection is to https://.../*.

Adding server.forward-headers-strategy=framework to application.properties did the magic.

Lutherlutheran answered 21/6, 2022 at 6:20 Comment(1)
I was using keycloak 21 with Spring Boot, Keycloak with ngInx, tried all the combinations to set the redirect url. Finally this worked. Thanks a ton friend...Wallpaper
G
1

It seems that the query parameter "redirect_url" didn't match the setting of valid redirect URIs.

redirect_url: https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin <- It's https Valid Redirect URIs: http://awspublicip:80/* <- But it's http

Garik answered 11/7, 2018 at 1:47 Comment(6)
Thank you for the quick reply! It seems Keycloack generates different redirect URis for the query when the initiator of the request is not localhost. Does someone know how to avoid this?Assumptive
I've tried : api.my-kc-webdb.site:8012* api.my-kc-webdb.site:8012* api.my-kc-webdb.site:8012/sso/login* api.my-kc-webdb.site* api.my-kc-webdb.site/sso/login* api.my-kc-webdb.site*Assumptive
Sorry for the last comment. What I wanted to say is that have you added the following url to Valid Redirect URIs? https://awspublicip/*Garik
I think you should add the url of HTTPS.Garik
Yeah, meaning my client have to be able to serve https. I have configured my proxy over and over, and still no changes (so that i wont use https)Assumptive
Can you add https version of url to "Valid Redirect URIs" of keycloak?Garik
C
0

It works after fixing these configs in two tabs.

  1. account
  2. account-console

enter image description here

Here in both of the links you have to set your own redirect URL and also remove the rootURL.

After that make sure to add the * in the web origins.

enter image description here

Colliery answered 16/10, 2023 at 19:49 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.