invalid redirect_uri Keycloak when client is not on localhost

amazon-ec2 keycloak jwilder-nginx-proxy
Indranil Ariunbold picture Indranil Ariunbold · Jul 11, 2018 · Viewed 9.3k times · Source

I've got my Keycloak Server deployed on aws EC2 behind a reverse Proxy and my Frontend client (Springbootapp) sits on a different EC2.

Now I get Invalid redirect_uri error, although it works when front-client is on localhost and Keycloak on aws. i.e.

Keycloak is reachable under: http://api.my-kc.site/

Valid Redirect URIs: http://localhost:8012/* and /login/* WORKS

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=http%3A%2F%2Flocalhost%3A8012%2Fsso%2Flogin&state=53185486-ef52-44a7-8304-ac4cfeb575ee&login=true&scope=openid

Valid Redirect URIs: http://awspublicip:80/* and /login/* does not WORK And I also tried the suggestion not to specify the port, i.e http://awspublicip/*; but still this doesnt work :/

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin&state=8bbb01e7-ad4d-4ee1-83fa-efb7f05397cc&login=true&scope=openid

Does anyone have an idea? I've been looking all the Invalid redirect_uri post, but nothing seem to add up.

It seems Keycloack generates different redirect URis for the query when the initiator of the request is not localhost. Does someone know how to avoid this?

localhost

public dns

Answer

Dean Poulin picture Dean Poulin · Oct 5, 2018

I was having the same exact problem. My spring boot app sits behind nginx. I updated nginx to pass through the x-forwarded headers and updated the spring boot config with

spring boot yaml config:

server:
  use-forward-headers: true    

keycloak:
  realm: myrealm
  public-client: true
  resource: myclient
  auth-server-url: https://sso.example.com:443/auth
  ssl-required: external
  confidential-port: 443

nginx config:

upstream app {
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
   server 1.2.3.5:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;

        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://app;
    }
}

The specific change that made it work for me was adding keycloak.confidential-port. Once I added that it was no longer adding port 0 in the redirect_uri.

The only setting I have in Keycloak > Cofigure > Realm > Clients > my-client is Valid Redirect URIs set to: https://www.example.com/*

Hope that helps. It took me hours to track this down and get it working.

Related questions

Lost httpd.conf file located apache

How can I find where my httpd.conf file is located? I am running an Ubuntu Linux server from the Amazon Web Services EC2 (Elastic Compute Cloud) and I can't find my Apache config.

Read More
Permission denied (publickey) when SSH Access to Amazon EC2 instance

I want to use my Amazon ec2 instance but faced the following error: Permission denied (publickey). I have created my key pair and downloaded .pem file. Given: chmod 600 pem file. Then, this command ssh -i /home/kashif/serverkey.pem ubuntu@…

Read More
Trying to SSH into an Amazon Ec2 instance - permission error

This is probably a stupidly simple question to some :) I've created a new linux instance on Amazon EC2, and as part of that downloaded the .pem file to allow me to SSH in. When I tried to ssh with: ssh …

Read More