Invalid redirect_uri Keycloak when client is not on localhost

amazon ec2jwilder-nginx-proxykeycloak

I've got my Keycloak Server deployed on aws EC2 behind a reverse Proxy and my Frontend client (Springbootapp) sits on a different EC2.

Now I get Invalid redirect_uri error, although it works when front-client is on localhost and Keycloak on aws. i.e.

Keycloak is reachable under: http://api.my-kc.site/

Valid Redirect URIs: http://localhost:8012/* and /login/* WORKS

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=http%3A%2F%2Flocalhost%3A8012%2Fsso%2Flogin&state=53185486-ef52-44a7-8304-ac4cfeb575ee&login=true&scope=openid

Valid Redirect URIs: http://awspublicip:80/* and /login/* does not WORK
And I also tried the suggestion not to specify the port, i.e http://awspublicip/*; but still this doesnt work :/

The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin&state=8bbb01e7-ad4d-4ee1-83fa-efb7f05397cc&login=true&scope=openid

Does anyone have an idea? I've been looking all the Invalid redirect_uri post, but nothing seem to add up.

It seems Keycloack generates different redirect URis for the query when the initiator of the request is not localhost. Does someone know how to avoid this?

localhost

public dns

Best Answer

I was having the same exact problem. My spring boot app sits behind nginx. I updated nginx to pass through the x-forwarded headers and updated the spring boot config with

spring boot yaml config:

server:
  use-forward-headers: true    

keycloak:
  realm: myrealm
  public-client: true
  resource: myclient
  auth-server-url: https://sso.example.com:443/auth
  ssl-required: external
  confidential-port: 443

nginx config:

upstream app {
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
   server 1.2.3.5:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;

        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://app;
    }
}

The specific change that made it work for me was adding keycloak.confidential-port. Once I added that it was no longer adding port 0 in the redirect_uri.

The only setting I have in Keycloak > Cofigure > Realm > Clients > my-client is Valid Redirect URIs set to: https://www.example.com/*

Hope that helps. It took me hours to track this down and get it working.

Related Topic