I've got my Keycloak Server deployed on aws EC2 behind a reverse Proxy and my Frontend client (Springbootapp) sits on a different EC2.
Now I get Invalid redirect_uri error, although it works when front-client is on localhost and Keycloak on aws. i.e.
Keycloak is reachable under: http://api.my-kc.site/
Valid Redirect URIs: http://localhost:8012/* and /login/*
WORKS
The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=http%3A%2F%2Flocalhost%3A8012%2Fsso%2Flogin&state=53185486-ef52-44a7-8304-ac4cfeb575ee&login=true&scope=openid
Valid Redirect URIs: http://awspublicip:80/* and /login/*
does not WORK
And I also tried the suggestion not to specify the port, i.e http://awspublicip/*; but still this doesnt work :/
The Query: https://api.my-kc.site/auth/realms/WebApps/protocol/openid-connect/auth?response_type=code&client_id=product-app&redirect_uri=https%3A%2F%2Fawspublicip%3A0%2Fsso%2Flogin&state=8bbb01e7-ad4d-4ee1-83fa-efb7f05397cc&login=true&scope=openid
Does anyone have an idea? I've been looking all the Invalid redirect_uri post, but nothing seem to add up.
It seems Keycloack generates different redirect URis for the query when the initiator of the request is not localhost. Does someone know how to avoid this?
Best Answer
I was having the same exact problem. My spring boot app sits behind nginx. I updated nginx to pass through the x-forwarded headers and updated the spring boot config with
spring boot yaml config:
nginx config:
The specific change that made it work for me was adding
keycloak.confidential-port
. Once I added that it was no longer adding port 0 in the redirect_uri.The only setting I have in Keycloak > Cofigure > Realm > Clients > my-client is
Valid Redirect URIs
set to:https://www.example.com/*
Hope that helps. It took me hours to track this down and get it working.