I have Keycloak running inside Docker, fronted by Nginx, which terminates TLS using a Let's Encrypt certificate. Everything works perfectly apart from Dynamic Client Registration responses:
registration_client_uri is returned with ip:port, not the hostname
curl --location --request POST 'https://example.com/auth/realms/master/clients-registrations/openid-connect' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer INITIAL.ACCESS.TOKEN' \
--data-raw '{
"client_name": "savings app",
"token_endpoint_auth_method": "client_secret_basic",
"redirect_uris": ["http://localhost"],
"response_types": ["none"],
"grant_types": ["client_credentials"],
"subject_type": "pairwise"
}'
{
"redirect_uris": [
"http://localhost"
],
"token_endpoint_auth_method": "client_secret_basic",
"grant_types": [
"client_credentials"
],
"response_types": [],
"client_id": "8f0b5303-c7e3-47c3-aec1-5917811811c4",
"client_secret": "1f4e3fc4-b68e-4eca-b696-b8d8826f9a80",
"client_name": "savings app",
"scope": "address phone offline_access microprofile-jwt",
"subject_type": "pairwise",
"request_uris": [],
"tls_client_certificate_bound_access_tokens": false,
"client_id_issued_at": 1640715787,
"client_secret_expires_at": 0,
"registration_client_uri": "https://127.0.0.1:8443/auth/realms/master/clients-registrations/openid-connect/8f0b5303-c7e3-47c3-aec1-5917811811c4", <---------- THIS SHOULD SAY EXAMPLE.COM, not 127.0.0.1:8443
"registration_access_token": "REGISTRATION.ACCESS.TOKEN",
"backchannel_logout_session_required": false,
"require_pushed_authorization_requests": false
}
I have started Keycloak as follows:
docker run -itd --name keycloak --restart unless-stopped --env-file keycloak.env -p 127.0.0.1:8443:8443 --network keycloak jboss/keycloak:15.0.1 -Dkeycloak.profile=preview
cat keycloak.env
KEYCLOAK_USER=foo
KEYCLOAK_PASSWORD=bar
KEYCLOAK_HOSTNAME=example.com
KEYCLOAK_FRONTEND_URL=https://example.com
KEYCLOAK_HTTPS_PORT=443
PROXY_ADDRESS_FORWARDING=true
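A quick way to catch the problem described in the question in an automated test, rather than by eyeballing the JSON: compare the scheme, host and port of every endpoint URL in the registration response against the public frontend URL the proxy serves, and flag loopback or non-global addresses (an internal address in registration_client_uri is both a functional bug, since clients will try to manage themselves via a URL they cannot reach, and a small information leak about the backend). This is an added example, not code from the original post or from Keycloak; the sample response is constructed to mirror the one in the question, and the function name and the frontend URL `https://example.com` are assumptions taken from the question's env file.

```python
"""Check a Dynamic Client Registration (RFC 7591) response for endpoint
URLs that point at a backend address instead of the public frontend URL.

Added example, not part of the original post or of Keycloak itself.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the response from the question, with the tokens and
# ids shortened. registration_client_uri carries the container address.
SAMPLE_RESPONSE = {
    "redirect_uris": ["http://localhost"],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["client_credentials"],
    "client_id": "8f0b5303-c7e3-47c3-aec1-5917811811c4",
    "client_secret": "REDACTED",
    "client_name": "savings app",
    "subject_type": "pairwise",
    "client_id_issued_at": 1640715787,
    "client_secret_expires_at": 0,
    "registration_client_uri": (
        "https://127.0.0.1:8443/auth/realms/master/clients-registrations/"
        "openid-connect/8f0b5303-c7e3-47c3-aec1-5917811811c4"
    ),
    "registration_access_token": "REDACTED",
}


def _origin(url):
    """Return (scheme, host, port) with the default port filled in, so that
    https://example.com and https://example.com:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def _is_internal(host):
    """True for loopback, private, link-local or otherwise non-global hosts."""
    if host is None or host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name; cannot tell without resolving it


def check_registration_response(resp, frontend_url, keys=("registration_client_uri",)):
    """Return a list of findings (strings). An empty list means every
    checked endpoint URL matches the public frontend origin."""
    findings = []
    expected = _origin(frontend_url)
    for key in keys:
        url = resp.get(key)
        if not url:
            findings.append(f"{key} is missing from the response")
            continue
        got = _origin(url)
        if got != expected:
            findings.append(
                f"{key} uses origin {got[0]}://{got[1]}:{got[2]}, "
                f"expected {expected[0]}://{expected[1]}:{expected[2]}"
            )
        if _is_internal(got[1]):
            findings.append(f"{key} exposes an internal address: {got[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_registration_response(SAMPLE_RESPONSE, "https://example.com"):
        print("FINDING:", finding)
```

Run against the sample it reports two findings (wrong origin, and a loopback address); once Keycloak builds the URI from the frontend URL the list is empty. The same function can be pointed at any other absolute URL Keycloak returns, for example by passing `keys=("registration_client_uri", "jwks_uri")` for the OpenID discovery document, since the comparison is purely on scheme, host and port. For the proxy side, note that Keycloak's PROXY_ADDRESS_FORWARDING=true only helps if Nginx actually forwards the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers; without them Keycloak still sees the request as arriving at 127.0.0.1:8443.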