DCR registration_client_uri returns with 127.0.0.1:PORT instead of hostname

I have Keycloak running inside Docker, fronted by NginX which terminates TLS using a LetsEncrypt certificate. Everything works perfectly apart from Dynamic Client Registration Responses.

registration_client_uri returns with ip:port, not hostname

curl --location --request POST 'https://example.com/auth/realms/master/clients-registrations/openid-connect' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer INITIAL.ACCESS.TOKEN' \
--data-raw '{
  "client_name": "savings app",
  "token_endpoint_auth_method": "client_secret_basic",
  "redirect_uris": ["http://localhost"],
  "response_types": ["none"],
  "grant_types": ["client_credentials"],
  "subject_type": "pairwise"
}'

{
    "redirect_uris": [
        "http://localhost"
    ],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": [
        "client_credentials"
    ],
    "response_types": [],
    "client_id": "8f0b5303-c7e3-47c3-aec1-5917811811c4",
    "client_secret": "1f4e3fc4-b68e-4eca-b696-b8d8826f9a80",
    "client_name": "savings app",
    "scope": "address phone offline_access microprofile-jwt",
    "subject_type": "pairwise",
    "request_uris": [],
    "tls_client_certificate_bound_access_tokens": false,
    "client_id_issued_at": 1640715787,
    "client_secret_expires_at": 0,
    "registration_client_uri": "https://127.0.0.1:8443/auth/realms/master/clients-registrations/openid-connect/8f0b5303-c7e3-47c3-aec1-5917811811c4", <---------- THIS SHOULD SAY EXAMPLE.COM, not 127.0.0.1:8443
    "registration_access_token": "REGISTRATION.ACCESS.TOKEN",
    "backchannel_logout_session_required": false,
    "require_pushed_authorization_requests": false
}

I have started Keycloak as follows:

docker run -itd --name keycloak --restart unless-stopped --env-file keycloak.env -p 127.0.0.1:8443:8443 --network keycloak jboss/keycloak:15.0.1 -Dkeycloak.profile=preview
cat keycloak.env
KEYCLOAK_USER=foo
KEYCLOAK_PASSWORD=bar
KEYCLOAK_HOSTNAME=example.com
KEYCLOAK_FRONTEND_URL=https://example.com
KEYCLOAK_HTTPS_PORT=443
PROXY_ADDRESS_FORWARDING=true

bump - is this a bug?

I bet (bet, because you didn’t provide your nginx conf) your nginx doesn’t forward host to the keycloak properly:

proxy_set_header    X-Forwarded-Host   $host;
proxy_set_header    Host               $host;

This is perfect, thank you!

Did I win with my bet?
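
A client that follows registration_client_uri sends its registration_access_token to whatever host that URI names, so it is worth checking the URI's origin against the endpoint that was actually called. The sketch below is an added example, not code from the thread or from Keycloak; it does that check on the response from the question and on the response expected once the proxy forwards the host. The function names and the trimmed sample responses are assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed samples: the response from the post trimmed to the fields checked,
# and the same response as it should look once the proxy forwards the host.
ENDPOINT = "https://example.com/auth/realms/master/clients-registrations/openid-connect"
CLIENT_ID = "8f0b5303-c7e3-47c3-aec1-5917811811c4"
BROKEN_RESPONSE = json.dumps({
    "client_id": CLIENT_ID,
    "registration_client_uri": "https://127.0.0.1:8443/auth/realms/master"
                               "/clients-registrations/openid-connect/" + CLIENT_ID,
    "registration_access_token": "REGISTRATION.ACCESS.TOKEN",
})
FIXED_RESPONSE = json.dumps({
    "client_id": CLIENT_ID,
    "registration_client_uri": ENDPOINT + "/" + CLIENT_ID,
    "registration_access_token": "REGISTRATION.ACCESS.TOKEN",
})

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port

def is_internal_host(host):
    """True for 'localhost' and for loopback, private or link-local IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: not resolved or judged here
    return ip.is_loopback or ip.is_private or ip.is_link_local

def check_registration_response(registration_endpoint, response_json):
    """List problems with registration_client_uri; an empty list means it is usable."""
    uri = json.loads(response_json).get("registration_client_uri")
    if not uri:
        return ["registration_client_uri missing"]
    findings = []
    expected, actual = origin(registration_endpoint), origin(uri)
    if actual != expected:
        findings.append(f"origin mismatch: called {expected}, response names {actual}")
    if is_internal_host(actual[1]):
        findings.append(f"internal address in response: {actual[1]}:{actual[2]}")
    return findings

if __name__ == "__main__":
    for label, body in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_registration_response(ENDPOINT, body) or "ok")
```

A check like this suits a post-deployment smoke test for the proxy configuration, or a client refusing to store a registration URI that points somewhere other than the server it registered with.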