Get internal/wrong redirect_uri

Hello,

We have a problem with our Keycloak setup; maybe someone can help us here.

Setup

  • Keycloak in a Docker container.
  • Spring Boot application with the Keycloak Spring Boot starter.
  • Kubernetes, which starts the Spring Boot application packaged in a Docker image.
  • nginx in front of the Spring Boot application.

Configuration:

nginx:

        proxy_set_header   Host $http_host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host  $host;
        proxy_set_header   X-Forwarded-Server  $host;
        proxy_set_header   X-Forwarded-Port  $server_port;
        proxy_set_header   X-Forwarded-Proto $scheme;

Spring Boot Tomcat config:

server:
  use-forward-headers: true
  tomcat:
    remote_ip_header: X-FORWARDED-FOR
    protocol_header: X-FORWARDED-PROTO

Java adapter config:

keycloak:
  enabled: true
  realm: <realm>
  auth-server-url: <auth-server-url>
  resource: api
  ssl-required: all
  always-refresh-token: false
  public-client: true

Keycloak standalone.xml and standalone-ha.xml:
The http listener and the https listener both have proxy-address-forwarding="true".

If the Spring Boot application is executed as a standalone app, the redirect to login and back to the application works.

If the Spring Boot application is executed within Kubernetes, the redirect to login works, but the redirect_uri back to the application is the internal Kubernetes service name, e.g. ui.default.svc.cluster.local.
This endpoint is wrong because it's not accessible from outside.

Can anyone help here?

We found the problem, which is solved with Spring Boot 2.2.0.

Spring Boot uses RemoteIpValve to handle the incoming request. It was not possible to define the host header key. With Spring Boot 2.2.0 there is the possibility to configure the header key. See also Bug.

The default is set to "X-Forwarded-Host", which solves our problem.
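To make the mechanism behind this thread concrete, here is an added example that is not part of the original post and not Spring Boot's or Keycloak's own code. It models, in Python, what a RemoteIpValve-style forwarded-header filter does when the application builds its redirect_uri: forwarded headers are applied only when the TCP peer is a trusted proxy, and the host is replaced by X-Forwarded-Host only when the filter is configured to honour that header (the behaviour the poster reports being unavailable before Spring Boot 2.2.0). All addresses, host names, the realm and the client id below are constructed sample values; the trusted proxy ranges stand in for the internal-proxies setting you would configure in a real deployment.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed: address ranges of the reverse proxies whose X-Forwarded-* headers
# the application may believe. Headers from any other peer are ignored, which is
# what stops an external client from steering the redirect_uri with a spoofed host.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Request:
    """Minimal model of what the servlet container sees on the inbound hop."""
    remote_addr: str                  # TCP peer: the proxy when behind nginx
    scheme: str                       # scheme of the hop that reached the app
    host: str                         # Host header as received by the app
    port: int
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name, default=None):
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), default)


def resolve_external_origin(req, honour_forwarded_host=True):
    """Rebuild the client-facing origin the way a RemoteIpValve-style filter does.

    With honour_forwarded_host=False the Host header is left untouched, which
    reproduces the internal service name showing up in redirect_uri.
    """
    peer = ipaddress.ip_address(req.remote_addr)
    scheme, host, port = req.scheme, req.host, req.port
    if any(peer in net for net in TRUSTED_PROXIES):
        scheme = req.header("X-Forwarded-Proto", scheme)
        port = int(req.header("X-Forwarded-Port", port))
        if honour_forwarded_host:
            forwarded_host = req.header("X-Forwarded-Host")
            if forwarded_host:
                # A proxy may send "host:port"; keep an explicit port if present.
                host, _, explicit_port = forwarded_host.partition(":")
                if explicit_port:
                    port = int(explicit_port)
    default_port = 443 if scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}"


def build_authorization_url(auth_server_url, realm, client_id, req,
                            honour_forwarded_host=True):
    """Return (authorization_url, redirect_uri) for the start of the code flow."""
    redirect_uri = resolve_external_origin(req, honour_forwarded_host) + req.path
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
    })
    auth_url = f"{auth_server_url}/realms/{realm}/protocol/openid-connect/auth?{query}"
    return auth_url, redirect_uri


# Constructed sample: request relayed by the in-cluster nginx (10.42.0.7) to the
# pod; the app itself only sees the internal service name on its Host header.
K8S_REQUEST = Request(
    remote_addr="10.42.0.7", scheme="http",
    host="ui.default.svc.cluster.local", port=8080, path="/sso/login",
    headers={
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "app.example.com",
        "X-Forwarded-Port": "443",
    },
)

# Constructed sample: a peer that is not a trusted proxy but sends the same headers.
UNTRUSTED_REQUEST = Request(
    remote_addr="203.0.113.5", scheme="http",
    host="ui.default.svc.cluster.local", port=8080, path="/sso/login",
    headers={"X-Forwarded-Host": "spoofed.example", "X-Forwarded-Proto": "https"},
)

if __name__ == "__main__":
    print(resolve_external_origin(K8S_REQUEST, honour_forwarded_host=False))
    print(resolve_external_origin(K8S_REQUEST))
    print(resolve_external_origin(UNTRUSTED_REQUEST))
```

Running the three calls shows the three situations in the thread: with the host header ignored the origin is https://ui.default.svc.cluster.local (the symptom), with it honoured the origin is https://app.example.com, and from an untrusted peer the forwarded headers are dropped entirely. The last case is the check worth keeping when you enable the host header in a real deployment: widen the trusted proxy list only to the addresses of your own nginx or ingress, otherwise any client that can reach the pod directly could choose the host in redirect_uri.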