Hello,
We have a problem with our Keycloak setup; maybe someone can help us here.
Setup
- keycloak in a Docker Container.
- spring boot application with keycloak spring boot starter
- kubernetes which starts the spring boot application packaged in a docker image
- nginx in front of spring boot application
Configuration:
nginx:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
Spring Boot tomcat config:
server:
  use-forward-headers: true
  tomcat:
    remote_ip_header: X-FORWARDED-FOR
    protocol_header: X-FORWARDED-PROTO
java adapter config
keycloak:
  enabled: true
  realm: <realm>
  auth-server-url: <auth-server-url>
  resource: api
  ssl-required: all
  always-refresh-token: false
  public-client: true
keycloak standalone.xml and standalone-ha.xml
The http listener and https listener both have proxy-address-forwarding="true".
If the Spring Boot application is executed as a standalone app, the redirect to login and back to the application works.
If the Spring Boot application is executed within Kubernetes, the redirect to login works, but the redirect_uri back to the application is the internal Kubernetes service name, e.g. ui.default.svc.cluster.local.
This endpoint is wrong because it's not accessible from outside.
Can anyone help here?
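To make the mechanism behind this symptom concrete: the adapter builds redirect_uri from the host the backend believes it was reached on, which is the raw Host header unless the X-Forwarded-* headers set by nginx are honoured, and they must only be honoured when the request actually came from the proxy, or anyone reaching the pod directly could steer the redirect. The following is an added Python illustration, not code from the post or from Keycloak/Spring; the host names, peer addresses and trusted-proxy ranges are constructed.

```python
"""Added illustration (not from the post): deriving the redirect_uri sent to
Keycloak from request headers, honouring X-Forwarded-* only from a trusted
proxy (the role Tomcat's RemoteIpValve plays behind nginx)."""
import ipaddress
from urllib.parse import urlunsplit


def external_base_url(headers: dict, peer_ip: str, trusted_proxies: list) -> str:
    """Return scheme://host[:port] as the browser saw it.

    If the direct peer is one of the trusted proxy networks, rebuild the
    origin from X-Forwarded-Proto/Host/Port; otherwise fall back to the plain
    Host header so a direct caller cannot inject a forwarded host."""
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in ipaddress.ip_network(n) for n in trusted_proxies)
    if from_proxy:
        # Take the first value only; proxies may append comma-separated lists.
        scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip()
        host = h.get("x-forwarded-host", h.get("host", "")).split(",")[0].strip()
        port = h.get("x-forwarded-port", "").split(",")[0].strip()
    else:
        scheme, host, port = "http", h.get("host", ""), ""
    default_port = {"http": "80", "https": "443"}.get(scheme, "")
    if port and port != default_port and ":" not in host:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, "", "", ""))


def redirect_uri(headers: dict, peer_ip: str, trusted_proxies: list,
                 path: str = "/sso/login") -> str:
    """redirect_uri the adapter would hand to Keycloak for the given request."""
    return external_base_url(headers, peer_ip, trusted_proxies) + path


if __name__ == "__main__":
    # Constructed sample: request relayed by nginx (peer 10.0.0.5 is trusted).
    via_nginx = {"Host": "ui.example.com", "X-Forwarded-Host": "ui.example.com",
                 "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    print(redirect_uri(via_nginx, "10.0.0.5", ["10.0.0.0/8"]))
    # Constructed sample: pod reached directly on its in-cluster service name.
    direct = {"Host": "ui.default.svc.cluster.local:8080",
              "X-Forwarded-Host": "attacker.example"}
    print(redirect_uri(direct, "192.168.7.21", ["10.0.0.0/8"]))
```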