Location header with changed redirect_uri

Hi All,

I would like to ask your opinion about a behavior that changed when I upgraded from 3.3.0-Final to 11.0.2 (I know it is a pretty big upgrade).
I have Keycloak integrated in an open-source project called CEDAR, so I will provide exact URLs, these are not secret in any way.

I have my URL in the browser in the following form:

https://cedar.metadatacenter.orgx/instances/create/https://repo.metadatacenter.orgx/templates/18dd4b24-bbbe-41da-9c0e-16c1a0203d24

(Please note the URL has another URL in it, which starts with https://)

I am using the JavaScript library to perform authentication, and that calls the following URL (taken from the Network Panel):

https://auth.metadatacenter.orgx/auth/realms/CEDAR/protocol/openid-connect/auth?client_id=cedar-angular-app&redirect_uri=https%3A%2F%2Fcedar.metadatacenter.orgx%2Finstances%2Fcreate%2Fhttps%3A%2F%2Frepo.metadatacenter.orgx%2Ftemplates%2F18dd4b24-bbbe-41da-9c0e-16c1a0203d24&state=4715527e-519e-43f1-83aa-274cef790a7d&response_mode=fragment&response_type=code&scope=openid&nonce=4ac1d6e7-448e-48e5-be0e-9b63136ad52b

Please note the “https://” being properly encoded as “https%3A%2F%2F”

Now the response to this GET contains the Location header with the following value:

https://cedar.metadatacenter.orgx/instances/create/https:/repo.metadatacenter.orgx/templates/18dd4b24-bbbe-41da-9c0e-16c1a0203d24#state=4715527e-519e-43f1-83aa-274cef790a7d&session_state=ea95bae6-ee1c-45c5-8f11-5d602c75551f&code=7de14b4b-4008-4a3f-af4d-a798cf8075bc.ea95bae6-ee1c-45c5-8f11-5d602c75551f.37064cae-0fb9-40b1-945d-3e0325688d6b

Please note that the location is different from the redirect URL. It only contains “https:/” instead of “https://”.

I was looking everywhere (config, docs, internet) for the cause of this behavior, without luck.
I would really appreciate it if you had any information regarding what is causing this, and how to fix it.
We “fixed” the behavior on client-side, but we would really like to solve the issue at its core.

Thank you.

When looking at the source code of Keycloak, it looks like the redirect URL is being built in https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java in getRedirectUri(String state).

I don’t directly see an issue, but maybe you can set the log levels to debug and see what’s being passed down.
If the URI seems to be correct try walking down the code and see where it changes. Also look at deployment.getRedirectRewriteRules() and see if there is a possible issue with those.

It’s also helpful to mention the tech stack you are using. Are you using a proxy, what’s the config, …

Also try the latest 11.0.3

Thank you for your ideas, @zonaut.

I did what you suggested: set log levels to DEBUG. I saw some log lines which showed the URL, but nothing worth mentioning.
I validated that the getRedirectUri method returns the proper value - I set up a minimalist test bed for it.
So at this moment I think chances are that Keycloak is not causing this.
My stack contains an nginx reverse proxy, and an angular front end.

I debugged the keycloak.js adapter in the browser. I changed nginx config, mainly adding merge_slashes off; to my server.

I have not been able to find anything meaningful so far. I entertained the idea of inspecting packets with Wireshark, but have not gone there yet.
At this moment, what I feel is that nginx is rewriting the Location header in the Response sent by Keycloak, but I did not find any indication that this could happen, and there also does not seem to be a config in nginx which would control this behavior.

If you have any ideas how to move forward, I would appreciate it, I will debug this deeper in the next couple of days.
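
The comparison the thread does by eye, as an added example that is not part of any post and not Keycloak or keycloak.js code: it decodes `redirect_uri` from the authorization request, strips the fragment from the `Location` header, and reports where the two diverge and whether the difference is exactly what merging duplicate slashes in the path would produce. The function names are hypothetical; the sample values are the two URLs quoted in the first post.

```javascript
// Added diagnostic sketch; function names are hypothetical, not keycloak.js API.
// Sample values: the auth request URL and Location header quoted in the first post.
const SAMPLE_AUTH_REQUEST = 'https://auth.metadatacenter.orgx/auth/realms/CEDAR/protocol/openid-connect/auth?client_id=cedar-angular-app&redirect_uri=https%3A%2F%2Fcedar.metadatacenter.orgx%2Finstances%2Fcreate%2Fhttps%3A%2F%2Frepo.metadatacenter.orgx%2Ftemplates%2F18dd4b24-bbbe-41da-9c0e-16c1a0203d24&state=4715527e-519e-43f1-83aa-274cef790a7d&response_mode=fragment&response_type=code&scope=openid&nonce=4ac1d6e7-448e-48e5-be0e-9b63136ad52b';
const SAMPLE_LOCATION = 'https://cedar.metadatacenter.orgx/instances/create/https:/repo.metadatacenter.orgx/templates/18dd4b24-bbbe-41da-9c0e-16c1a0203d24#state=4715527e-519e-43f1-83aa-274cef790a7d&session_state=ea95bae6-ee1c-45c5-8f11-5d602c75551f&code=7de14b4b-4008-4a3f-af4d-a798cf8075bc.ea95bae6-ee1c-45c5-8f11-5d602c75551f.37064cae-0fb9-40b1-945d-3e0325688d6b';

// Decoded redirect_uri parameter of an OIDC authorization request URL.
function requestedRedirectUri(authRequestUrl) {
  const value = new URL(authRequestUrl).searchParams.get('redirect_uri');
  if (value === null) throw new Error('auth request has no redirect_uri');
  return value; // searchParams.get() has already percent-decoded it
}

// Collapse runs of "/" in the path only; the "//" after the scheme is kept.
function collapsePathSlashes(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^\/]*)(.*)$/i.exec(url);
  return m ? m[1] + m[2].replace(/\/{2,}/g, '/') : url;
}

// Compare the requested redirect_uri with the Location header of the response.
// With response_mode=fragment the server appends "#state=...&code=...",
// so everything from "#" on is cut off before comparing.
function compareRedirect(authRequestUrl, locationHeader) {
  const expected = requestedRedirectUri(authRequestUrl);
  const hash = locationHeader.indexOf('#');
  const actual = hash === -1 ? locationHeader : locationHeader.slice(0, hash);
  if (actual === expected) return { match: true };

  // Index of the first character where the two strings differ.
  let offset = 0;
  while (offset < expected.length && expected[offset] === actual[offset]) offset++;
  const from = Math.max(0, offset - 7);
  return {
    match: false,
    offset,
    expectedAt: expected.slice(from, offset + 6),
    actualAt: actual.slice(from, offset + 6),
    // true when merging duplicate slashes in the path alone explains the change
    slashesMerged: collapsePathSlashes(expected) === actual,
  };
}

console.log(compareRedirect(SAMPLE_AUTH_REQUEST, SAMPLE_LOCATION));
```

Running the same check on a response taken directly from Keycloak and on one taken through the reverse proxy shows which hop returns the altered value.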