Successful /auth redirects to /login-actions/authenticate and ignores redirect_uri

I’m trying to better understand the workflow of the standard authentication process.
I might have misunderstood the process, so for clarification this is what I’m currently doing based on different help-articles here and on openid:

Keycloak is running in a Docker container behind an nginx reverse proxy in order to get the Access-Control-Allow-Origin correct.
Frontend: 127.0.0.1
Reverse proxy: 127.0.0.1:8001 → Keycloak: 127.0.0.1:8080

When user visits http://127.0.0.1, a button makes them open ://127.0.0.1:8001/auth/realms/realm/protocol/openid-connect/auth?client_id=client_id_here&response_type=code&state=some_state&redirect_uri=http://127.0.0.1 in a new tab.

So far that works, it opens the keycloak login form for the realm.
The user logs in, but on a successful login they’re redirected to: http://127.0.0.1/auth/realms/realm/login-actions/authenticate?session_code=&execution=&client_id=&tab_id

It seems that the path .../login-actions/authenticate is hardcoded no matter what the redirect_uri is set to. Trying to set the redirect_uri to something different causes errors as expected due to the realm client configuration (see below).

The keycloak javascript API solves most of these things most probably.
But again, in order to better understand the flow and how this works in detail I’m trying to solve it using vanilla JavaScript. And to generate the /auth URL before calling /token I’m doing:

var auth_data = new URLSearchParams({
	client_id: this.client_id,
	response_type: 'code',
	state: this.#state,
	redirect_uri: "http://127.0.0.1/"
})
console.log(`http://${this.gateway}:${this.port}/auth/realms/${this.realm}/protocol/openid-connect/auth?${auth_data}`)

Any ideas where I’m going wrong here? I can’t imagine every application/website needs to hardcode /auth/realms/ourkvm/login-actions/authenticate and handle the callback on that specific endpoint, as that kind of defeats the purpose of redirect_uri existing in the URL. So, what am I missing?

Here’s the nginx configuration for the reverse proxy if that helps to nudge me in the right direction:

server {
        listen       8001;
        server_name  localhost;
        add_header 'Access-Control-Allow-Origin' '*';

        location / {
            proxy_pass         http://127.0.0.1:8080/;
            proxy_redirect     off;

            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

            client_max_body_size       10m;
            client_body_buffer_size    128k;

            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;

            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }
}

Thank you in advance!

Appears as if keycloak doesn’t redirect to the port correctly for some reason.
Probably a configuration error on my part… So a bandaid is to hardcode nginx to redirect anything ~ ^/auth back to keycloak:

server {
    listen       80;
    server_name  localhost;

    add_header 'Access-Control-Allow-Origin' '*';

    #charset koi8-r;

    #access_log  logs/host.access.log  main;

    location ~ ^/auth {
        proxy_pass         http://127.0.0.1:8080;
        ...
    }

    location / {
        root   /srv/http;
        index  index.html index.htm;
    }
}
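
The authorization request from the first post, together with the check that the page served at redirect_uri should run on the response before calling /token, as an added example that is not part of the original posts. The hosts and ports are the ones given in the thread; the realm name `realm`, the client ID `my-client` and the function names are assumptions.

```javascript
// Added example: authorization-code request and callback check in plain JS.
// Realm "realm" and client "my-client" are assumed placeholder names.
const cfg = {
  base: "http://127.0.0.1:8001",     // reverse proxy in front of Keycloak
  realm: "realm",
  clientId: "my-client",
  redirectUri: "http://127.0.0.1/",  // must be allowed in the client's settings
};

// Unguessable per-request value; store it (e.g. in sessionStorage) before
// opening the login page so the callback can be matched to this request.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthUrl(c, state) {
  const url = new URL(
    `${c.base}/auth/realms/${encodeURIComponent(c.realm)}/protocol/openid-connect/auth`
  );
  url.search = new URLSearchParams({
    client_id: c.clientId,
    response_type: "code",
    state,
    redirect_uri: c.redirectUri,
  }).toString();
  return url.toString();
}

// Run on the page served at redirect_uri. Returns the code only when the URL
// really is the redirect_uri and carries the state this browser generated.
function readCallback(href, c, expectedState) {
  const url = new URL(href);
  const expected = new URL(c.redirectUri);
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { ok: false, reason: "not the redirect_uri" };
  }
  const p = url.searchParams;
  if (p.has("error")) return { ok: false, reason: p.get("error") };
  if (!p.get("code")) return { ok: false, reason: "no code" };
  if (!expectedState || p.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  return { ok: true, code: p.get("code") };
}
```

Only a result with `ok: true` should be exchanged at the token endpoint; a missing or mismatched `state` means the response did not come from a request this browser session started.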