I’m trying to better understand the workflow of the standard authentication process.
I might have misunderstood the process, so for clarification, this is what I’m currently doing based on different help articles here and on openid:
Keycloak is running in a Docker container behind an nginx reverse proxy in order to get the Access-Control-Allow-Origin header correct.
Frontend: 127.0.0.1
Reverse proxy: 127.0.0.1:8001 → Keycloak: 127.0.0.1:8080
When the user visits http://127.0.0.1, a button makes them open http://127.0.0.1:8001/auth/realms/realm/protocol/openid-connect/auth?client_id=client_id_here&response_type=code&state=some_state&redirect_uri=http://127.0.0.1 in a new tab.
So far that works; it opens the Keycloak login form for the realm.
The user logs in, but on a successful login they’re redirected to: http://127.0.0.1/auth/realms/realm/login-actions/authenticate?session_code=&execution=&client_id=&tab_id
It seems that the path .../login-actions/authenticate is hardcoded no matter what the redirect_uri is set to. Trying to set the redirect_uri to something different causes errors, as expected, due to the realm client configuration (see below).
The Keycloak JavaScript API most probably solves most of these things.
But again, in order to better understand the flow and how this works in detail, I’m trying to solve it using vanilla JavaScript. To generate the /auth URL before calling /token I’m doing:
// Inside the client class: gateway, port, realm and client_id are set on the instance,
// and #state is a private field holding the state value sent along with the request.
var auth_data = new URLSearchParams({
    client_id: this.client_id,
    response_type: 'code',
    state: this.#state,
    redirect_uri: "http://127.0.0.1/"
});
console.log(`http://${this.gateway}:${this.port}/auth/realms/${this.realm}/protocol/openid-connect/auth?${auth_data}`);
Any ideas where I’m going wrong here? I can’t imagine every application/website needs to hardcode /auth/realms/ourkvm/login-actions/authenticate and handle the callback on that specific endpoint, as that kind of defeats the purpose of redirect_uri existing in the URL. So, what am I missing?
Here’s the nginx configuration for the reverse proxy if that helps to nudge me in the right direction:
server {
    listen 8001;
    server_name localhost;
    # Applied to every response proxied from Keycloak, for any origin.
    add_header 'Access-Control-Allow-Origin' '*';

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
        # $host carries no port, so Keycloak sees "Host: 127.0.0.1" rather than "127.0.0.1:8001"
        # and builds its own URLs (login form action, redirects) from that value.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
Thank you in advance!