Terminal OIDC Client, Keycloak and http redirects

Getting advice
1

Hi all

I have been spending some time trying to configure a command line OIDC client on linux and it creates a url in the form of https to the keycloak server, with a http redirect url.

I have keycloak realm set to ‘ssl external’ so localhost and local IP’s should be accepted with a http url,

I am getting an error in the local browser saying it cannot establish a secure connected for the url, but appears to right a https redirect in the browser.

If I remove the ‘s’ from https in the url, keycloak accepts it and returns the correct token.

I have checked for any local http to https redirects and don’t have any, so I wondered if it was a keycloak config error on my part?

My redirect url in keycloak for that client is http://127.0.0.1:*

Thanks in advance for any pointers as its taken a good few days to get this far :slight_smile:

Cheers

I should add using google as the oidc provider, it creates the same format url but the link is successful and returns a token.

2

Try using “http://localhost” as the redirect-uri for the client instead. “http://localhost” is a special redirect-uri within Keycloak that allows any port to be used.

3

Thanks @stianst for responding :slight_smile:

I have learnt something as I did not know that is a special redirect.

Unfortunately I am getting;

We’re sorry…

Invalid parameter: redirect_uri

Edit: I should add I have nothing entered in the base url etc, only ‘*’ for the moment in web origins.

Edit2: OIDC redirect url is as follows

redirect_uri=http%3A%2F%2F127.0.0.1%3A34347&response_type=code&scope=openid+email&state=jkykuijhkghjhjkhjgkhjgkhj

Edit3: This is the only redirect I can get to work, but it doesn’t like the https as I say above. Replacing the https with http it resolves and i get the token;

http://127.0.0.1:*

Shouldn’t 127.0.0.1 be seen as special by keycloak too?

4

127.0.0.1 should be special as well yes, and it is actually recommended to use 127… and not localhost. It’s not supported right now though. Can you open a JIRA for supporting it?

http://127.0.0.1:* - won’t work as Keycloak won’t replace the ‘’. We only support '’ in the context path, so http://127.0.0.1/*, but that’s obviously not what you’re after.

5

Yes I can add a JIRA if you could point me to where its located :slight_smile:

Not entirely following your next para, do you mean it won’t replace the colon?

I presume though if 127.0.0.1 is treated as special then my particular case here would work, is that correct? As I am only adding the colon as the port changes each time, but you said localhost is special and will allow any port…

Have i understood that correctly?

Edit1: Found the tracker will add. Please update if I have not understood the issue correctly :slight_smile:

6

JIRA created here → https://issues.jboss.org/browse/KEYCLOAK-11699

Go easy its my first submission :slight_smile:

7

Do you have a proxy in front of keycloak? Is it passing the correct FORWARDED headers? (especially PROTO)
If keycloak is sending back an https://localhost redirect, that’s because it thought you were going to https://localhost.

8

Hi there,

Yes i do, i have an nginx proxy in front of keycloak.

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

I couldn’t find a best practice / working nginx proxy conf for keycloak, if such a thing exists?

The manual appears to be related to wildfly if I recall correctly.