Terminal OIDC Client, Keycloak and http redirects

Hi all

I have been spending some time trying to configure a command line OIDC client on linux and it creates a url in the form of https to the keycloak server, with a http redirect url.

I have keycloak realm set to ‘ssl external’ so localhost and local IP’s should be accepted with a http url,

I am getting an error in the local browser saying it cannot establish a secure connected for the url, but appears to right a https redirect in the browser.

If I remove the ‘s’ from https in the url, keycloak accepts it and returns the correct token.

I have checked for any local http to https redirects and don’t have any, so I wondered if it was a keycloak config error on my part?

My redirect url in keycloak for that client is http://127.0.0.1:*

Thanks in advance for any pointers as its taken a good few days to get this far :slight_smile:

Cheers

I should add using google as the oidc provider, it creates the same format url but the link is successful and returns a token.

Try using “http://localhost” as the redirect-uri for the client instead. “http://localhost” is a special redirect-uri within Keycloak that allows any port to be used.

Thanks @stianst for responding :slight_smile:

I have learnt something as I did not know that is a special redirect.

Unfortunately I am getting;

We’re sorry…

Invalid parameter: redirect_uri

Edit: I should add I have nothing entered in the base url etc, only ‘*’ for the moment in web origins.

Edit2: OIDC redirect url is as follows

redirect_uri=http%3A%2F%2F127.0.0.1%3A34347&response_type=code&scope=openid+email&state=jkykuijhkghjhjkhjgkhjgkhj

Edit3: This is the only redirect I can get to work, but it doesn’t like the https as I say above. Replacing the https with http it resolves and i get the token;

http://127.0.0.1:*

Shouldn’t 127.0.0.1 be seen as special by keycloak too?

127.0.0.1 should be special as well yes, and it is actually recommended to use 127… and not localhost. It’s not supported right now though. Can you open a JIRA for supporting it?

http://127.0.0.1:* - won’t work as Keycloak won’t replace the ‘’. We only support '’ in the context path, so http://127.0.0.1/*, but that’s obviously not what you’re after.

Yes I can add a JIRA if you could point me to where its located :slight_smile:

Not entirely following your next para, do you mean it won’t replace the colon?

I presume though if 127.0.0.1 is treated as special then my particular case here would work, is that correct? As I am only adding the colon as the port changes each time, but you said localhost is special and will allow any port…

Have i understood that correctly?

Edit1: Found the tracker will add. Please update if I have not understood the issue correctly :slight_smile:

JIRA created here -> https://issues.jboss.org/browse/KEYCLOAK-11699

Go easy its my first submission :slight_smile:

Do you have a proxy in front of keycloak? Is it passing the correct FORWARDED headers? (especially PROTO)
If keycloak is sending back an https://localhost redirect, that’s because it thought you were going to https://localhost.

Hi there,

Yes i do, i have an nginx proxy in front of keycloak.

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

I couldn’t find a best practice / working nginx proxy conf for keycloak, if such a thing exists?

The manual appears to be related to wildfly if I recall correctly.