I have been spending some time trying to configure a command line OIDC client on Linux, and it creates a URL in the form of https to the Keycloak server, with an http redirect URL.
I have the Keycloak realm set to ‘ssl external’, so localhost and local IPs should be accepted with an http URL.
I am getting an error in the local browser saying it cannot establish a secure connection for the URL, but it appears to write an https redirect in the browser.
If I remove the ‘s’ from https in the url, keycloak accepts it and returns the correct token.
I have checked for any local http to https redirects and don’t have any, so I wondered if it was a Keycloak config error on my part?
My redirect url in keycloak for that client is http://127.0.0.1:*
Thanks in advance for any pointers, as it’s taken a good few days to get this far.
Cheers
I should add that using Google as the OIDC provider, it creates the same format URL, but the link is successful and returns a token.
Try using “http://localhost” as the redirect-uri for the client instead. “http://localhost” is a special redirect-uri within Keycloak that allows any port to be used.
Edit3: This is the only redirect I can get to work, but it doesn’t like the https as I say above. Replacing the https with http, it resolves and I get the token;
127.0.0.1 should be special as well yes, and it is actually recommended to use 127… and not localhost. It’s not supported right now though. Can you open a JIRA for supporting it?
http://127.0.0.1:* - won’t work as Keycloak won’t replace the ‘*’. We only support ‘*’ in the context path, so http://127.0.0.1/*, but that’s obviously not what you’re after.
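The matching rules described in the reply above, modelled as an added example that is not part of the original thread and is not Keycloak's own code. The function name, the port 8400, the `/callback` path and the `other.example` host are constructed for illustration, and the http-only and unchecked-path behaviour of the localhost rule are assumptions of this model.

```python
from urllib.parse import urlsplit

def redirect_allowed(registered: str, requested: str) -> bool:
    """Illustrative model of the redirect-URI rules described in this thread."""
    try:
        req = urlsplit(requested)
        host = req.hostname
    except ValueError:  # malformed authority component
        return False
    if req.scheme not in ("http", "https") or not host:
        return False

    # Rule 1: a registered "http://localhost" accepts localhost on any port.
    # Assumption: the scheme must stay http and the path is not checked.
    if registered == "http://localhost":
        return req.scheme == "http" and host == "localhost"

    # Rule 2: a trailing "*" is honoured only in the path, so scheme, host
    # and port must match exactly and the path must share the prefix.
    if registered.endswith("/*"):
        reg = urlsplit(registered[:-1])  # drop "*", keep the trailing "/"
        same_origin = (req.scheme, req.netloc) == (reg.scheme, reg.netloc)
        return same_origin and (req.path or "/").startswith(reg.path)

    # Rule 3: everything else, including "http://127.0.0.1:*", is compared
    # as a literal string, so a "*" in the port position never matches.
    return requested == registered

# Constructed sample requests from a CLI client listening on a random port.
CASES = [
    ("http://localhost", "http://localhost:8400/callback"),
    ("http://localhost", "https://localhost:8400/callback"),
    ("http://localhost", "http://localhost@other.example:8400/callback"),
    ("http://127.0.0.1:*", "http://127.0.0.1:8400/callback"),
    ("http://127.0.0.1/*", "http://127.0.0.1/callback"),
    ("http://127.0.0.1/*", "http://127.0.0.1:8400/callback"),
]

def evaluate():
    """Return (registered, requested, allowed) for every constructed case."""
    return [(reg, url, redirect_allowed(reg, url)) for reg, url in CASES]

if __name__ == "__main__":
    for reg, url, ok in evaluate():
        print(f"{'ALLOW' if ok else 'DENY ':5} registered={reg!r} requested={url!r}")
```

Comparing the parsed hostname rather than a string prefix is what keeps a userinfo form such as `localhost@other.example` from passing the localhost rule.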
Yes, I can add a JIRA if you could point me to where it’s located.
Not entirely following your next para, do you mean it won’t replace the colon?
I presume though if 127.0.0.1 is treated as special then my particular case here would work, is that correct? As I am only adding the colon as the port changes each time, but you said localhost is special and will allow any port…
Have I understood that correctly?
Edit1: Found the tracker, will add. Please update if I have not understood the issue correctly.
Do you have a proxy in front of Keycloak? Is it passing the correct FORWARDED headers? (especially PROTO)
If Keycloak is sending back an https://localhost redirect, that’s because it thought you were going to https://localhost.