TomEE App + Keycloak in K8s cluster

Hi All,

I’m trying to secure a TomEE (Tomcat) web app originally running on port 80 (no SSL) and load balanced by the Nginx Ingress Controller, which provides SSL (integrated with Let’s Encrypt) and serves requests on port 443 (SSL termination by the Ingress Controller). The ingress configures the https://my.web-app.com URL.

When I set “ssl-required”: “all” in the adapter keycloak.json, I get a 403 error page and can see this error in the app log:

ERROR [http-nio-8080-exec-9] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode Adapter requires SSL. Request: http://my.web-app.com/?state=50292394-981e-4c17-a9dc-e19c92256d66&session_state=1af28e7c-7c99-442e-906f-4fe9b04b25e5&code=e9756952-addb-4ee1-8edd-e039339f49a5.1af28e7c-7c99-442e-906f-4fe9b04b25e5.c0e25ffa-7230-4714-a15a-5849431b4622

Note the https:// changed to http:// in the request (probably because TomEE serves requests using http, not https, but I’m not sure).

Setting “ssl-required”: “external” makes it work: the secured page is loaded, even though I still see the http:// in the redirect_uri sent to Keycloak by the adapter.
Also, I had to change the ‘Valid Redirect URIs’ in the Keycloak admin UI to http://; otherwise (when it was https://) it failed with an ‘Invalid parameter: redirect_uri’ message.

Is this normal, or am I doing something wrong?

Thanks!
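
The behaviour described in the post, as an added example that is not part of the original post or Keycloak's own code: a simplified Python model of how the adapter's ssl-required modes interact with the scheme a backend sees behind a TLS-terminating ingress. The pod address, pod CIDR, function names and the assumption that the ingress sends X-Forwarded-Proto are constructed for illustration.

```python
import ipaddress

# Address ranges Keycloak's docs describe as exempt under ssl-required "external".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ssl_required_for(mode, remote_addr):
    """Simplified model of the ssl-required policy: must this peer use HTTPS?"""
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "external":
        addr = ipaddress.ip_address(remote_addr)
        return not any(addr in net for net in PRIVATE_NETS)
    raise ValueError(f"unknown ssl-required mode: {mode!r}")

def effective_scheme(remote_addr, headers, trusted_proxies=None):
    """Scheme the app sees on a plain-HTTP connector.

    X-Forwarded-Proto is honoured only when the TCP peer is inside
    trusted_proxies; otherwise any client could claim "https".
    """
    if trusted_proxies is not None:
        peer = ipaddress.ip_address(remote_addr)
        proto = headers.get("X-Forwarded-Proto", "").lower()
        if peer in ipaddress.ip_network(trusted_proxies) and proto in ("http", "https"):
            return proto
    return "http"

def adapter_decision(mode, remote_addr, headers, trusted_proxies=None):
    """Return (HTTP status, scheme used to build redirect_uri)."""
    scheme = effective_scheme(remote_addr, headers, trusted_proxies)
    if scheme != "https" and ssl_required_for(mode, remote_addr):
        return 403, scheme  # the "Adapter requires SSL" case
    return 200, scheme

# Constructed sample: ingress controller pod address and the header it adds.
INGRESS_POD = "10.42.0.17"
POD_CIDR = "10.42.0.0/16"
FWD = {"X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for mode in ("all", "external"):
        print(mode, "no proxy handling:", adapter_decision(mode, INGRESS_POD, FWD))
        print(mode, "proxy handling:   ", adapter_decision(mode, INGRESS_POD, FWD, POD_CIDR))
```

In Tomcat/TomEE, the forwarded-header handling modelled here by trusted_proxies is provided by RemoteIpValve (its protocolHeader and internalProxies attributes).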