I am having trouble trying to figure out what the values should be for ‘Valid Redirect URIs’, ‘Base URL’, ‘Backchannel Logout URL’. I am using Keycloak 15.02 along with 10 Spring Boot applications, and 2 Realms. The suite of applications and Keycloak are deployed to our customer sites, and may have more than 2 realms in some cases.
In our dev environment we have two hosts (api.dev and web.dev) that are running Keycloak and the client apps. Everything is running in Docker containers.
The client config for ‘Valid Redirect URIs’ and ‘Backchannel Logout URL’ currently includes the host name web.dev. I’d like to be able to remove that host name to make the Realm configs portable between environments. Having to configure each client in each realm makes for a lot of repetitive and mistake-prone work.
But when I remove the hostname, I get the error: Invalid parameter: redirect_uri.
The redirect URL shown by Keycloak in the request parameters looks the same for both configurations, so I don’t really understand why it’s telling me that it’s invalid.
This works:
Valid Redirect URIs: http://web.dev.etisoftware.local/launchpad/*
Backchannel Logout URL: http://web.dev.etisoftware.local/launchpad/sso/logout
That configuration produces the redirect_uri value seen in the following request:
http://api.dev.etisoftware.local:8080
/auth/realms/OSS/protocol/openid-connect/auth
?response_type=code
&client_id=launchpad
&scope=openid%20profile%20email%20roles
&state=E-8VBZUc1CbsIUi5HdPG68pNK1IVNB8bzDT3Aengx9Q%3D
&redirect_uri=http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS
&nonce=3OUMxVmrglSC0KK-WGWDjG4yB9TOuvqBO5TMnDk4R-A
But this does not:
Valid Redirect URIs: /launchpad/*
Backchannel Logout URL: /launchpad/sso/logout
That configuration produces the redirect_uri value seen in the following request:
http://api.dev.etisoftware.local:8080
/auth/realms/OSS/protocol/openid-connect/auth
?response_type=code
&client_id=launchpad
&scope=openid%20profile%20email%20roles
&state=cGh1zZ3et0ssogIsNclL2sHcrfDxNePaHf5UXxw0aR8%3D
&redirect_uri=http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS
&nonce=Qm846RYZZnU3fG4Cj75e8lBejupf24VbV1WjDVW1NJA
As you can see, the values for redirect_uri in the request parameters are the same for both requests and client configurations, so it’s unclear (to me) what Keycloak is trying to tell me.
I also happen to have Keycloak and the client apps running in a K3s cluster. For some reason in that environment I don’t have to have the hostname in the Valid Redirect URIs and it works perfectly fine. Is it just a fluke?
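The following is an added example, not code from the post or from Keycloak itself. It is a small Python model of how a "Valid Redirect URIs" pattern is matched against the redirect_uri in an authorization request, built on the rule from the Keycloak admin-console help text that a relative pattern is resolved against the client's Root URL, or against the auth server's URL when no Root URL is set. The redirect_uri and auth server origin are taken from the request shown above; the function names, the use of the bare origin (scheme://host:port) as the fallback base, and the fragment check are assumptions of this model, not Keycloak's implementation.

```python
"""Constructed model of 'Valid Redirect URIs' matching.

Assumption: a relative pattern such as /launchpad/* is resolved against the
client's Root URL when one is configured, otherwise against the auth server's
origin. Keycloak's real code may differ in detail; this only illustrates why the
same redirect_uri is accepted with an absolute pattern and rejected with a
relative one when Keycloak and the app live on different hosts.
"""
from urllib.parse import urlsplit

# Values taken from the request in the post; the origin is derived from it.
REDIRECT_URI = "http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS"
AUTH_SERVER_ORIGIN = "http://api.dev.etisoftware.local:8080"


def resolve_valid_redirects(patterns, root_url, auth_server_origin):
    """Expand each configured pattern into an absolute pattern.

    Relative patterns (leading '/') are prefixed with the Root URL, or with the
    auth server origin when no Root URL is set; absolute ones are kept as-is.
    """
    base = (root_url or auth_server_origin).rstrip("/")
    return [base + p if p.startswith("/") else p for p in patterns]


def pattern_matches(pattern, redirect_uri):
    """A trailing '*' is a prefix wildcard; anything else must match exactly."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def is_valid_redirect(redirect_uri, patterns, root_url=None,
                      auth_server_origin=AUTH_SERVER_ORIGIN):
    """Return True when redirect_uri is covered by at least one resolved pattern.

    A redirect_uri carrying a fragment, or a non-http(s) scheme, is rejected
    outright (OAuth 2.0 forbids fragments in redirect URIs).
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment or parts.scheme not in ("http", "https"):
        return False
    resolved = resolve_valid_redirects(patterns, root_url, auth_server_origin)
    return any(pattern_matches(p, redirect_uri) for p in resolved)


def evaluate_post_configs():
    """Run the two client configurations from the post, plus a Root URL variant."""
    return {
        "absolute pattern, no Root URL":
            is_valid_redirect(REDIRECT_URI,
                              ["http://web.dev.etisoftware.local/launchpad/*"]),
        # Resolves to http://api.dev.etisoftware.local:8080/launchpad/*, which
        # does not cover a redirect back to web.dev.
        "relative pattern, no Root URL":
            is_valid_redirect(REDIRECT_URI, ["/launchpad/*"]),
        # Hypothetical: same relative pattern with the app host as Root URL.
        "relative pattern, Root URL set":
            is_valid_redirect(REDIRECT_URI, ["/launchpad/*"],
                              root_url="http://web.dev.etisoftware.local"),
    }


if __name__ == "__main__":
    for name, ok in evaluate_post_configs().items():
        verdict = "accepted" if ok else "Invalid parameter: redirect_uri"
        print(f"{name}: {verdict}")
```

Under this model the relative pattern only works when the base it is resolved against is the application's host, which is also why a deployment where Keycloak and the apps share one hostname behaves differently from one where they sit on api.dev and web.dev. Whatever base is used, keep the wildcard as narrow as the post already does (/launchpad/* rather than /* or a bare host), since the pattern is what stops an authorization code from being sent to an attacker-controlled path.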