Unexpected redirect from localhost client with dev keycloak instance

We are currently setting up Keycloak as the new IDP. We have various environments with separate instances (dev, test, prod), but we also have our developers working on their local machines (local-dev).
The environments are working ok, but when we try to authenticate with the dev Keycloak instance from our localhost (local-dev), we always get redirected to the dev instance of the client rather than the localhost instance on the dev machine.

We have used other IdPs (e.g. Azure Active Directory) where this works ok, so we are wondering what we are doing wrong with Keycloak, or if it is supported at all.

Here is the setup and some examples:

  • dev webserver (reverse proxy) instance: devwebserver.somedomain.com
  • dev Keycloak instance: devidp.somedomain.com
  • Local dev machines, running angular client on: https://localhost:4200/someclient
    • for now we are using implicit flow
  • Realm: somerealm
  • Client: someclient

So the issuer URL would look like:

  • https://devwebserver.somedomain.com/auth/realms/somerealm

What happens:

  1. We navigate to https://localhost:4200/someclient to our local instance of someclient
  2. Angular redirects us to https://devwebserver.somedomain.com/auth/realms/somerealm/protocol/openid-connect/auth?response_type=id_token&client_id=someclient&state=9q8zn9qxn89nBsudf79T897bt9807TB987tB9%3B%2F&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fsomeclient&scope=openid%20profile%20email&nonce=n79g8907BG897btb0897tOuBONIUN89HOUigokJGIOU9876kjhKLJkj
  3. We log in
  4. Keycloak redirects to https://devwebserver.somedomain.com/someclient instead of https://localhost:4200/someclient

Any idea how we could get the redirect to localhost to work with this setup?

We’d appreciate any hints.

Ben

Hi Ben, did you crack this? I think I’m encountering a similar (the same?) problem. I have a vuejs app I’ve added as a client (http://127.0.0.1:3001), I have a reverse proxy set up in IIS (http://idp.mc.local), and then a docker container with Keycloak running (http://127.0.0.1:8080). When I attempt to log in, instead of being redirected back to the vuejs client I am just getting redirected to the reverse proxy with the state value in the URL, as in the network logs in the screenshot below:

If I don’t set a front-end URL for the realm and bypass the proxy / hook my vuejs client up to log in via 127.0.0.1:8080 directly, it redirects to 127.0.0.1:3001/#state… correctly, as below:

I can’t spot any way to sort this issue: the redirect_uri is being ignored by Keycloak and for some reason it is taking me back to the root of my proxy domain. If I manually visit http://127.0.0.1:3001/#state… with the state value copied in from the incorrect redirect, I log in successfully.

Baffling me.

Steve

Solved this one: it was an issue with the IIS proxy setup rather than Keycloak. What was needed was to edit the settings for IIS Application Request Routing and uncheck the option:
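To make the symptom in both posts above (Ben's redirect landing on devwebserver.somedomain.com/someclient, Steve's landing on the root of the proxy domain) concrete, here is an added example that is not from the thread or from Keycloak. It parses an authorization request shaped like the one in Ben's post, builds the 302 Location an IdP returns for the implicit flow (id_token and state in the URL fragment, as the OpenID Connect implicit flow specifies for response_type=id_token), and then models two proxies: one that only rewrites Location headers pointing at the proxied backend itself, and one that stamps its own host onto every redirect. The second mode is an assumption, one way to reproduce what the posts describe; the exact rule IIS Application Request Routing applies is not given on the page. Hostnames, state, nonce and token values are constructed for the example.

```python
"""
Added example (not from the thread): an OIDC implicit-flow redirect passing
through a reverse proxy that may or may not rewrite the Location header.

Assumptions (not stated on the page): the IdP answers with a 302 whose
Location is redirect_uri plus a fragment carrying state and id_token, and
the proxy's rewriting step is modelled as a plain host substitution.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed authorization request, shaped like the one in Ben's post.
AUTH_REQUEST = (
    "https://devwebserver.somedomain.com/auth/realms/somerealm"
    "/protocol/openid-connect/auth"
    "?response_type=id_token&client_id=someclient&state=abc123"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fsomeclient"
    "&scope=openid%20profile%20email&nonce=n-0S6_WzA2Mj"
)

BACKEND_ORIGIN = "https://devidp.somedomain.com"      # Keycloak behind the proxy
PUBLIC_ORIGIN = "https://devwebserver.somedomain.com"  # the reverse proxy


def parse_auth_request(url):
    """Return the (single-valued) query parameters of an authorization request."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    return {k: v[0] for k, v in query.items()}


def idp_authorization_response(params, id_token="hdr.payload.sig"):
    """Location header an IdP returns after login in the implicit flow.

    state and id_token travel in the fragment, which the browser never sends
    to any server; only the script loaded from redirect_uri can read them.
    """
    fragment = urlencode({"state": params["state"], "id_token": id_token})
    return params["redirect_uri"] + "#" + fragment


def proxy_location(location, backend_origin, public_origin,
                   rewrite_all_hosts=False):
    """Model the proxy's treatment of an upstream Location header.

    Correct behaviour: rewrite only redirects to the proxied backend itself
    (e.g. Keycloak's own login pages), so the browser keeps going through
    the proxy, and pass every other origin through untouched.
    rewrite_all_hosts=True models a misconfigured proxy that replaces the
    host of every redirect with its own (assumption, see lead-in).
    """
    loc = urlsplit(location)
    backend = urlsplit(backend_origin)
    public = urlsplit(public_origin)
    points_at_backend = (loc.scheme, loc.netloc) == (backend.scheme, backend.netloc)
    if points_at_backend or rewrite_all_hosts:
        return urlunsplit((public.scheme, public.netloc,
                           loc.path, loc.query, loc.fragment))
    return location


def client_sees_login(location, expected_redirect_uri):
    """What the SPA checks on return: it was reached at its own redirect_uri
    and the fragment carries both state and id_token."""
    loc, want = urlsplit(location), urlsplit(expected_redirect_uri)
    fragment = parse_qs(loc.fragment)
    return ((loc.scheme, loc.netloc, loc.path)
            == (want.scheme, want.netloc, want.path)
            and "state" in fragment and "id_token" in fragment)


def simulate(rewrite_all_hosts):
    """Run the whole exchange and return the Location the browser receives."""
    params = parse_auth_request(AUTH_REQUEST)
    upstream = idp_authorization_response(params)
    return proxy_location(upstream, BACKEND_ORIGIN, PUBLIC_ORIGIN,
                          rewrite_all_hosts)


if __name__ == "__main__":
    for mode in (False, True):
        final = simulate(mode)
        print(f"rewrite_all_hosts={mode}: {final} "
              f"-> login {'ok' if client_sees_login(final, 'https://localhost:4200/someclient') else 'lost'}")
```

The pass-through mode delivers the browser to https://localhost:4200/someclient with the fragment intact; the host-stamping mode delivers the same fragment to the proxy host, which is exactly why Steve could finish the login by pasting the fragment onto his 127.0.0.1:3001 URL by hand. When debugging this class of problem, compare the Location header Keycloak emits (captured directly against the backend, as Steve did) with the one the browser receives through the proxy; if they differ, the proxy, not the IdP, is rewriting the redirect.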