We are currently setting up Keycloak as the new IDP. We have various environments with separate instances (dev, test, prod), but we also have our developers working on their local machines (local-dev).
The environments are working ok, but when we try to authenticate with the dev Keycloak instance from our localhost (local-dev), we always get redirected to the dev instance of the client rather than the localhost instance on the dev machine.
We have used other IDPs (e.g. Azure Active Directory) where this works ok, so we are wondering what we are doing wrong with Keycloak or if it is supported at all?
Here is the setup and some examples:
- dev webserver (reverse proxy) instance: devwebserver.somedomain.com
  - rewrites requests to /auth to devidp.somedomain.com/auth using IIS rewrite
  - X-Forwarded-For gets set
  - SSL offloading
- dev Keycloak instance: devidp.somedomain.com
- Local dev machines, running the Angular client on: https://localhost:4200/someclient
  - for now we are using implicit flow
- Realm: somerealm
- Client: someclient
  - https://localhost:4200/* is set as valid redirect URI on dev Keycloak
So the issuer URL would look like: https://devwebserver.somedomain.com/auth/realms/somerealm
What happens:
- We navigate to https://localhost:4200/someclient, our local instance of someclient
- Angular redirects us to https://devwebserver.somedomain.com/auth/realms/somerealm/protocol/openid-connect/auth?response_type=id_token&client_id=someclient&state=9q8zn9qxn89nBsudf79T897bt9807TB987tB9%3B%2F&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fsomeclient&scope=openid%20profile%20email&nonce=n79g8907BG897btb0897tOuBONIUN89HOUigokJGIOU9876kjhKLJkj
- We log in
- Keycloak redirects to https://devwebserver.somedomain.com/someclient instead of https://localhost:4200/someclient
Any idea how we could get the redirect to localhost to work with this setup?
We'd appreciate any hints.
Ben
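As an added diagnostic (not part of the post above), this script takes the authorization request and the observed final Location from the post and checks two things: whether the requested redirect_uri is actually covered by the client's Valid Redirect URIs entry, and whether the browser ended up at a different origin than the one the client asked for. The matching rule is an assumption modelled on Keycloak's documented behaviour (exact match, or prefix match when the entry ends in `*`); state and nonce values are shortened.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the post above (state and nonce shortened).
AUTH_REQUEST = (
    "https://devwebserver.somedomain.com/auth/realms/somerealm/protocol/openid-connect/auth"
    "?response_type=id_token&client_id=someclient&state=9q8zn9qxn89n"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fsomeclient"
    "&scope=openid%20profile%20email&nonce=n79g8907BG897"
)
# The Valid Redirect URIs entry configured on the dev Keycloak client.
VALID_REDIRECT_URIS = ["https://localhost:4200/*"]
# Where the browser was actually sent after login.
OBSERVED_LOCATION = "https://devwebserver.somedomain.com/someclient"


def requested_redirect_uri(auth_request: str) -> str:
    """Return the URL-decoded redirect_uri parameter of an authorization request."""
    query = parse_qs(urlsplit(auth_request).query)
    return query["redirect_uri"][0]


def matches_valid_redirect(redirect_uri: str, pattern: str) -> bool:
    """Assumed Keycloak-style rule: trailing '*' = prefix match, otherwise exact match.

    Note that a trailing '*' accepts every path under the prefix, so keep the
    prefix as long as possible (scheme, host, port and base path)."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def is_allowed(redirect_uri: str, patterns: list[str]) -> bool:
    return any(matches_valid_redirect(redirect_uri, p) for p in patterns)


def diagnose(auth_request: str, patterns: list[str], observed_location: str) -> str:
    """Compare what the client asked for with where the browser actually landed."""
    wanted = requested_redirect_uri(auth_request)
    if not is_allowed(wanted, patterns):
        return "redirect_uri is not covered by Valid Redirect URIs; Keycloak should reject it"
    want, got = urlsplit(wanted), urlsplit(observed_location)
    if (want.scheme, want.netloc) != (got.scheme, got.netloc):
        return (f"allowed redirect_uri {wanted} but browser landed on "
                f"{got.scheme}://{got.netloc}; check for a response-header (Location) "
                f"rewrite between Keycloak and the browser")
    return "redirect went to the requested origin"


if __name__ == "__main__":
    print(diagnose(AUTH_REQUEST, VALID_REDIRECT_URIS, OBSERVED_LOCATION))
```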