Keycloak Redirect URI is adding port zero to the url

Question

Encountered redirect_uri error in keycloak. Found same issue logged at JIRA KEYCLOAK-7237, just want to check any work around? Anyone can help? Thank you in advance.

2018-06-30 11:34:13,996 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=Victz, clientId=portal, userId=null, ipAddress=, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/home

I am using apache http reverse proxy running on centos7, wildly 10, keycloak 3.4.3. has also tried in below environment but same error.

Tried in wildly 10, wildly 11, jboss 7.1, Keycloak 3.4.3 as well as keycloak 4.0

Also tried shutdown apache http and access directly to http://www.example.org:8080/home , but seems return_uri automatically been converted to https with port 0.

Please see below standalone.xml, tried removed below proxy-peer and request-dumper config but no luck.

    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <buffer-cache name="default"/>
        <server name="default-server">
            <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" enable-http2="true"/>
            <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <location name="/drive" handler="drive"/>
                <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; &quot;%{i,COOKIE}&quot; &quot;%{o,SET-COOKIE}&quot; %S &quot;%I %T&quot;" prefix="access."/>
                <filter-ref name="server-header"/>
                <filter-ref name="x-powered-by-header"/>
                <http-invoker security-realm="ApplicationRealm"/>
            </host>
            <host name="example1" alias="example.com1,www.example.com1" default-web-module=“example1-0.1.war">
                <location name="/drive" handler="drive”/>
                <filter-ref name="proxy-peer"/>
                <filter-ref name="request-dumper" priority="30"/>
            </host>
            <host name="example2" alias="example.com2,www.example.com2" default-web-module="example2-0.1.war">
                <location name="/drive" handler="drive"/>
                <filter-ref name="proxy-peer"/>
                <filter-ref name="request-dumper" priority="30"/>
            </host>
            <host name="example3" alias="example.com3,www.example.com3" default-web-module="example3-0.1.war">
                <location name="/drive" handler="drive"/>
                <filter-ref name="proxy-peer"/>
                <filter-ref name="request-dumper" priority="30"/>
            </host>

        </server>
        <servlet-container name="default">
            <jsp-config/>
            <websockets/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            <file name="drive" path="/app/drive"/>
        </handlers>
        <filters>
            <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
            <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/>
            <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core"/>
        </filters>
    </subsystem>

Answer 1

语境

当在反向代理后面使用 Keycloak 的Spring Boot 客户端适配器时，由于配置不完整或错误，OAuthRequestAuthenticator.javaredirect_uri设置的URL 查询参数可能包含端口后缀。:0

基本问题

为了构建redirect_uri，Spring Boot 应用程序需要猜测其公共 URL，至少包括协议和主机名，还可能包括 IP 端口。在反向代理后面，这需要与代理合作和/或显式配置。

解释：0

如果:0存在，可能是由OAuthRequestAuthenticator.java设置的（这种松散的处理可能被认为是一个错误，但在本例中源于不完整的配置。）：Keycloak 识别出 Spring Boot 应用程序正在谈论 HTTPS，但它发现没有 HTTPS端口配置，因此默认为零。

解决步骤

假如说：

• 这是关于 Spring Boot 应用程序
• 在反向代理后面运行
• 充当 Keycloak 客户端

您需要确保以下事项来解决问题：

1. 配置反向代理以添加以下标头
   • x-forwarded-for告诉主机名
   • x-forwarded-proto判断连接是否安全
2. 配置 Spring Boot 应用程序以正确运行
   • 只需阅读当前关于在代理服务器后面运行的 Spring Boot “操作方法”指南（一个简洁的屏幕页面）
3. 配置Keycloak的Spring Boot适配器
   • 也许你需要明确confidential-port设置443

故障排除/交叉检查

只有一点：假设这是关于反向代理后面的 Spring Boot 应用程序，您应该能够使用tcpdump或类似的方法来监视未加密的流量（如-i lo -s0 -A）并查看 HTTP 标头。发送到 Spring Boot 应用程序的任何请求都应包含上述 Spring Boot Security How-to 所需的标头（x-forwarded-for和x-forwarded-proto），否则，代理配置错误。

Answer 2

我遇到了同样的问题。我的 Spring Boot 应用程序位于 nginx 后面。我更新了 nginx 以传递 x-forwarded 标头，并更新了 spring boot 配置

春季启动 yaml 配置：

server:
  use-forward-headers: true    

keycloak:
  realm: myrealm
  public-client: true
  resource: myclient
  auth-server-url: https://sso.example.com:443/auth
  ssl-required: external
  confidential-port: 443

nginx 配置：

upstream app {
   server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
   server 1.2.3.5:8042 max_fails=1 fail_timeout=60s;
}

server {
    listen 443;
    server_name www.example.com;

    ...

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Port   443;

        proxy_next_upstream     error timeout invalid_header http_500;
        proxy_connect_timeout   2;

        proxy_pass          http://app;
    }
}

使它对我有用的具体更改是添加keycloak.confidential-port. 一旦我添加它不再在redirect_uri中添加端口0。

希望有帮助。