Describe the bug
Following (https://github.com/keycloak/keycloak/issues/10817), I've updated keycloak the newest version (18), and I'm still running in to some issues.
As described, the current proxy setting is edge
First issues is that when the server is first spawn up, we get a redirect_uri error:
LOGS:
DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-11) Recalculated absoluteURI to http://something.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fsomething.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=fbd3f10a-d929-4af8-a4ce-e3ef06c1b89e&response_mode=fragment&response_type=code&scope=openid&nonce=ea937eae-bcc6-4bf3-aae3-0a4b3742c9d7&code_challenge=pNq3qur9_XOZfrTirOaHRMxCx8pdGL-yeFjAKbLLiHA&code_challenge_method=S256
DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-11) replacing relative valid redirect with: http://something.com/auth/admin/master/console/*
WARN [org.keycloak.events] (executor-thread-11) type=LOGIN_ERROR, realmId=a1634d31-f503-4b6b-9ce9-522e84855fc7, clientId=security-admin-console, userId=null, ipAddress=40.41.43.44, error=invalid_redirect_uri, redirect_uri=https://something.com/auth/admin/master/console/
Here we can see that calls are reaching the keycloak server as http, so I'm guessing that nginx ingress is forwarding the headers correctly, however its expected that the server knows that its being redirected from an https origin and should allow for access as such. This does not happen as we get the aforementioned redirect_uri error.
To fix this, we need to add the absoluteURI to the redirect_uris of the security-admin-console client using kcadm:
./kcadm.sh update clients/ -s 'redirectUris=["https://something.com/auth/*"]' --no-config --server http://localhost:8080/auth --realm master --user admin --password admin
We can now enter the password and the user to get access to the admin console, but some requests are generated with the wrong scheme:
If we copy the request as cURL we get the following:
curl 'http://something.com/auth/admin/realms' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0' -H 'Accept: application/json, text/plain, /' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: Bearer <TOKEN>' -H 'Origin: https://something.com'
As we can see the address is generated with HTTP, at this point the browser identifies this as a possible risk and flags the requests as MIXED BLOCK. I'm not able to get any logs from this as the browser doesn't even try to reach the server. However if we take this and change to HTTPS and run the cURL command its is successful.
There are however some requests that are generated correctly:
So my guess is that something in the client-sided application is generating the urls incorrectly.
Is this a known bug or is it some miss configuration on my side?
My current setup is as follows:
KEYCLOAK 18 (quarkus):
KC_PROXY=EDGE
KC_HOSTNAME=something.com
KC_PORT = 8080
KC_HTTP_RELATIVE_PATH=/auth
Cloud Provicer is AWS
Running on Kubernentes (EKS)
INGRESS-CONTROLLER = nginx
Ingress variables:
host: something.com
path: /
port: 8080
Version
18
Expected behavior
Not getting redirect_url error and being able to access the admin console.
Actual behavior
Getting redirect_url on a fresh instance and not being able to access the admin console.
How to Reproduce?
Spawn a new keycloak instance in kubernetes with KC_PROXY=edge and with an nginx ingress. Then just access the browser on the defined url.
Anything else?
https://github.com/keycloak/keycloak/issues/10817
https://github.com/keycloak/keycloak/issues/11667
https://keycloak.discourse.group/t/mixed-block-error-on-api-request-on-the-admin-console/15178
kind/bug area/dist/quarkus status/triage