I am trying to authenticate in a Keycloak server, however the redirect_uri doesn't come with the context (/admin/).

Nginx is producing a wrong URI redirect_uri: hxxps://***.pt/auth/realms/example/protocol/openid-connect/auth?response_type=code&client_id=appmovel&redirect_uri=http%3A%2F%2Fnewservice%2F&state=... Since there is no /admin/ in the URL, the callback fails.

nginx config file:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# HTTPS server
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      cert.pem;
    ssl_certificate_key  cert.key;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /api {
        absolute_redirect off;
        proxy_pass http://web-service:8080/api;
    }

    location /admin/ {
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://web-service:8080/;
    }
}

How and where should I configure this to keep/add the context (/admin) in the redirect_uri? Can it be done by an nginx rewrite rule?

Winter
  • The redirect most probably comes from your keycloak server, not from nginx. Configure the proper baseurl in your keycloak. – Gerald Schneider Jan 19 '22 at 10:57
  • https://www.keycloak.org/docs/latest/server_installation/index.html#default-provider – Gerald Schneider Jan 19 '22 at 11:09
  • Keycloak is working well (it's an old installation that other applications are using without a problem). The problem is on the Tomcat servlet that is published in ROOT and mapped by nginx in /admin, so when it tries to authenticate in Keycloak, nginx/Tomcat sends a wrong callback address to Keycloak, since nginx only rewrites the host and does not add the /admin context. – Winter Jan 19 '22 at 11:09
  • The problem still needs to be fixed in the application, so that it sends proper URLs in its responses. – Tero Kilkanen Jan 19 '22 at 23:27

0 Answers
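
An added example, not part of the original question or its comments: a Python check that decodes the redirect_uri from an authorization request like the one quoted in the question and lists where it differs from the public URL the proxy exposes. The host names, the `state` value, the public base URL and the `check_redirect_uri` helper are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: same realm, client_id and redirect_uri as the request in
# the question; the Keycloak host and state value are placeholders.
AUTH_URL = (
    "https://sso.example.test/auth/realms/example/protocol/openid-connect/auth"
    "?response_type=code&client_id=appmovel"
    "&redirect_uri=http%3A%2F%2Fnewservice%2F&state=constructed-state"
)
# Assumed public URL under which nginx publishes the application.
PUBLIC_BASE = "https://app.example.test/admin/"


def check_redirect_uri(auth_url, public_base):
    """List how the redirect_uri in an OIDC authorization request differs
    from the public base URL that browsers actually use."""
    # parse_qs returns percent-decoded values, one list per parameter name.
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    if len(values) != 1:
        return ["expected exactly one redirect_uri, found %d" % len(values)]
    got, want = urlsplit(values[0]), urlsplit(public_base)
    problems = []
    if got.scheme != want.scheme:
        problems.append("scheme is %r, expected %r" % (got.scheme, want.scheme))
    if got.netloc.lower() != want.netloc.lower():
        problems.append("host is %r, expected %r" % (got.netloc, want.netloc))
    # The callback must live under the proxied context, e.g. /admin/...
    prefix = want.path.rstrip("/") + "/"
    if got.path != prefix.rstrip("/") and not got.path.startswith(prefix):
        problems.append("path %r is outside context %r" % (got.path, prefix))
    return problems


if __name__ == "__main__":
    for problem in check_redirect_uri(AUTH_URL, PUBLIC_BASE):
        print("redirect_uri mismatch:", problem)
```

For the sample request this reports three mismatches (scheme, host and context path), which shows the application is building its callback from the backend's view of the request rather than from the URL the browser used.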