5

We have deployed Keycloak behind a load balancer which is F5. The OIDC clients are sitting in public network uses "https" for all communications. The SSL is terminated in F5 and the packets are forwarded to Keycloak (say on port 8080).
The OIDC client is designed in a such a way so as to use the endpoints (like /token etc) that it receives in the response for the .well-known/openid-configuration request.

The problem here is that the .well-known config is responding with URLs with protocol as http for all the endpoints where as client is expecting protocol with https. Because of this client is not able to make secure connection to these URLs.

Question is - how can we have responses for .well-known/openid-configuration request return with endpoints with protocol https ; like the one mentioned below

{
  "issuer":"https://<domain>/auth/realms/master",
  "authorization_endpoint":"https://<domain>/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint":"https://<domain>/auth/realms/master/protocol/openid-connect/token"
  .......
}

We have followed the steps mentioned in the documentation.

I.e in F5 added the x-Forwarded-For and x-Forwarded-Proto and made the respective keycloak configuration changes as indicated in the documentation. Is there any configuration or setting I might be missing?

Jules Dupont
  • 7,259
  • 7
  • 39
  • 39
Arun Velayudhan
  • 51
  • 1
  • 1
  • 3

2 Answers2

4

I've been struggling with the same problem for days now and finally figured it out. The problem is that Keycloak uses the X-Forwarded-Proto HTTP header when running behind a proxy to determine if the incoming request was made via HTTPS. Your load balancer (in my case AWS ELB) needs to set this header correctly (see similar issue).

When using ELB, you need to make sure that either:

  1. Your listener is set to HTTPS
  2. Your listener is set to TCP and the receiving backend supports the Proxy Protocol

In my case, my listeners were set to TCP but the backend was not configured accordingly. I found that NGINX and Kubernetes' NGINX Ingress Controller support this option.

Marco Lamina
  • 3,326
  • 4
  • 22
  • 22
3

From what I gather, it can be done (I have not used it personally) on the realm level. Though it is long process explaining which fully is beyond the scope of this answer. Instead, I am giving the link to a document.

https://www.keycloak.org/docs/18.0/server_installation/#_clustering

Falchio
  • 174
  • 1
  • 14
UchihaItachi
  • 2,602
  • 14
  • 21