I have a dockerized Keycloak container, running inside a VPN with an IIS reverse proxy, which seems to be overwriting the login.microsoftonline.com/[tenantId]/.../authorize endpoint URL with the proxy domain name when trying to log in to Microsoft through a Keycloak OIDC identity provider.
My setup is as follows:
- Ubuntu Linux running docker + Keycloak:22.01 (Quarkus) running as production
- Windows Server 2019 running IIS Reverse Proxy with valid SSL certificates
- All under the same VPN
The reverse proxy: www.example_kcproxy.com points to example_private_ip:port. As recommended by the Keycloak docs, I have the reverse proxy setting the Forwarded-For, Forwarded-Port, Forwarded-Host and Forwarded-Proto headers to their respective values (web.config):
<serverVariables>
    <set name="HTTP_X_Forwarded_Proto" value="https" />
    <set name="HTTP_X_Forwarded_For" value="{HTTP_X_Forwarded_For},{REMOTE_ADDR}" />
    <set name="HTTP_X_Forwarded_Host" value="{HTTP_HOST}" />
</serverVariables>
My docker-compose config (Keycloak environment section):
KEYCLOAK_PROXY_ADDRESS_FORWARDING: 1
KEYCLOAK_FRONTEND_URL: https://www.example_kcproxy.com/
KC_HOSTNAME_ADMIN_URL: https://www.example_kcproxy.com/
KC_HOSTNAME_STRICT: 1
KC_PROXY: edge
KC_HOSTNAME: www.example_kcproxy.com
KC_HOSTNAME_STRICT_HTTPS: 1
I've tried different settings and combinations of settings; this is just my final config that is stable and production ready.
So everything works perfectly fine through the reverse proxy. I can admin my way through the Keycloak front end, configure Identity Providers, clients, realms, etc.
I've successfully set up an OIDC Identity Provider that brokers Microsoft Azure AD login. I've tested this setup without a reverse proxy, directly on the VPN, and I can successfully log in through Microsoft from the Keycloak admin.
Great, all good! However, when I introduce the reverse proxy, all Keycloak admin-related stuff works perfectly EXCEPT when I try to log in through the Microsoft IdP. The Microsoft Authorization URL, e.g. login.microsoftonline.com/[tenantId]/.../authorize, that Keycloak needs to use to redirect me to the Microsoft login consent screen gets its base URL replaced with www.example_kcproxy.com. So I get www.example_kcproxy.com/[tenantId]/.../authorize, which is incorrect... and this is my issue.
I'm almost certain that Keycloak is using the reverse proxy headers to construct this URL, which is interesting, because I have the correct URL specified as the Authorization URL when setting up an Identity Provider for the Keycloak realm. When I remove the X-Forwarded-* headers, Keycloak still replaces the Microsoft login domain URL, but this time with example_private_ip:port, which is essentially the same issue, just with the actual Keycloak server IP.
I'm probably missing some config setting to ensure Keycloak does not overwrite the login.microsoftonline.com URL for the authorize endpoint on Microsoft.
So, dunno, I'm stuck here lol. Any help would be greatly appreciated, thanks!
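Added here as a diagnostic, not code from the question or from Keycloak: a small Python checker for the Location header Keycloak returns when it sends the browser to the brokered IdP. It assumes Keycloak's broker callback path `/realms/<realm>/broker/<alias>/endpoint`; the hostnames, realm name, broker alias and tenant id are placeholders. A correctly proxied login keeps the authorize URL on the IdP host and puts only the redirect_uri on the proxy host, which is what the checker verifies.

```python
"""Check a brokered-login redirect from Keycloak behind a reverse proxy.

Hypothetical diagnostic, not Keycloak's or IIS's own code. It inspects the
Location header Keycloak returns for /realms/<realm>/broker/<alias>/login:
the authorize URL must stay on the identity provider's host, while the
redirect_uri parameter inside it must point at the public proxy hostname.
"""
from urllib.parse import urlparse, parse_qs

IDP_HOST = "login.microsoftonline.com"    # external IdP host that must not be rewritten
PUBLIC_HOST = "www.example_kcproxy.com"   # the reverse proxy / KC_HOSTNAME value


def check_broker_redirect(location: str, idp_host: str = IDP_HOST,
                          public_host: str = PUBLIC_HOST) -> list:
    """Return a list of problems found in the redirect; an empty list means it looks right."""
    problems = []
    auth = urlparse(location)
    if auth.scheme != "https":
        problems.append(f"authorize URL is not https: {auth.scheme}")
    if auth.hostname != idp_host:
        problems.append(f"authorize URL host is {auth.hostname!r}, expected {idp_host!r}")
    if not auth.path.endswith("/authorize"):
        problems.append(f"authorize URL path does not end in /authorize: {auth.path}")
    redirect = parse_qs(auth.query).get("redirect_uri", [None])[0]
    if redirect is None:
        problems.append("redirect_uri parameter missing")
    else:
        cb = urlparse(redirect)  # the callback must be the public Keycloak URL, not the private IP
        if cb.scheme != "https" or cb.hostname != public_host:
            problems.append(f"redirect_uri points at {cb.scheme}://{cb.hostname}, "
                            f"expected https://{public_host}")
        if "/broker/" not in cb.path or not cb.path.endswith("/endpoint"):
            problems.append(f"redirect_uri path is not a broker endpoint: {cb.path}")
    return problems


# Constructed sample Location headers (tenant id, client id and realm are placeholders).
GOOD = ("https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize"
        "?client_id=CLIENT_ID_PLACEHOLDER&response_type=code&scope=openid"
        "&redirect_uri=https%3A%2F%2Fwww.example_kcproxy.com%2Frealms%2Fmyrealm%2Fbroker%2Fmicrosoft%2Fendpoint")
# The symptom from the question: the IdP host replaced by the proxy host.
REWRITTEN = ("https://www.example_kcproxy.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/authorize"
             "?client_id=CLIENT_ID_PLACEHOLDER&response_type=code&scope=openid"
             "&redirect_uri=https%3A%2F%2Fwww.example_kcproxy.com%2Frealms%2Fmyrealm%2Fbroker%2Fmicrosoft%2Fendpoint")

if __name__ == "__main__":
    for name, loc in (("good", GOOD), ("rewritten", REWRITTEN)):
        print(name, check_broker_redirect(loc) or "OK")
```

Feed it the Location value captured in the browser's network tab when clicking the Microsoft IdP button, once with the proxy in the path and once without, to see which of the two hosts is being substituted.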