Keycloak .well-known/openid-configuration is not responding with "https" protocol for the endpoints
Solution 1
I've been struggling with the same problem for days now and finally figured it out. The problem is that Keycloak uses the X-Forwarded-Proto HTTP header when running behind a proxy to determine if the incoming request was made via HTTPS. Your load balancer (in my case AWS ELB) needs to set this header correctly (see similar issue).
When using ELB, you need to make sure that either:
- Your listener is set to HTTPS
- Your listener is set to TCP and the receiving backend supports the Proxy Protocol
In my case, my listeners were set to TCP but the backend was not configured accordingly. I found that NGINX and Kubernetes' NGINX Ingress Controller support this option.
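The following Python is an added example and is not code from the answer, from Keycloak, or from ELB/NGINX. It models the behaviour Solution 1 describes: TLS terminates at the load balancer, so the backend socket only ever sees plain http, and the scheme it advertises in the discovery document comes from X-Forwarded-Proto when, and only when, that header arrives from the trusted proxy. The host name idp.example.test, the realm master and all function names are assumptions made for the example; the scheme-resolution function mirrors the observable behaviour rather than Keycloak's own implementation. It also includes a checker that a practitioner can run over a fetched .well-known/openid-configuration document to list every endpoint that is not https.

```python
"""Model of the scheme decision described in Solution 1, plus a checker for OIDC
discovery documents.  Added example: this is not Keycloak's code, nor ELB/NGINX
configuration; it only reproduces the observable behaviour the answer describes."""
import json
from urllib.parse import urlsplit

# Constructed sample of the symptom: TLS terminates at the load balancer, the
# proxy does not set X-Forwarded-Proto, so every advertised URL is plain http.
# Host name and realm are invented for the example.
SAMPLE_DISCOVERY_HTTP = json.dumps({
    "issuer": "http://idp.example.test/auth/realms/master",
    "authorization_endpoint": "http://idp.example.test/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://idp.example.test/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://idp.example.test/auth/realms/master/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
})


def effective_scheme(listener_scheme, headers, peer_is_trusted_proxy):
    """Scheme a proxy-aware server should advertise for this request.

    listener_scheme: scheme of the socket the request actually arrived on
        ("http" here, because TLS terminates at the load balancer).
    headers: request headers; lookup is case-insensitive.
    peer_is_trusted_proxy: True only when the direct peer is the reverse proxy.
        X-Forwarded-Proto is honoured solely in that case; a server that trusts
        the header from any client lets that client choose the scheme in the
        issuer and endpoint URLs it hands out.
    """
    if not peer_is_trusted_proxy:
        return listener_scheme
    xfp = next((v for k, v in headers.items() if k.lower() == "x-forwarded-proto"), None)
    if xfp is None:
        return listener_scheme
    # Chained proxies append to the header; the first entry is the client-facing hop.
    first_hop = xfp.split(",")[0].strip().lower()
    return first_hop if first_hop in ("http", "https") else listener_scheme


def discovery_document(scheme, host, realm):
    """Build the subset of .well-known/openid-configuration that the question quotes,
    with every URL derived from the scheme the server decided on."""
    base = f"{scheme}://{host}/auth/realms/{realm}"
    return {
        "issuer": base,
        "authorization_endpoint": f"{base}/protocol/openid-connect/auth",
        "token_endpoint": f"{base}/protocol/openid-connect/token",
        "jwks_uri": f"{base}/protocol/openid-connect/certs",
    }


def insecure_urls(doc):
    """Names of the URL-valued fields (issuer, *_endpoint, *_uri) whose scheme is not https.
    An empty list means a client that follows the document will only speak TLS."""
    url_keys = [k for k in doc if k == "issuer" or k.endswith("_endpoint") or k.endswith("_uri")]
    return sorted(k for k in url_keys if urlsplit(str(doc[k])).scheme != "https")


def audit_discovery_json(text):
    """Run insecure_urls over a fetched discovery document (JSON text)."""
    return insecure_urls(json.loads(text))


if __name__ == "__main__":
    host, realm = "idp.example.test", "master"
    # 1. Proxy forwards nothing about the original scheme: the symptom from the question.
    doc = discovery_document(effective_scheme("http", {}, True), host, realm)
    print("no header:             ", insecure_urls(doc))
    # 2. Proxy sets X-Forwarded-Proto: https, the fix from Solution 1.
    doc = discovery_document(effective_scheme("http", {"X-Forwarded-Proto": "https"}, True), host, realm)
    print("header, trusted proxy: ", insecure_urls(doc))
    # 3. The same header from an untrusted peer is ignored.
    print("header, untrusted peer:", effective_scheme("http", {"X-Forwarded-Proto": "https"}, False))
    print("sample document:       ", audit_discovery_json(SAMPLE_DISCOVERY_HTTP))
```

The third case is the caveat that goes with the fix: whichever component sets X-Forwarded-Proto must be the only one that can, so the proxy should overwrite any value a client sends rather than pass it through, and the backend should honour the header only on the listener that the proxy reaches. Otherwise the same mechanism that turns http into https in the discovery document lets an external client turn it back.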
Solution 2
From what I gather, it can be done (I have not used it personally) on the realm level. Though it is a long process, and explaining it fully is beyond the scope of this answer. Instead, I am giving the link to a document.
https://www.keycloak.org/docs/3.3/server_installation/topics/network/https.html
Admin
Updated on June 22, 2022
Comments
- Admin almost 2 years
  We have deployed Keycloak behind a load balancer which is F5. The OIDC clients sitting in the public network use "https" for all communications. The SSL is terminated in F5 and the packets are forwarded to Keycloak (say on port 8080).
  The OIDC client is designed in such a way as to use the endpoints (like /token etc.) that it receives in the response to the .well-known/openid-configuration request. The problem here is that the .well-known config is responding with URLs with protocol as http for all the endpoints, whereas the client is expecting protocol with https. Because of this the client is not able to make a secure connection to these URLs. Question is - how can we have responses for the .well-known/openid-configuration request return endpoints with protocol https; like the one mentioned below:
  { "issuer":"https://<domain>/auth/realms/master", "authorization_endpoint":"https://<domain>/auth/realms/master/protocol/openid-connect/auth", "token_endpoint":"https://<domain>/auth/realms/master/protocol/openid-connect/token" ....... }
  We have followed the steps mentioned in the documentation. I.e. in F5 added the x-Forwarded-For and x-Forwarded-Proto and made the respective Keycloak configuration changes as indicated in the documentation. Is there any configuration or setting I might be missing?
- Jason Foglia almost 2 years
  Link is broken.