Keycloak .well-known/openid-configuration is not responding with "https" protocol for the endpoints

Solution 1

I've been struggling with the same problem for days now and finally figured it out. The problem is that Keycloak uses the X-Forwarded-Proto HTTP header when running behind a proxy to determine if the incoming request was made via HTTPS. Your load balancer (in my case AWS ELB) needs to set this header correctly (see similar issue).

When using ELB, you need to make sure that either:

  1. Your listener is set to HTTPS
  2. Your listener is set to TCP and the receiving backend supports the Proxy Protocol

In my case, my listeners were set to TCP but the backend was not configured accordingly. I found that NGINX and Kubernetes' NGINX Ingress Controller support this option.
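To make the mechanism in this answer concrete, here is an added example (not code from the question, the answers, or the Keycloak project) that models how a backend behind a TLS-terminating proxy decides which scheme to advertise in the discovery document, and a check that every advertised endpoint is https. Header names follow the X-Forwarded-Proto convention discussed above; the hostnames, the realm layout and the simplified "trust the proxy" flag (standing in for Keycloak's proxy-address-forwarding="true" setting on the http-listener in the WildFly-based versions) are constructed for the example.

```python
"""Added example: scheme derivation behind a proxy and a discovery-document check.

Not part of the original Q&A. Hostnames, sample headers and the
`proxy_trusted` flag are constructed; the URL layout mirrors the
question's /auth/realms/<realm>/protocol/openid-connect/... paths.
"""
from urllib.parse import urlsplit


def advertised_base_url(headers, proxy_trusted, local_scheme="http", local_port=8080):
    """Return the base URL a backend would embed in its discovery endpoints.

    headers:       HTTP request headers as received by the backend (any case).
    proxy_trusted: whether the backend honours X-Forwarded-* headers. Only
                   enable this when the backend is reachable solely through
                   the proxy; otherwise a client talking to port 8080 directly
                   could claim any scheme it likes.
    Without a trusted X-Forwarded-Proto header the backend only knows about
    its own plain-http listener, which is exactly the symptom in the question.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = local_scheme
    host = h.get("host", f"localhost:{local_port}")
    if proxy_trusted:
        forwarded = h.get("x-forwarded-proto")
        if forwarded:
            # Chained proxies may send "https, http"; the first hop is the client's.
            scheme = forwarded.split(",")[0].strip().lower()
    return f"{scheme}://{host}"


def discovery_document(base_url, realm="master"):
    """Build the subset of .well-known/openid-configuration shown in the question."""
    realm_url = f"{base_url}/auth/realms/{realm}"
    return {
        "issuer": realm_url,
        "authorization_endpoint": f"{realm_url}/protocol/openid-connect/auth",
        "token_endpoint": f"{realm_url}/protocol/openid-connect/token",
    }


def insecure_endpoints(doc):
    """Names of discovery fields whose URL does not use https (defender's check)."""
    return [name for name, url in doc.items() if urlsplit(url).scheme != "https"]


if __name__ == "__main__":
    # Constructed request as the proxy would forward it after TLS termination.
    good = {"Host": "sso.example.test", "X-Forwarded-Proto": "https"}
    # Constructed request from a proxy that forgot to set the header.
    missing = {"Host": "sso.example.test"}

    for label, hdrs, trusted in [("proxy sets header, backend trusts it", good, True),
                                 ("proxy omits header", missing, True),
                                 ("backend ignores proxy headers", good, False)]:
        doc = discovery_document(advertised_base_url(hdrs, trusted))
        print(f"{label}: token_endpoint={doc['token_endpoint']} "
              f"insecure={insecure_endpoints(doc)}")
```

Running the module shows the three states the thread describes: only when the proxy sends X-Forwarded-Proto: https and the backend is configured to trust it do all endpoints come out as https. The `insecure_endpoints` check is the thing to run against a live discovery URL after a load-balancer or Keycloak change, since an http token endpoint in that document silently downgrades every client that follows it.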

Solution 2

From what I gather, it can be done (I have not used it personally) on the realm level. Though it is a long process, explaining which fully is beyond the scope of this answer. Instead, I am giving the link to a document.

https://www.keycloak.org/docs/3.3/server_installation/topics/network/https.html

Updated on June 22, 2022

Comments

  • Admin
    Admin almost 2 years

    We have deployed Keycloak behind a load balancer, which is F5. The OIDC clients sitting in the public network use "https" for all communications. The SSL is terminated in F5 and the packets are forwarded to Keycloak (say on port 8080).
    The OIDC client is designed in such a way as to use the endpoints (like /token etc.) that it receives in the response to the .well-known/openid-configuration request.

    The problem here is that the .well-known config is responding with URLs with protocol http for all the endpoints, whereas the client is expecting protocol https. Because of this, the client is not able to make a secure connection to these URLs.

    Question is: how can we have responses to the .well-known/openid-configuration request return endpoints with protocol https, like the one mentioned below?

    {
      "issuer":"https://<domain>/auth/realms/master",
      "authorization_endpoint":"https://<domain>/auth/realms/master/protocol/openid-connect/auth",
      "token_endpoint":"https://<domain>/auth/realms/master/protocol/openid-connect/token"
      .......
    }

    We have followed the steps mentioned in the documentation.

    I.e., in F5 we added the X-Forwarded-For and X-Forwarded-Proto headers and made the respective Keycloak configuration changes as indicated in the documentation. Is there any configuration or setting I might be missing?

  • Jason Foglia
    Jason Foglia almost 2 years
    Link is broken.