
Sites behind SSL reverse proxies set incorrect forwarding uri on auth requests

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Rejected
    • Affects Version/s: 8.0.0
    • Fix Version/s: None
    • Component/s: Adapter - Node.js
    • Labels:
      None
    • Steps to Reproduce:
      1. Set up a client under a realm such that all of its allowed redirect URLs use the https: scheme.
      2. Run any example Node.js app that uses keycloak.protect to protect a URL, using the client configuration for the realm from step 1 (it should serve over http only, for example http://localhost:8080).
      3. Set up an HTTP reverse proxy pointing at that application with a valid SSL configuration (for example, listening on https://localhost and forwarding requests to http://localhost:8080).
      4. Point your browser at the protected URL via the reverse proxy over https (e.g. https://localhost).
      5. Observe that keycloak-connect causes your browser to redirect to your Keycloak server correctly, but instead of the login page you see an error reading "invalid parameter redirect_uri".
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      It's a very common pattern to secure your nodejs app by setting up a reverse proxy that handles the https connection to the user, but communicates with your nodejs app via an unencrypted http connection.

      Unfortunately, keycloak-connect breaks in this case. When protecting a page resource using the keycloak.protect() function, the keycloak-connect library redirects unauthenticated users to keycloak, setting the redirect_uri querystring value to a URL with a scheme of http, not https.

      This is because the URI scheme of the redirect_uri is taken from the protocol of the incoming request as seen by the Node.js process. Behind a reverse proxy that terminates TLS, that hop is plain http, so it usually does not match the scheme the user sees in their browser.

      Fortunately there is already an open pull request that fixes this issue. It references KEYCLOAK-5954, which was closed due to lack of response from the reporter.
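      The following is an added example, not keycloak-connect's own code, showing the two ways of deriving the scheme the description contrasts: the naive one that reads the protocol of the hop the app sees, and a proxy-aware one that honours X-Forwarded-Proto only from a trusted proxy. The request objects are constructed plain objects shaped like Express requests, and the trusted-proxy list is an assumed deployment setting.

```javascript
// Added example, not keycloak-connect's own code: how a redirect_uri scheme
// ends up as "http" behind a TLS-terminating proxy, and one way to fix it.
// Requests are constructed plain objects shaped like Express requests; the
// trusted-proxy list is an assumed deployment setting.

// Naive: take the scheme from the hop the Node process itself sees. A proxy
// that forwards over plain http makes this "http" for every request.
function naiveRedirectUri(req, path) {
  return `${req.protocol}://${req.headers.host}${path}`;
}

// Only connections from these peers may override the scheme (assumed values).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Hardened: honour X-Forwarded-Proto only when the immediate peer is a proxy
// we operate, and accept only "http"/"https". Otherwise fall back to the
// observed protocol, so the header on a direct connection changes nothing.
function forwardedScheme(req) {
  const peer = req.socket && req.socket.remoteAddress;
  if (!TRUSTED_PROXIES.has(peer)) return req.protocol;
  const raw = req.headers['x-forwarded-proto'];
  if (typeof raw !== 'string') return req.protocol;
  // A chain of proxies may append values; the first is the browser's scheme.
  const first = raw.split(',')[0].trim().toLowerCase();
  return first === 'https' || first === 'http' ? first : req.protocol;
}

function proxyAwareRedirectUri(req, path) {
  return `${forwardedScheme(req)}://${req.headers.host}${path}`;
}

// Constructed sample: browser used https://localhost, proxy forwarded to
// http://localhost:8080 and set X-Forwarded-Proto.
const viaProxy = {
  protocol: 'http',
  headers: { host: 'localhost', 'x-forwarded-proto': 'https' },
  socket: { remoteAddress: '127.0.0.1' },
};

// Constructed sample: a direct connection that carries the header anyway.
const direct = {
  protocol: 'http',
  headers: { host: 'localhost:8080', 'x-forwarded-proto': 'https' },
  socket: { remoteAddress: '203.0.113.7' },
};

console.log(naiveRedirectUri(viaProxy, '/protected'));      // http://localhost/protected
console.log(proxyAwareRedirectUri(viaProxy, '/protected')); // https://localhost/protected
console.log(proxyAwareRedirectUri(direct, '/protected'));   // http://localhost:8080/protected
```

      In a real Express app the same effect comes from `app.set('trust proxy', 'loopback')`, after which `req.protocol` itself reflects X-Forwarded-Proto sent by the loopback proxy.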

              People

      • Assignee: Unassigned
      • Reporter: Benjamin Burns (benjamincburns)
