Keycloak issue KEYCLOAK-14575

Keycloak Wildfly adapter creates redirect URI with Keycloak port as path if auth-server-url doesn't end with /

    Details

    • Steps to Reproduce:
      1. Set up Keycloak client with OpenID connect and confidential access.
      2. Configure secure deployment for application using Keycloak Wildfly adapter and leave out the trailing '/' for the authentication server URL.
      3. Attempt to access a secured resource and check the URL that is attempted to be redirected to.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Using the Keycloak Wildfly adapter with a Wildfly server on localhost and the Keycloak server also on localhost but on a different port, I'm getting incorrect redirects to the Keycloak server where the Keycloak server's port is appended to the application's base path instead.

      The resource on Wildfly being accessed is http://localhost:7070/admin

      The Keycloak authentication URL is http://localhost:7071/auth

      The URL being redirected to for authentication by the adapter is http://localhost:7070/7071/auth/realms/test-realm/protocol/openid-connect/auth?response_type=code&client_id=test-client&redirect_uri=http%3A%2F%2Flocalhost%3A7070%2Fadmin&state=e95ed5d7-47ba-45e7-9c34-7b1c27557770&login=true&scope=openid

      The Keycloak Wildfly adapter's version is 10.0.2. The Wildfly server's version is 20.0.0.Final. The configuration for the secure deployment is as follows:

      <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
          <secure-deployment name="test-web.war">
              <realm>test-realm</realm>
              <resource>test-client</resource>
              <use-resource-role-mappings>true</use-resource-role-mappings>
              <auth-server-url>http://localhost:7071/auth</auth-server-url>
              <confidential-port>17443</confidential-port>
              <allow-any-hostname>true</allow-any-hostname>
              <credential name="secret">[redacted]</credential>
          </secure-deployment>
      </subsystem>
      The Keycloak server's version is 10.0.2. The client configuration is as follows:

      {
        "id": "48185330-2841-4c09-ab7c-bf06397ee8a4",
        "clientId": "test-client",
        "rootUrl": "",
        "baseUrl": "http://localhost:7070/",
        "surrogateAuthRequired": false,
        "enabled": true,
        "alwaysDisplayInConsole": false,
        "clientAuthenticatorType": "client-secret",
        "secret": "**********",
        "redirectUris": [
          "http://localhost:7070/admin/*",
          "https://localhost:7443/admin/*"
        ],
        "webOrigins": [
          "+"
        ],
        "notBefore": 0,
        "bearerOnly": false,
        "consentRequired": false,
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": true,
        "serviceAccountsEnabled": false,
        "publicClient": false,
        "frontchannelLogout": false,
        "protocol": "openid-connect",
        "attributes": {
          "saml.assertion.signature": "false",
          "saml.force.post.binding": "false",
          "saml.multivalued.roles": "false",
          "saml.encrypt": "false",
          "saml.server.signature": "false",
          "saml.server.signature.keyinfo.ext": "false",
          "exclude.session.state.from.auth.response": "false",
          "saml_force_name_id_format": "false",
          "saml.client.signature": "false",
          "tls.client.certificate.bound.access.tokens": "false",
          "saml.authnstatement": "false",
          "display.on.consent.screen": "false",
          "saml.onetimeuse.condition": "false"
        },
        "authenticationFlowBindingOverrides": {},
        "fullScopeAllowed": true,
        "nodeReRegistrationTimeout": -1,
        "defaultClientScopes": [
          "web-origins",
          "role_list",
          "profile",
          "roles",
          "email"
        ],
        "optionalClientScopes": [
          "address",
          "phone",
          "offline_access",
          "microprofile-jwt"
        ]
      }
      I've not seen this behaviour in earlier adapter versions, but maybe it's not new and I just always added that trailing slash to the authentication URL. The only reason I found out was that I tried getting the client installation config from the Keycloak admin interface and noticed the difference in the auth URL. Maybe it's best to properly handle auth URLs without a trailing slash to avoid users not knowing why their redirect doesn't work.
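As an added illustration (not code from this report or from the Keycloak adapter itself), the Python below shows why a base URL without a trailing slash is fragile under plain RFC 3986 resolution, and gives a sanity check an operator can run on a captured redirect to confirm it points at the Keycloak authority and the expected authorization endpoint path. The adapter's own URL construction is not reproduced; the function names are assumed, and the sample values are taken from the report.

```python
from urllib.parse import urljoin, urlsplit

# Values from the report above: the slash-less auth-server-url, the realm,
# and the malformed redirect the adapter produced (query string shortened).
AUTH_SERVER_URL = "http://localhost:7071/auth"
REALM = "test-realm"
BAD_REDIRECT = ("http://localhost:7070/7071/auth/realms/test-realm/protocol/openid-connect/auth"
                "?response_type=code&client_id=test-client")
GOOD_REDIRECT = ("http://localhost:7071/auth/realms/test-realm/protocol/openid-connect/auth"
                 "?response_type=code&client_id=test-client")

# Relative path of the OIDC authorization endpoint below the Keycloak base URL.
AUTH_PATH_TEMPLATE = "realms/{realm}/protocol/openid-connect/auth"


def normalize_auth_server_url(url: str) -> str:
    """Ensure the base URL ends with '/', so relative joins keep its last segment."""
    return url if url.endswith("/") else url + "/"


def naive_join(base: str, relative: str) -> str:
    """Plain RFC 3986 resolution. With a base lacking the trailing slash, the
    '/auth' segment is treated as a file name and silently dropped."""
    return urljoin(base, relative)


def authorization_endpoint(auth_server_url: str, realm: str) -> str:
    """Build the expected authorization endpoint from a normalized base URL."""
    return urljoin(normalize_auth_server_url(auth_server_url),
                   AUTH_PATH_TEMPLATE.format(realm=realm))


def redirect_targets_auth_server(redirect_url: str, auth_server_url: str, realm: str) -> bool:
    """Check a captured Location header: scheme and host:port must be Keycloak's
    and the path must be the authorization endpoint. A port that has become a
    path segment on the application's own host, as in the report, fails here."""
    got = urlsplit(redirect_url)
    want = urlsplit(authorization_endpoint(auth_server_url, realm))
    return (got.scheme, got.netloc) == (want.scheme, want.netloc) and got.path == want.path
```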

                Reporter: Geert Hermans