I am running Keycloak on an OpenShift project, and I have 4 pods running:
keycloak (v8.0.1 configured to listen on 8443 with TLS),
keycloakdb (PostgreSQL DB),
proxy (Apache 2.4 reverse proxy), and
portal (our app that we developed to handle connecting to other applications).
The keycloak pod also contains two jar files that we “borrowed” that implement PKI authentication as part of the log on.
The routes configured in OpenShift are
apache: tcp/443 to tcp/8443 on the apache pod
keycloak: tcp/443 to tcp/8443 on the keycloak pod, and
Current state:
A connection to https://proxy.domain.com is redirected to https://keycloak.domain.com for authentication
https://keycloak.domain.com which requests my certificate for a 2-way TLS authentication
then redirected to https://keycloak.domain.com/auth/auth?response_type=code&scope=openid&client=potal&state=&redirect_uri=https://proxy.domain.com/redirect_uri&nonce=
The browser displays a page which gives details of my certificate and my user account name with a button to continue
Clicking the continue button, POSTs to https://keycloak.domain.com
The browser is then redirected to https://proxy.domain.com:8443
Since there is no route to https://proxy.domain.com:8443 the connection times out.
The question is how do I get keycloak to redirect the browser to https://proxy.domain.com on tcp/443?
2 Answers
For redirecting to a particular URL after authentication, you can use the URL redirection setting in the client settings.
The problem is the redirect_uri in the authentication request. It points to proxy.domain.com instead of to the portal. The redirect_uri is set by the OAuth 2.0 client code in the portal. Probably, the portal software thinks its own URL starts with proxy.domain.com. So investigate and fix the OAuth 2.0 code in the portal (probably just a configuration issue).
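As an added illustration of the two answers above (example code written for this page, not code from the thread, the portal, or Keycloak), the Python below models the two halves of the problem: how an OAuth 2.0 client behind a reverse proxy derives its own base URL, and why a redirect_uri carrying the pod's port 8443 fails a Keycloak-style "Valid Redirect URIs" check. The host names mirror the question; the header set, the realm path in the authorization URL, and the simplified matching rule are assumptions for the sake of the example.

```python
"""Added example (not from the original thread): a portal behind a reverse
proxy announcing the wrong redirect_uri, and how a Keycloak-style
"Valid Redirect URIs" list treats it.  Host names follow the question;
headers, realm path and matching rule are constructed for illustration."""
from urllib.parse import urlencode

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_base_url(headers, local_scheme, local_host, local_port, trust_proxy):
    """Reconstruct the URL the browser used to reach an app behind a proxy.

    With trust_proxy=False the app only knows its own socket, which is how a
    pod listening on 8443 ends up advertising https://proxy.domain.com:8443
    even though the OpenShift route exposes it on 443.  With trust_proxy=True
    the X-Forwarded-* headers win.  Apache mod_proxy adds X-Forwarded-Host by
    default; X-Forwarded-Proto and X-Forwarded-Port need explicit RequestHeader
    directives (assumed to be configured here).
    """
    scheme, host, port = local_scheme, local_host, local_port
    if trust_proxy:
        h = {k.lower(): v for k, v in headers.items()}
        scheme = h.get("x-forwarded-proto", scheme)
        fwd_host = h.get("x-forwarded-host") or h.get("host")
        if fwd_host:
            host, _, host_port = fwd_host.partition(":")
            port = int(host_port) if host_port else DEFAULT_PORTS[scheme]
        port = int(h.get("x-forwarded-port", port))
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"          # omit default port, as browsers do
    return f"{scheme}://{host}:{port}"


def authorization_url(keycloak_base, realm, client_id, redirect_uri, state, nonce):
    """Build the OIDC authorization request the portal redirects the browser to.
    The realm-based path is the standard Keycloak layout; 'realm' is a placeholder."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    }
    return f"{keycloak_base}/auth/realms/{realm}/protocol/openid-connect/auth?" + urlencode(params)


def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Simplified model of the Keycloak client setting "Valid Redirect URIs":
    an entry matches exactly, or as a prefix when it ends in '*'.  Scheme,
    host and port all take part in the comparison, so a URI on :8443 does not
    match an entry registered for the default port.  Keep the '/' before the
    '*' (https://proxy.domain.com/*): without it the wildcard also accepts
    other hosts that merely start with the same string."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def demo():
    """Walk through the scenario from the question and return the findings."""
    # Constructed headers as the Apache proxy would forward them to the portal pod.
    headers = {
        "Host": "portal:8443",
        "X-Forwarded-Host": "proxy.domain.com",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Port": "443",
    }
    registered = ["https://proxy.domain.com/*"]
    naive = external_base_url(headers, "https", "proxy.domain.com", 8443, False) + "/redirect_uri"
    aware = external_base_url(headers, "https", "portal", 8443, True) + "/redirect_uri"
    return {
        "naive_redirect_uri": naive,
        "naive_allowed": redirect_uri_allowed(naive, registered),
        "forwarded_redirect_uri": aware,
        "forwarded_allowed": redirect_uri_allowed(aware, registered),
        "auth_url": authorization_url("https://keycloak.domain.com", "REALM_PLACEHOLDER",
                                      "portal", aware, "s1", "n1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix the second answer points to corresponds to the trust_proxy branch: the portal must learn its public scheme, host and port from the proxy (or from an explicitly configured external URL) rather than from the socket it listens on. The first answer's client setting is the other side of the same check; registering https://proxy.domain.com:8443/* would make the current redirect pass Keycloak but still send the browser to a port no route serves.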