keycloak Invalid parameter redirect uri

Question

When I am trying to hit from my api to authenticate user from keycloak  but its giving me error Invalid parameter  redirect uri on keycloak page  I have created my own realm apart from master  keycloak is running on http  Please help me

User · Answer

Log in the Keycloak admin console website, select the realm and its client, then make sure all URIs of the client are prefixed with the protocol, that is, with http:// for example. An example would be http://localhost:8082/*

Another way to solve the issue, is to view the Keycloak server console output, locate the line stating the request was refused, copy from it the redirect_uri displayed value and paste it in the * Valid Redirect URIs field of the client in the Keycloak admin console website. The requested URI is then one of the acceptables.

User · Answer

Your redirect URI in your code keycloak init  should be the same as the redirect URI set on Keycloak server  client -  Valid Uri

User · Answer

This error is also thrown when your User does not have the expected Role delegated in User definition Set role for the Realm in drop down

User · Answer

Check that the value of the redirect uri parameter is whitelisted for the client that you are using  You can manage the configuration of the client via the admin console  The redirect uri should match exactly with one of the whitelisted redirect uri s  or you can use a wildcard at the end of the uri you want to whitelist  See  https   www keycloak org docs latest server admin   clients Note that using wildcards to whitelist redirect uri s is allowed by Keycloak  but is actually a violation of the OpenId Connect specification  See the discussion on this at https   lists jboss org pipermail keycloak-dev 2018-December 011440 html

User · Answer

If you are a  Net Devloper Please Check below  Configurations  keycloakAuthentication options class set CallbackPath   RedirectUri   this Property needs to be set other wise it will show invalid redirecturi error  I faced the same error  In my case  the issue was with  Valid Redirect URIs was not correct  So these are the steps I followed    First login to keycloack as an admin user   Then Select your realm maybe you will auto-direct to the realm   Then you will see below screen    Select Clients from left panel   Then select relevant client which you configured for your app  By default  you will be Setting tab  if not select it  My app was running on port 3000  so my correct setting is like below  let say you have an app runs on localhost 3000  so your setting should be like this

User · Answer

What worked for me was adding wildchar      Although for production builds  I am going to be more specific with the value of this field  But for dev purposes you can do this     Setting available under  keycloak admin console -  Realm Name -  Cients -  Client Name   EDIT  DO NOT DO THIS IN PRODUCTION  Doing so creates a large security flaw

User · Answer

Go to keycloak admin console   SpringBootKeycloak  Cients login-app page  Here in valid-redirect uris section add http   localhost 8080 sso login  This will help resolve indirect-uri problem

User · Answer

I faced the Invalid parameter  redirect uri problem problem while following spring boot and keycloak example available at http   www baeldung com spring-boot-keycloak  when adding the client from the keycloak server we have to provide the redirect URI for that client so that keycloak server can perform the redirection  When I faced the same error multiple times  I followed copying correct URL from keycloak server console and provided in the valid Redirect URIs space and it worked fine

User · Answer

It seems that this problem can occur if you put whitespace in your Realm name  I had name set to Debugging Realm and I got this error  When I changed to DebuggingRealm it worked  You can still have whitespace in the display name  Odd that keycloak doesn t check for this on admin input

User · Answer

You need to check the keycloak admin console for fronted configuration  It must be wrongly configured for redirect url and web origins

User · Answer

I faced the same issue  I rectified it by going to the particular client under the realm respectively therein redirect URL add   after your complete URL

User · Answer

Looking at the exact rewrite was key for me   the wellKnownUrl lookup was returning  quot http   127 0 01 7070  quot  and I had specified  quot http   localhost 7070 quot   -

User · Answer

even I faced the same issue  I rectified it by going to the particular client under the realm respectively therein redirect URL add   after your complete URL    THE PROBLEM WILL BE SOLVED  Example       redirect URI  http localhost 3000 myapp generator

User · Answer

If you re getting this error because of a new realm you created  In the URL that you are redirected to  you may have to look in Chrome dev tools for this URL   change the realm from master to the one you just created  and if you are not using https  then make sure the redirect uri is also using http   If you re getting this error because you re trying to setup Keycloak on a public facing domain  not localhost   Step 1   Follow this documentation to setup a MySql database  You may also need to refer to the official documentation   Step 2  Run the command update REALM set ssl required    NONE  where id    master    Note  At this point  you should technically be able to login  but version 4 0 of Keycloak is using https for the redirect uri even though we just turned off https support  Until Keycloak fixes this  we can get around this with a reverse proxy  A reverse proxy is something we will want to use anyhow to easily create SSL TLS certificates without having to worry about Java keystores   Note 2  Keycloak has since come out with their own proxy  I haven t tried this yet  but at this point  you might want to stop following my directions and check out  keycloak gatekeeper  https   www keycloak org downloads html   If you have trouble setting up the Keycloak Gatekeeper  I ll keep my instructions around for setting up a reverse proxy with Apache   Step 3  Install Apache  We will use Apache as a reverse proxy  I tried NGINX  but NGINX had some limitations that got in the way   See yum installing Apache  CentOs 7   and apt-get install Apache  Ubuntu 16   or find instructions for your specific distro   Step 4  Run Apache   Use sudo systemctl start httpd  CentOs  or sudo systemctl start apache2  Ubuntu  Use sudo systemctl status httpd  CentOs  or sudo systemctl status apache2  Ubuntu  to check if Apache is running  If you see in green text the words active  running  or if the last entry reads Started The Apache HTTP Server  then you re good    Step 5  We will establish a SSL connection with the reverse proxy  and then the reverse proxy will communicate to keyCloak over http  Because this http communication is happening on the same machine  you re still secure  We can use Certbot to setup auto-renewing certificates    If this type of encryption is not good enough  and your security policy requires end-to-end encryption  you will have to figure out how to setup SSL through WildFly  instead of using a reverse proxy   Note  I was never actually able to get https to work properly with the admin portal  Perhaps this may have just been a bug in the beta version of Keycloak 4 0 that I m using  You re suppose to be able to set the SSL level to only require it for external requests  but this did not seem to work  which is why we set https to none in step  2  From here on we will continue to use http over an SSH tunnel to manage the admin settings   Step 6   Whenever you try to visit the site via https  you will trigger an HSTS policy which will auto-force http requests to redirect to https  Follow these instructions to clear the HSTS rule from Chrome  and then for the time being  do not visit the https version of the site again   Step 7  Configure Apache  First find where your httpd conf file is located  Your httpd conf file is probably including config files from a separate directory  In my case  I found all of my config file in a conf d directory located adjacent to the folder the httpd conf file was in   Once you find your conf files  change out  or add the following  virtual host entries in your conf files  Make sure you don t override the already present SSL options that where generated by certbot  When done  your config file should look something like this    lt VirtualHost   80 gt      RewriteEngine on       change https redirect uri parameters to http     RewriteCond   request uri     query string       redirect uri https          RewriteRule    1redirect uri http 2  NE R 302        uncomment to force https      does not currently work      RewriteRule   https     SERVER NAME   REQUEST URI        forward the requests on to keycloak     ProxyPreserveHost On         ProxyPass   http   127 0 0 1 8080      ProxyPassReverse   http   127 0 0 1 8080   lt  VirtualHost gt    lt IfModule mod ssl c gt   lt VirtualHost   443 gt      RewriteEngine on       Disable HSTS     Header set Strict-Transport-Security  max-age 0  includeSubDomains   env HTTPS        change https redirect uri parameters to http     RewriteCond   request uri     query string       redirect uri https          RewriteRule    1redirect uri http 2  NE R 302        forward the requests on to keycloak     ProxyPreserveHost On     ProxyPass   http   127 0 0 1 8080      ProxyPassReverse   http   127 0 0 1 8080        Leave the items added by certbot alone      There should be a ServerName option      And a bunch of options to configure the location of the SSL cert files      Along with an option to include an additional config file   lt  VirtualHost gt   lt  IfModule gt    Step 8  Restart Apache  Use sudo systemctl restart httpd  CentOs  or sudo systemctl restart apache2  Ubuntu    Step 9  Before you have a chance to try to login to the server  since we told Keycloak to use http  we need to setup another method of connecting securely  This can be done by either installing a VPN service on the keycloak server  or by using SOCKS  I used a SOCKS proxy  In order to do this  you ll first need to setup dynamic port forwarding    ssh -N -D 9905 user example com  Or set it up via Putty   All traffic sent to port 9905 will now be securely routed through an SSH tunnel to your server  Make sure you whitelist port 9905 on your server s firewall   Once you have dynamic port forwarding setup  you will need to setup your browser to use a SOCKS proxy on port 9905  Instructions here   Step 10  You should now be able to login to the Keycloak admin portal  To connect to the website go to http   127 0 0 1  and the SOCKS proxy will take you to the admin console  Make sure you turn off the SOCKS proxy when you re done as it does utilize your server s resources  and will result in a slower internet speed for you if kept on   Step 11  Don t ask me how long it took me to figure all of this out

User · Answer

If you are using the Authorization Code Flow then the response type query param must be equal to code  See https   www keycloak org docs 3 3 server admin topics sso-protocols oidc html

User · Answer

If you re trying to redirect to the keycloak login page after logout  as I was   that is not allowed by default but also needs to be configured in the  Valid Redirect URIs  setting in the admin console of your client

User · Answer

For me  I had a missing trailing slash   in the value for Valid Redirect URIs

User · Answer

If you re seeing this problem after you ve made a modification to the Keycloak context path  you ll need to make an additional change to a redirect url setting    Change  lt web-context gt yourchange auth lt  web-context gt  back to  lt web-context gt auth lt  web-context gt  in standalone xml  Restart Keycloak and navigate to the login page   auth admin   Log in and select the  Master  realm  Select  Clients  from the side menu  Select the  security-admin-console  client from the list that appears  Change the  Valid Redirect URIs  from  auth admin master console   to  yourchange auth admin master console    Save and sign out   You ll again see the  Invalid redirect url  message after signing out   Now  put in your original change  lt web-context gt yourchange auth lt  web-context gt  in standalone xml Restart Keycloak and navigate to the login page  which is now  yourchange auth admin   Log in and enjoy

[keycloak] keycloak Invalid parameter: redirect_uri

Examples related to keycloak