tandathuynh148

Reputation: 308

Keycloak returns 'Invalid parameter: redirect_uri'

[Edit-1] Added scope to the oauth2 configuration, added the grafana service, removed oauth-keycloak-signin. The configuration is taken from this link

[UPDATE] I am able to log in at the Keycloak page but it couldn't route me to the Grafana service. Looking at the OAuth2 logs, something weird: the access token generated by Keycloak was validated against GitHub, not Keycloak :))) -> This was caused by a missing oauth validate_url config.

Solution:

- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185/oauth2/auth'

Log of OAuth2 Proxy

paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - [email protected] [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:[email protected] user: PreferredUsername: token:true groups:[/pader]}

I am setting up Keycloak and oauth2 for authentication in my system. The system is running in Docker Swarm mode and using the Traefik reverse proxy. I followed this guide to set up the oauth2 container: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-auth-provider

I created a new client in the 'development' realm, with the Valid Redirect URI set to https://oauth-keycloak.my-domain.com/oauth2/callback (it is the OAuth URL), and used Traefik forward auth to route the request to Keycloak if it is unauthenticated.

I got Invalid parameter: redirect_uri in 2 cases:

I have searched and tried some suggestions but they did not work for me. Hope you guys can help. I would really appreciate it.

Here is my docker swarm configuration:

  keycloak:
    image: quay.io/keycloak/keycloak:15.0.2
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
        - "traefik.http.routers.keycloak.entrypoints=websecure"
        - "traefik.http.routers.keycloak.tls=true"
        - "traefik.http.routers.keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.keycloak.service=keycloak-svc"
        - "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
    environment:
      - "DB_VENDOR=POSTGRES"
      - "DB_ADDR=postgis"
      - "DB_DATABASE=${POSTGRES_DB}"
      - "DB_USER=${POSTGRES_USER}"
      - "DB_PASSWORD=${POSTGRES_PASSWORD}"
      - "KEYCLOAK_USER="
      - "KEYCLOAK_PASSWORD="
      # Required behind Traefik so Keycloak builds its URLs from X-Forwarded-* headers
      - "PROXY_ADDRESS_FORWARDING=true"
      - "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO

  grafana:
    image: grafana/grafana
    deploy:
      resources:
        limits:
          memory: 256M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
        - "traefik.http.routers.grafana.entrypoints=websecure"
        - "traefik.http.routers.grafana.tls=true"
        - "traefik.http.routers.grafana.tls.certresolver=leresolver"
        # Protect Grafana with the oauth2-proxy forward-auth middleware defined on the oauth-keycloak service
        - "traefik.http.routers.grafana.middlewares=oauth-keycloak"
        # Set up service
        - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
        - "traefik.http.routers.grafana.service=grafana-svc"
    environment:
      - GF_SECURITY_ADMIN_USER=my-username
      - GF_SECURITY_ADMIN_PASSWORD=my-pasword
      - GF_USERS_ALLOW_SIGN_UP=true
    volumes:
      - "/home/app/grafana:/var/lib/grafana"

  oauth-keycloak:
    image: quay.io/oauth2-proxy/oauth2-proxy
    deploy:
      labels:
        - "traefik.enable=true"
        # PathPrefix(`/oauth2`) matches on every host, so /oauth2/callback on grafana.my-domain.com
        # also reaches oauth2-proxy; each such host therefore needs its own Valid Redirect URI in Keycloak
        - "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
        - "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
        - "traefik.http.routers.oauth-keycloak.tls=true"
        - "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
        - "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
        # Set up middlewares
        # Forward-auth target as originally posted; the Solution at the top of the post points this
        # at /oauth2/auth, the oauth2-proxy endpoint that answers 202 or 401 instead of serving a page
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
        # Headers copied from the auth response into the request sent on to Grafana
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
    environment:
      OAUTH2_PROXY_CLIENT_ID: 'development'
      OAUTH2_PROXY_CLIENT_SECRET: ''
      OAUTH2_PROXY_PROVIDER: 'keycloak'
      OAUTH2_PROXY_SCOPE: 'profile email address phone'
      OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
      OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
      OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      # Without this, the keycloak provider fell back to its default (GitHub) validation endpoint, see [UPDATE]
      OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'

      OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      # Every router above is on the TLS (websecure) entrypoint, so the session cookie should carry the Secure flag
      OAUTH2_PROXY_COOKIE_SECURE: 'true'
      # Regenerate this: the value below was posted publicly and is no longer a secret
      OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
      OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
      # Trust X-Forwarded-* from Traefik when building redirect URLs
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      # Per the oauth2-proxy docs, an entry without a leading '.' allows only that exact host as an rd target;
      # '.my-domain.com' would also allow grafana.my-domain.com and other subdomains
      OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'

Upvotes: 0

Views: 8262

Answers (1)

sventorben

Reputation: 1912

You configured a valid redirect URI of https://oauth-keycloak.my-domain.com/oauth2/callback, as you said. When accessing grafana, your redirect URI will be https://grafana.my-domain.com/oauth2/callback instead. You will need to add this to the list of valid redirect URIs as well.

Upvotes: 2
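The mismatch the answer points at, together with the two checks around it (what redirect_uri oauth2-proxy actually sends for a forward-auth request, and whether the `rd` return URL passes the whitelist), as an added Python model. This is not code from the question, the answer, oauth2-proxy or Keycloak; the three behaviours are simplified from those projects' documentation, and the host names, realm and paths are the question's placeholders.

```python
"""Model of why Traefik forward-auth produces 'Invalid parameter: redirect_uri'.

Added illustration for this thread, not code from oauth2-proxy or Keycloak.
Three documented behaviours are modelled in simplified form:
  * oauth2-proxy without --redirect-url builds redirect_uri from the request it
    sees (X-Forwarded-Proto / X-Forwarded-Host when --reverse-proxy is on) plus
    the proxy prefix and "/callback"; with --redirect-url it always sends that value.
  * Keycloak accepts redirect_uri on an exact match with a Valid Redirect URI, or
    on a prefix match when the registered value ends with '*' (wildcard only at the end).
  * oauth2-proxy --whitelist-domain: exact host match, unless the entry starts with
    '.' or '*.', which also admits subdomains. Ports are ignored in this model.
Host names are the question's placeholders.
"""
from urllib.parse import urlsplit

PROXY_PREFIX = "/oauth2"  # oauth2-proxy default --proxy-prefix

# Registered in the question: only the proxy's own host
QUESTION_VALID_REDIRECTS = ["https://oauth-keycloak.my-domain.com/oauth2/callback"]
# After applying the answer: one callback per host that sits behind the middleware
ANSWER_VALID_REDIRECTS = QUESTION_VALID_REDIRECTS + [
    "https://grafana.my-domain.com/oauth2/callback",
]
PROTECTED_HOSTS = ["grafana.my-domain.com", "oauth-keycloak.my-domain.com"]


def derive_redirect_uri(forwarded_proto, forwarded_host, redirect_url=None):
    """redirect_uri oauth2-proxy sends to Keycloak for a request Traefik forwarded to it."""
    if redirect_url:  # OAUTH2_PROXY_REDIRECT_URL pins it regardless of the incoming host
        return redirect_url
    return f"{forwarded_proto}://{forwarded_host}{PROXY_PREFIX}/callback"


def keycloak_allows(redirect_uri, valid_redirect_uris):
    """Simplified Keycloak 'Valid Redirect URIs' check: exact match, or trailing-'*' prefix."""
    for allowed in valid_redirect_uris:
        if allowed.endswith("*"):
            if redirect_uri.startswith(allowed[:-1]):
                return True
        elif redirect_uri == allowed:
            return True
    return False


def rd_allowed(rd, whitelist_domains):
    """May oauth2-proxy send the user back to `rd` after the callback? (--whitelist-domain rules)"""
    if rd.startswith("/") and not rd.startswith("//"):
        return True  # a plain relative path stays on the current host
    host = (urlsplit(rd).hostname or "").lower()
    for entry in whitelist_domains:
        entry = entry.lower()
        if entry.startswith("*."):
            entry = entry[1:]  # '*.example.com' behaves like '.example.com'
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def audit(protected_hosts, valid_redirect_uris, whitelist_domains, redirect_url=None):
    """For each host behind the forward-auth middleware: what Keycloak sees and whether it accepts it."""
    report = {}
    for host in protected_hosts:
        uri = derive_redirect_uri("https", host, redirect_url)
        report[host] = {
            "redirect_uri": uri,
            "keycloak_accepts": keycloak_allows(uri, valid_redirect_uris),
            # after the callback oauth2-proxy redirects to rd=https://<host>/ (the /oauth2/start log line)
            "rd_back_to_app": rd_allowed(f"https://{host}/", whitelist_domains),
        }
    return report


if __name__ == "__main__":
    for label, valid in (("question", QUESTION_VALID_REDIRECTS), ("answer", ANSWER_VALID_REDIRECTS)):
        print(f"--- Valid Redirect URIs as in the {label} ---")
        for host, row in audit(PROTECTED_HOSTS, valid, [".my-domain.com"]).items():
            print(f"{host:32} {row['redirect_uri']:55} accepted={row['keycloak_accepts']}")
```

Run as a script, the first table shows grafana.my-domain.com rejected and oauth-keycloak.my-domain.com accepted, which is exactly the asymmetry the answer describes; the second table shows both accepted once the grafana callback is registered. Passing `redirect_url=QUESTION_VALID_REDIRECTS[0]` to `audit` models the other way of keeping a single registered URI, pinning OAUTH2_PROXY_REDIRECT_URL, in which case the `rd` parameter has to carry the user back to Grafana and must pass `rd_allowed`; note that a whitelist entry without a leading dot, as in the posted configuration, does not admit subdomains under the documented rules. A bare `*` as a Valid Redirect URI makes `keycloak_allows` return True for any URI, which is why the Keycloak documentation warns against it.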
