A user requests https://my.server/auth. The incoming request hits the load balancer on port 443 which then sends the request on to nginx on port 80. Nginx recognizes the /auth location and sends it over to http://server2:8080/auth where Keycloak lives. I have the following set in nginx.conf:
port_in_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
In docker I have:
environment:
  ...
  PROXY_ADDRESS_FORWARDING: "true"
  KEYCLOAK_FRONTEND_URL: "https://my.server/auth"
NB: The X-Forwarded-Proto used to be $scheme but because nginx lives behind the load balancer, SSL was already stripped off and the URLs that Keycloak was generating in its html/js were http://my.server/auth instead of https://my.server/auth and it would fail loading keycloak.js from an insecure location. Forcing it to be https fixed this.
This all works. My problem is when loading another service that needs to check Keycloak auth. Example:
A user requests https://my.server/service. The incoming request hits the load balancer on port 443 which then sends the request to nginx on port 80. Nginx recognizes the /service location and sends it over to http://server1:8089/service. The service needs an auth token so it redirects to https://my.server/auth/realms/myRealm/protocol/openid-connect/auth?response_type=code&client_id=myClient&redirect_uri=http%3A%2F%2Fmy.server%2F&service%2Fstate={state}&login=true&scope=openid. The point I want to highlight is the redirect_uri which points to http and not https. This isn't correct and, appropriately, it throws an error: Invalid parameter: redirect_uri.
What do I need to do to make the redirect_uri use https instead?
I have referenced these other similar posts without success:
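As an added illustration (not the poster's code) of where the scheme in redirect_uri comes from: the service behind nginx only ever sees plain http, so it has to take the external scheme from the X-Forwarded-Proto header nginx sets above, and it should do that only for requests that actually arrive from the known proxy. The proxy address and the sample peer addresses below are assumptions, not values from the post.

```python
from urllib.parse import urlencode

# Constructed sample of the headers the post's nginx.conf sets on each request.
FORWARDED_HEADERS = {
    "Host": "my.server",
    "X-Real-IP": "203.0.113.10",
    "X-Forwarded-For": "203.0.113.10",
    "X-Forwarded-Proto": "https",
}

# Assumed address of the nginx host; only this peer may override the scheme.
TRUSTED_PROXIES = {"10.0.0.5"}


def external_base_url(headers, peer_ip, local_scheme="http"):
    """Rebuild the URL the browser used.

    The service is reached over plain http from nginx, so local_scheme is
    http. X-Forwarded-Proto is honoured only when the TCP peer is a trusted
    proxy; otherwise a client could spoof the header and steer redirects.
    """
    host = headers.get("Host", "")
    scheme = local_scheme
    if peer_ip in TRUSTED_PROXIES:
        # Some proxies append to an existing value; the first entry wins.
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
    return f"{scheme}://{host}"


def build_auth_url(base_url, state, path="/service/"):
    """Build the Keycloak authorization URL shown in the post, with
    redirect_uri derived from the externally visible base URL."""
    params = {
        "response_type": "code",
        "client_id": "myClient",
        "redirect_uri": base_url + path,
        "state": state,
        "login": "true",
        "scope": "openid",
    }
    return base_url + "/auth/realms/myRealm/protocol/openid-connect/auth?" + urlencode(params)


if __name__ == "__main__":
    base = external_base_url(FORWARDED_HEADERS, "10.0.0.5")
    print(build_auth_url(base, "xyz"))
```

With the request coming from the trusted proxy the redirect_uri is encoded as https%3A%2F%2Fmy.server%2Fservice%2F; from any other peer the header is ignored and the scheme stays http.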