Specifying port in redirect URL not allowed ?

Configuring the server
1

Hi everyone,

Is specifying a port in the redirect URL not allowed ?

I integrate Keycloak with Apache Guacamole. It works with one of my instances. I’m having a problem with the second one.

The settings are the same in both cases.
One difference concerns the redirect URL which contains the port definition : https://bastion.*****.fr:444/guacamole/.
When connecting from Guacamole, Keycloak returns the following error :" Invalid parameter: redirect_uri".

Below the traces :

2024-09-16 11:55:19,571 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2024-09-16 11:55:19,574 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2024-09-16 11:55:19,574 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task PropagateLastSessionRefreshTask
2024-09-16 11:55:19,575 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper commit
2024-09-16 11:55:19,575 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2024-09-16 11:55:23,410 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) new JtaTransactionWrapper
2024-09-16 11:55:23,410 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) was existing? false
2024-09-16 11:55:23,410 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-38) Recalculated absoluteURI to http://127.0.0.1:8090/keycloak/realms/guacamole/protocol/openid-connect/auth?scope=openid+email+profile&response_type=id_token&client_id=guacamole&redirect_uri=https%3A%2F%2Fbastion.*****.fr%3A444%2Fguacamole%2F&nonce=h3s6ic1cksr82tavr6hogvbd0a
2024-09-16 11:55:23,411 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-38) No Redirect URIs supplied
2024-09-16 11:55:23,411 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) new JtaTransactionWrapper
2024-09-16 11:55:23,412 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) was existing? true
2024-09-16 11:55:23,412 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) JtaTransactionWrapper commit
2024-09-16 11:55:23,412 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) JtaTransactionWrapper end
2024-09-16 11:55:23,412 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-38) JtaTransactionWrapper resuming suspended
2024-09-16 11:55:23,412 WARN [org.keycloak.events] (executor-thread-38) type=“LOGIN_ERROR”, realmId=“guacamole”, realmName=“guacamole”, clientId=“guacamole”, userId=“null”, ipAddress=“93.93.153.135”, error=“invalid_redirect_uri”, redirect_uri=“https://bastion.*****.fr:444/guacamole/”
2024-09-16 11:55:23,412 DEBUG [WebApplicationException] (executor-thread-38) Restarting handler chain for exception exception: org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker$AuthorizationCheckException.throwAsErrorPageException(AuthorizationEndpointChecker.java:400)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:154)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:1583)

Thanks,

Rémy

2

Hi,

I found the cause of my problem. It had nothing to do with the port.

Apache Guacamole delegates the authentication to Keycloak via the “Implicit Fow”. So I disabled the “Standard Flow”.
In the UI if “Standard Flow” is unchecked, the field “Valid redirect URIs” is not displayed.

To resolved the problem, I did it like this in the UI :

  • check the “Standard Fow” box,
  • Entering the “Valid redirect URIs”,
  • uncheck the “Standard Fow” box

Rémy