Search code examples
reverse-proxykeycloakundertow

undertow subsystem configuration in keycloak for http listener

Hello every one I am trying to configure keycloak and while skimming around the docs I have come across this config for undertow subsystem in wildfly (upon which keycloak runs) and verified it in my standalone.xml file

<server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
.....
.....

 <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>

Now what I want to know is why the http-listener has a redirect-socket set to "https" as this listener is supposed to be listening for http requests made to the keycloak server? right? and we do have a separate https-listener. Also in a case of reverse proxy sitting in front of keycloak all requests made to keycloak via the proxy using http shall also end up on the http listener right? so why is http-listener redirecting request to a https socket binding?

Solution

  • What at first seems unreasonable has a very simple explanation: Keycloak should communicate with Users and Client over https. So, if a users attempts to start a session over http, he immediately redirected to https. On the other hand, if a user already started a session over https, there is no need to redirect him further.