Tags: spring-boot, oauth-2.0, keycloak, spring-security-oauth2

Invalid parameter "Invalid parameter: redirect_uri": Keycloak doesn't care what redirect URI I use


I want my Spring Boot app to leverage Spring Security and OAuth2 capabilities to authenticate using a Keycloak server at https://auth.mycompanytest.com/

My initial attempt sends the user to:

https://auth.mycompanytest.com/auth/realms/MycompanyProfiling/protocol/openid-connect/auth?response_type=code&client_id=my-app&state=3fleTCJg4dBwJNjAnbkuq9m2Lwfm7_KwcOsOvO5k2nM%3D&redirect_uri=%22http://localhost:8080/login/oauth2/code/keycloak%22

Keycloak then says Invalid parameter: redirect_uri

I have tried these things for redirect_uri: http://localhost:8080/* and https://mycompanytest.com/*

But it doesn't care.

Snippet of application.properties:

spring.security.oauth2.client.registration.keycloak.client-id= ${KEYCLOAK_CLIENT_ID}
spring.security.oauth2.client.registration.keycloak.client-secret= ${KEYCLOAK_CLIENT_SECRET}
spring.security.oauth2.client.registration.keycloak.provider=keycloak
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.redirect-uri="{baseUrl}/login/oauth2/code/keycloak"
spring.security.oauth2.client.provider.keycloak.token-uri=http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.authorization-uri=https://auth.mycompanytest.com/auth/realms/MyRealm/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.user-info-uri= http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
spring.application.name=my-app
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/mycompany

*In the interest of privacy and anonymity I substitute MyCompany, MyRealm, MyApp (etc.) in place of the real application.*


Solution

  • See the redirect_uri parameter: %22http://localhost:8080/login/oauth2/code/keycloak%22. It is a URL-encoded value, so the decoded value is "http://localhost:8080/login/oauth2/code/keycloak" - please note that you have " in the redirect URL, so it can't match the value which you allowed in the client configuration, http://localhost:8080/*

    I guess the problem is your config:

    spring.security.oauth2.client.registration.keycloak.redirect-uri="{baseUrl}/login/oauth2/code/keycloak"

    I would try:

    spring.security.oauth2.client.registration.keycloak.redirect-uri={baseUrl}/login/oauth2/code/keycloak

    OR

    spring.security.oauth2.client.registration.keycloak.redirect-uri=http://localhost:8080/login/oauth2/code/keycloak

    The target is to remove the quotes (%22) from the redirect_uri parameter.
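As an added illustration (not code from the question, the answer, Spring, or Keycloak), the script below reproduces the mismatch the answer describes: it pulls `redirect_uri` out of the authorization request URL from the question, percent-decodes it, and checks it against the client's allowed patterns. The matcher is a simplified approximation of Keycloak's "Valid Redirect URIs" check (a trailing `*` matches any suffix, anything else must match exactly); the exact Keycloak rules are an assumption here, as is the `{baseUrl}` substitution, which mimics how a `.properties` value containing literal quotes survives into the request. Exact redirect URI matching is what stops an authorization code from being delivered to an attacker-chosen location, so a rejected `redirect_uri` is the server doing its job; the fix belongs in the client configuration, not in loosening the allow-list.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed authorization request mirroring the one in the question
# (state value shortened; hostnames are the question's placeholders).
AUTH_URL = (
    "https://auth.mycompanytest.com/auth/realms/MycompanyProfiling/protocol/openid-connect/auth"
    "?response_type=code&client_id=my-app&state=abc123"
    "&redirect_uri=%22http://localhost:8080/login/oauth2/code/keycloak%22"
)

# The "Valid Redirect URIs" entries the question says were tried in the Keycloak client.
ALLOWED = ["http://localhost:8080/*", "https://mycompanytest.com/*"]


def extract_redirect_uri(auth_url):
    """Return the percent-decoded redirect_uri query parameter, or None if absent."""
    params = parse_qs(urlsplit(auth_url).query)
    values = params.get("redirect_uri", [])
    return values[0] if values else None  # parse_qs already decodes %22 -> "


def matches_allowed(redirect_uri, allowed):
    """Simplified approximation (assumption) of Keycloak's redirect URI allow-list:
    an entry ending in '*' matches any URI that starts with the text before the '*';
    any other entry must match the URI exactly. No other wildcard positions are honoured."""
    for pattern in allowed:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def build_redirect_uri(property_value, base_url):
    """Mimic the client expanding {baseUrl} in the configured redirect-uri property.
    Quotes in a .properties value are ordinary characters, so they are kept verbatim."""
    return property_value.replace("{baseUrl}", base_url)


def diagnose(property_value, base_url, allowed):
    """Explain why a configured redirect-uri would or would not pass the allow-list."""
    uri = build_redirect_uri(property_value, base_url)
    if uri.startswith('"') or uri.endswith('"'):
        return "rejected: literal quotes in redirect_uri (remove them from the property value)"
    if not matches_allowed(uri, allowed):
        return "rejected: %s is not covered by the client's Valid Redirect URIs" % uri
    return "accepted: %s" % uri


if __name__ == "__main__":
    sent = extract_redirect_uri(AUTH_URL)
    print("redirect_uri actually sent:", repr(sent))
    print("matches allow-list:", matches_allowed(sent, ALLOWED))
    # The quoted property value from the question versus the answer's unquoted fix.
    for value in ('"{baseUrl}/login/oauth2/code/keycloak"', "{baseUrl}/login/oauth2/code/keycloak"):
        print(repr(value), "->", diagnose(value, "http://localhost:8080", ALLOWED))
```

Run it as-is; it needs only the standard library. The quoted value from the question fails even though `http://localhost:8080/*` is allowed, because the first character of the decoded URI is `"` rather than `h`; dropping the quotes from the property makes the same URI pass.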