
How to change redirect_base variable on Nginx side without affecting authorization flow? #45

Open
Evsegz opened this issue Dec 9, 2021 · 4 comments
Label: question (Further information is requested)

Comments

Evsegz commented Dec 9, 2021

Hello,

As it is: we have many backend applications on which we want to enforce authentication. Nginx should pass the correct request URI, which must be present in the client's configuration on the Identity Provider's side (KeyCloak). So, for each application we must create an additional record in KeyCloak's client parameters. In a situation where we have thousands of applications this is impossible, so we must change the redirect_base variable on the Nginx side. But when we tried to do this, the request didn't get some cookies (auth_redir primarily) and the authorization flow didn't work correctly.

Could you please suggest how to change this variable correctly without affecting the authorization flow? Or maybe there are other ways to fix the root cause of the problem?

lcrilly (Contributor) commented Dec 9, 2021

Please explain this in more detail. Why does Keycloak need to know which URI the end user requested?

Evsegz (Author) commented Dec 9, 2021

Hello @lcrilly,
KeyCloak doesn't have to, but suppose, for example, somebody comes from Nginx to KeyCloak with the URI "123.com", where 123.com is the redirect_base of the request. Nginx will add the /_codexch location to the request. KeyCloak will validate the client credentials and the other parameters of the request: scope and redirect URI. If the redirect URI doesn't match, there will be an error. Thus, for each application behind Nginx there must be a valid redirect URI on the KeyCloak side. Or am I wrong?

lcrilly (Contributor) commented Dec 9, 2021

Each application has a unique hostname (FQDN)? Is there a common domain name (*.foo.com)?
Setting a unique redirect URI in Keycloak for each one is not practical?

Evsegz (Author) commented Dec 10, 2021

Hello @lcrilly,
Yeah, you're right, each application (or group of applications) has a unique hostname. And yes, a common domain name exists, but the OIDC protocol (as I remember) doesn't allow using wildcards in redirect URIs, so I'm not sure how it could help.
There are too many applications to set a unique redirect URI for each one on the KeyCloak side.
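The two points raised in this thread (the redirect URI that nginx-openid-connect sends is redirect_base plus /_codexch, and the provider accepts it only if it exactly matches a registered value, so wildcards do not help) can be made concrete with a small model of the provider-side check. The following is an added example, not code from nginx-openid-connect, Keycloak, or any participant in this issue; the hostnames and the registered list are constructed sample data, and the function names are the example's own.

```javascript
// Added example: models how an OpenID Provider validates redirect_uri, and why a
// per-host redirect_base makes every application host need its own registration.
// Nothing here is nginx-openid-connect or Keycloak code.

// Path appended by nginx-openid-connect to form the code-exchange callback
// (named in the issue); everything else is a constructed assumption.
const CODE_EXCHANGE_PATH = "/_codexch";

// redirect_uri as the thread describes it: redirect_base + /_codexch.
function buildRedirectUri(redirectBase) {
  return redirectBase.replace(/\/+$/, "") + CODE_EXCHANGE_PATH;
}

// Providers compare redirect_uri with the registered values by exact string
// match (OAuth 2.0 / OIDC require this); a "*" pattern in the registered list is
// just a literal string that never equals a real host, so wildcards cannot help.
function isRegisteredRedirectUri(registeredUris, candidate) {
  return registeredUris.includes(candidate);
}

// Provider-side check on an authorization request: extract redirect_uri and
// reject the request if it is absent or not registered for the client.
function validateAuthorizationRequest(authRequestUrl, registeredUris) {
  const url = new URL(authRequestUrl);
  const redirectUri = url.searchParams.get("redirect_uri");
  if (!redirectUri) {
    return { ok: false, error: "missing redirect_uri" };
  }
  if (!isRegisteredRedirectUri(registeredUris, redirectUri)) {
    return { ok: false, error: "unregistered redirect_uri" };
  }
  return { ok: true, redirectUri };
}

// Given the application hosts, the registered list and the function that
// derives redirect_base from a host, report the hosts whose login would fail
// at the provider. This is the planning check an operator would run before
// changing redirect_base: every entry returned here needs a registration.
function unregisteredHosts(hosts, registeredUris, deriveRedirectBase) {
  return hosts.filter(
    (host) => !isRegisteredRedirectUri(registeredUris, buildRedirectUri(deriveRedirectBase(host)))
  );
}

// Constructed sample data (hypothetical hostnames, not from any real deployment).
const registeredRedirectUris = [
  "https://app1.example.com/_codexch",
  "https://*.example.com/_codexch", // literal string; never matches a real host
];
const applicationHosts = ["app1.example.com", "app2.example.com", "app3.example.com"];
const perHostRedirectBase = (host) => `https://${host}`;

// Stand-alone run: shows which hosts would be rejected with a per-host redirect_base.
console.log(unregisteredHosts(applicationHosts, registeredRedirectUris, perHostRedirectBase));
console.log(
  validateAuthorizationRequest(
    "https://idp.example.com/auth?client_id=web&redirect_uri=https%3A%2F%2Fapp2.example.com%2F_codexch",
    registeredRedirectUris
  )
);
```

Running `unregisteredHosts` over the sample data returns app2 and app3: only app1 has an exact registration, and the wildcard entry matches nothing. That is the same outcome the thread describes, just made explicit before the change is rolled out rather than discovered when the login fails.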

@tippexs tippexs added the question Further information is requested label Dec 13, 2021
@tippexs tippexs self-assigned this Dec 13, 2021