Keycloak doesn't accept redirect_uri but OIDCRedirectURI is mandatory #1316

Marek77 · 2025-04-15T09:21:23Z

Marek77
Apr 15, 2025

Hi, I'm running Apache with libapache2-mod-auth-openidc v2.4.16.11-1.bullseye (latest from the Releases page) behind Keycloak v23.0.7 and following the wiki I setup the apache with:

LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so

   OIDCCryptoPassphrase <RANDOM LONG SECRET>
   OIDCProviderMetadataURL https://<KEYCLOAK FQDN>/realms/master/.well-known/openid-configuration
   OIDCClientID <MY TEST CLIENT ID>
   OIDCClientSecret <SECRET>
   OIDCRedirectURI http://<APACHE FQDN>/mytestclientapp/protected
   OIDCRemoteUserClaim preferred_username

   # Added after hitting "header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it"
   OIDCXForwardedHeaders X-Forwarded-Proto
   # Added after hitting "the number of existing, valid state cookies has exceeded the limit"
   OIDCStateMaxNumberOfCookies 10 true

   <Location /mytestclientapp/>
       AuthType openid-connect
       Require valid-user
   </Location>
   Alias "/mytestclientapp/" "/var/www/html/"

I get redirected to the Keycloak server but I cannot log in, I'm getting only "We are sorry... Invalid parameter: redirect_uri"

Keycloak removed support for redirect_uri in v18, but if I comment-out OIDCRedirectURI in Apache config the Apache server doesn't start:

[Tue Apr 15 09:16:32.963005 2025] [auth_openidc:error] [pid 1] oidc_check_config_error: mandatory parameter 'OIDCRedirectURI' is not set
[Tue Apr 15 09:16:32.963020 2025] [:emerg] [pid 1] AH00020: Configuration Failed, exiting

What is the correct configuration for recent keycloak versions?

Answered by zandbelt

Apr 15, 2025

Keycloak would not remove support for redirect_uri but most probably the value you are sending has not been configured for your client in the Keycloak administrative configuration; note that the value must exactly match http://<APACHE FQDN>/mytestclientapp/protected (i.e. in your case plain http and no trailing slash or anything)

View full answer

zandbelt · 2025-04-15T09:26:35Z

zandbelt
Apr 15, 2025
Maintainer

Keycloak would not remove support for redirect_uri but most probably the value you are sending has not been configured for your client in the Keycloak administrative configuration; note that the value must exactly match http://<APACHE FQDN>/mytestclientapp/protected (i.e. in your case plain http and no trailing slash or anything)

2 replies

Marek77 Apr 15, 2025
Author

Thanks, this was it. The Valid redirect URIs entry http://<APACHE FQDN>/mytestclientapp/* also works.

Interestingly https://www.keycloak.org/docs/latest/upgrading/index.html#openid-connect-logout says "The parameter redirect_uri is no longer supported"...

zandbelt Apr 15, 2025
Maintainer

that link is about logout, not about login

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Keycloak doesn't accept redirect_uri but OIDCRedirectURI is mandatory #1316

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Keycloak doesn't accept redirect_uri but OIDCRedirectURI is mandatory #1316

Uh oh!

Marek77 Apr 15, 2025

Replies: 1 comment · 2 replies

Uh oh!

zandbelt Apr 15, 2025 Maintainer

Uh oh!

Marek77 Apr 15, 2025 Author

Uh oh!

zandbelt Apr 15, 2025 Maintainer

Marek77
Apr 15, 2025

Replies: 1 comment 2 replies

zandbelt
Apr 15, 2025
Maintainer

Marek77 Apr 15, 2025
Author

zandbelt Apr 15, 2025
Maintainer