apimanui redirect to external URL

[emm388]

I have apiman v2.2.3 running in Docker behind an nginx reverse proxy and I can't work out how to redirect to the correct external URL once it returns from Keycloak.

The Keycloak realm is configured with the correct redirect URL (i.e. the external URL) and when I hit the apimanui page it correctly redirects to the Keycloak login page but it provides the URL of the internal container as the redirect_url.

For example, it is accesible at https://www.<mydomain>.com/apiman/apimanui. When I navigate to this I get a 302 Found response redirecting me to Keycloak with the following Location header:

https://keycloak.<mydomain>.com/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=http://<containerhostname>:8080/apimanui&state=584874f4-9383-4693-ace1-2d19ed989f31&login=true&scope=openid

Is it picking up the hostname of the apiman container and using this as the redirect? How do I tell it to use a different URL?

This doesn't appear to be related to the Keycloak redirect configuration as even if I add http://<containerhostname>:8080/apimanui as a valid redirect this is not accessible to my browser so will not work.

[msavy]

Please be aware that Apiman 2.2.3.Final is affected by a CVE https://nvd.nist.gov/vuln/detail/CVE-2022-47551

Apiman 2.2.3.Final is no longer supported in the upstream community. If you need support for an older version of Apiman, please speak to your support provider.

If you try using Apiman 3.0.0.Final, you will probably have better luck.

The reason for your issue is that Keycloak and Apiman are in the same container with the old images so they "talk" internally to each other inside the Docker container and that can cause weirdness. You can get around that by setting some environment variables in Keycloak to tell it what the frontend URL is.

Which version of Keycloak you are using will dictate the name of the variable, but it used to be KEYCLOAK_FRONTEND_URL.

Edit: Please note also that you will need to make sure your redirect URLs are set correct in Keycloak admin console!

[msavy]

I should clarify, I mean an environment variable for Keycloak. e.g. export KEYCLOAK_FRONTEND_URL=<whatever your keycloak frontend url should be>

[msavy]

Also, please see my documentation for setting up Keycloak for Apiman 3 here — https://www.apiman.io/apiman-docs/installation-guide/latest/keycloak.html

[emm388]

Thanks for the response.

I've upgraded to 3.0.0.Final and still having the same problem.

I don't understand how setting the Keycloak frontend URL will help here. The Apiman UI is correctly redirecting to my Keycloak instance (so it's getting the correct auth endpoint, which I've set as an environment variable in the apiman container) but it's telling Keycloak to redirect back to the wrong location.

Is there a way that I can tell apiman what its own external URL is?

[msavy]

It's always Keycloak that decides what the return URL is, IIRC

It might be that KC is picking something up from your nginx proxy that's
messing things up.

Depending which Keycloak version you are using, there are different
environment variables to set that ensure the proxy forwarded headers are
paid attention to.

You also need to ensure forwarding headers are set/forwarded properly in
nginx config.

I'm traveling at the moment, so don't have access to my usual resources at
the moment and am on my phone. Hopefully that's enough to get you going!

I can't tell from your profile, but if you're a company that works with me,
feel free to email directly marc@blackparrotlabs.io

[msavy]

keycloak.org/server/reverseproxy