keycloak Posts

Reading Original IP on Keycloak when Installed Behind a Reverse Proxy

Keycloak, or Red Hat Single Sign-On, can capture the IP address of every request that reaches it. But when Keycloak sits behind a reverse proxy, it captures the reverse proxy's IP instead of the original requester's IP.

The workaround is actually quite simple, although the XML file to edit differs depending on your server: add the configuration below to the listeners inside the default-server tag.

<server name="default-server">
	<!-- proxy-address-forwarding="true" makes the listener use the address forwarded by the proxy -->
	<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"
		proxy-address-forwarding="true" />
	<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"
		proxy-address-forwarding="true" />
	<host name="default-host" alias="localhost">
		<location name="/" handler="welcome-content"/>
		<http-invoker security-realm="ApplicationRealm"/>
		<!-- remaining host settings unchanged -->
	</host>
</server>
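A way to check which listeners in a standalone.xml trust forwarded client addresses, added here as an example that is not from the original post. With proxy-address-forwarding="true" a listener takes the client address from the X-Forwarded-For header, so every listener reported as enabled should be reachable only through the reverse proxy. The sample XML, the `internal` listener and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real server: three listeners, one per outcome.
SAMPLE_STANDALONE = """\
<server xmlns="urn:jboss:domain:10.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:10.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" proxy-address-forwarding="true"/>
        <https-listener name="https" socket-binding="https"/>
        <http-listener name="internal" socket-binding="http-internal"
                       proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}"/>
      </server>
    </subsystem>
  </profile>
</server>
"""
LISTENER_TAGS = ("http-listener", "https-listener")

def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]

def forwarding_state(listener):
    """Classify a listener as 'enabled', 'disabled' or 'expression'."""
    raw = listener.get("proxy-address-forwarding")
    if raw is None:
        return "disabled"  # attribute absent: WildFly's default is false
    raw = raw.strip()
    if raw.startswith("${"):
        return "expression"  # resolved at boot from env/system property; check there
    return "enabled" if raw.lower() == "true" else "disabled"

def audit_listeners(xml_text):
    """Return (server, listener, socket-binding, state) for every Undertow listener."""
    rows = []
    for server in ET.fromstring(xml_text).iter():
        if local_name(server.tag) != "server":
            continue
        for child in server:  # direct children only, so the root <server> yields nothing
            if local_name(child.tag) in LISTENER_TAGS:
                rows.append((server.get("name"), child.get("name"),
                             child.get("socket-binding"), forwarding_state(child)))
    return rows

if __name__ == "__main__":
    print(*audit_listeners(SAMPLE_STANDALONE), sep="\n")
```

A listener reported as `expression` gets its value at boot time, so the environment variable or system property it names has to be checked on the running host.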

[Keycloak] How to Solve “/openid-connect/userinfo” which Gives JWT Response instead of A Simple JSON

Previously I was expecting a JSON response from the “/openid-connect/userinfo” API, such as in the screenshot below,

But suddenly someone changed a configuration somewhere, which changed the previous response into,

It took quite some time for me to find out which part of the Keycloak configuration makes this happen. Finally I found the proper configuration: it is located under “Fine Grain OpenID Connect Configuration”. Previously it was “RS512”; changing it to “unsigned” solved my problem.