Keycloak no longer supports redirect_uri #425

Closed
opened 2025-12-29 01:28:59 +01:00 by adam · 7 comments

Originally created by @jerrac on GitHub (Feb 5, 2023).

Bug description
Authenticating to Keycloak fails with an "Invalid parameter: redirect_uri" message

To Reproduce

  • Configure a Keycloak 20.0.1 server, realm, and client.
  • Configure Headscale to use it.
  • Try to authenticate Headscale.

Context info

  • Version of headscale used: 0.30.0
  • Version of tailscale client: Android 1.30.0
  • OS: Headscale server is running off the official Docker image on an Ubuntu 22.04 server.
  • The relevant config parameters you used:
```yaml
oidc:
  issuer: "https://< my keycloak instance >/realms/< my realm >"
  client_id: "< the client id I configured for headscale >"
  client_secret: "< the secret from keycloak >"
  allowed_groups:
    - /headscale
```

According to [these docs](https://www.keycloak.org/docs/latest/upgrading/index.html#openid-connect-logout) "The parameter redirect_uri is no longer supported"

Today is the first time I've tried anything with headscale, and I'm no Keycloak expert, but that doc page seems fairly cut and dried, so I thought I'd at least give you a heads up about it since I didn't find anything about it when I searched.

Now, back to figuring out how to use headscale... :)

adam added the bug label 2025-12-29 01:28:59 +01:00
adam closed this issue 2025-12-29 01:28:59 +01:00

@unreality commented on GitHub (Feb 8, 2023):

I'm fairly sure this is an OIDC configuration error. `redirect_uri` is used in the login flow and is part of the standard. The docs you linked to are talking about the logout flow instead.

Check that your `Valid Redirect URIs` pattern for your Client in Keycloak matches the one that headscale sends (it will be in your browser address bar, urlencoded).


@jerrac commented on GitHub (Feb 9, 2023):

I think I did check the url for the proper redirect uri. I'll test again when I can.

That said, I did try adding `--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true` to my Keycloak startup. And that did make authenticating via Keycloak work. So I'd think my redirect uri is correct.


@madjam002 commented on GitHub (Feb 14, 2023):

I just upgraded from Keycloak 15 to 20.0.3 and have no issues using Headscale. Keycloak is deployed using the Bitnami Helm Chart.

I don't see how the redirect_uri being deprecated from the logout flow is relevant so I think this bug can be closed?


@jerrac commented on GitHub (Feb 14, 2023):

Er, sorry, but I'd like to try and reproduce the issue in a test environment first. It being just something to do with the logout flow isn't making any sense. The error occurs when logging in. Not out.

FYI, I'm using bitnami's Keycloak image as well. Just not the helm chart.


@madjam002 commented on GitHub (Feb 14, 2023):

Headscale doesn't do anything with OIDC logout, it just calls the regular authorization code flow and then validates the id_token. Triple check your redirect URLs are correct and don't have any extraneous characters as you'll get the `Invalid parameter: redirect_uri` error if it's incorrect.

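An added example (editor's illustration, not code from Headscale or Keycloak) of the two halves described in the comments above: the client builds the authorization request and `url.Values` percent-encodes `redirect_uri`, which is why it appears encoded in the browser address bar; the provider then compares that value byte for byte against the registered Valid Redirect URIs, so a trailing slash, a stray space, a fragment or an `http://` scheme all end in the equivalent of "Invalid parameter: redirect_uri". The hostnames are placeholders, and the trailing-`*` wildcard handling is my model of Keycloak's pattern syntax, not its implementation.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Registered "Valid Redirect URIs" for the Headscale client (constructed sample
// values; the hostnames are placeholders, not real deployments).
var registeredRedirectURIs = []string{
	"https://headscale.example.net/oidc/callback",
	"https://dev.headscale.example.net/oidc/*", // trailing-* wildcard, modelled on Keycloak's pattern syntax
}

// AuthorizationURL builds the first request of the authorization code flow.
// url.Values percent-encodes redirect_uri, which is why it shows up encoded in
// the browser address bar when Headscale hands the user to the provider.
func AuthorizationURL(authEndpoint, clientID, redirectURI, state, nonce string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid profile email groups")
	q.Set("state", state)
	q.Set("nonce", nonce)
	return authEndpoint + "?" + q.Encode()
}

// RedirectURIAllowed is the provider-side check, as an assumed model of what
// Keycloak enforces: the requested value must equal a registered entry byte for
// byte, or start with the prefix of an entry that ends in "*". Anything else is
// rejected before an authorization code is ever issued.
func RedirectURIAllowed(requested string, registered []string) (bool, string) {
	u, err := url.Parse(requested)
	if err != nil || !u.IsAbs() || u.Host == "" {
		return false, "redirect_uri is not an absolute URL"
	}
	if u.Fragment != "" {
		return false, "redirect_uri must not carry a fragment"
	}
	host := u.Hostname()
	if u.Scheme != "https" && host != "localhost" && host != "127.0.0.1" {
		return false, "redirect_uri must use https (plain http only for loopback)"
	}
	for _, r := range registered {
		if strings.HasSuffix(r, "*") {
			if strings.HasPrefix(requested, strings.TrimSuffix(r, "*")) {
				return true, ""
			}
			continue
		}
		if requested == r { // exact match: no trailing slash, no stray whitespace
			return true, ""
		}
	}
	return false, "redirect_uri does not match any registered URI"
}

func main() {
	cb := "https://headscale.example.net/oidc/callback"
	fmt.Println(AuthorizationURL("https://idp.example.net/realms/demo/protocol/openid-connect/auth",
		"headscale", cb, "state-123", "nonce-456"))
	// A few near-miss variants of the callback, as seen when a registration is off by a character.
	for _, candidate := range []string{cb, cb + "/", cb + " ", "http://headscale.example.net/oidc/callback"} {
		ok, why := RedirectURIAllowed(candidate, registeredRedirectURIs)
		fmt.Printf("%-55q allowed=%-5v %s\n", candidate, ok, why)
	}
}
```

Reading the `redirect_uri` query parameter out of the address bar and comparing it against the registered value is exactly what the loop in `main` does for the near-miss variants.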

@jerrac commented on GitHub (Feb 17, 2023):

I'm trying to test this on my internal network, where I use my own little Step CA for ACME certs. The thing is that Headscale crashes when I point it at the instance of Keycloak I set up.

```
2023-02-17T15:20:18Z ERR go/src/headscale/oidc.go:52 > Could not retrieve OIDC Config: Get "https://tmpcloak.tipperthecat.life/realms/master/.well-known/openid-configuration": x509: certificate signed by unknown authority error="Get \"https://tmpcloak.tipperthecat.life/realms/master/.well-known/openid-configuration\": x509: certificate signed by unknown authority"
2023-02-17T15:20:18Z FTL go/src/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="Get \"https://tmpcloak.tipperthecat.life/realms/master/.well-known/openid-configuration\": x509: certificate signed by unknown authority"
```

Headscale is running in a `headscale/headscale:latest` container. Is there a way to tell it to trust my CA?

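An added example (editor's code, not Headscale's) of the `x509: certificate signed by unknown authority` failure in the log above and what clears it. It builds a throwaway root CA and a server certificate in memory, standing in for the Step CA in the report, shows the chain check failing against an empty root pool and succeeding once the private root is appended, and wraps that pool in an `http.Client` of the kind a Go service uses to fetch the `.well-known/openid-configuration` document. The hostname is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// issue signs tmpl with signer (parent) and returns the parsed certificate plus its DER bytes.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// makeTestCA builds a throwaway root CA and a server certificate it signed, entirely in
// memory (constructed sample standing in for the Step CA). The CA is returned as PEM.
func makeTestCA(host string) ([]byte, *x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, caDER, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, nil
}

// VerifyServerCert runs the same chain and hostname check a TLS client performs.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NewHTTPClientWithExtraCA trusts the system roots plus the CA(s) in caPEM, which is
// what a Go service needs to fetch OIDC discovery from an issuer behind a private CA.
func NewHTTPClientWithExtraCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CERTIFICATE blocks found in PEM input")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

func main() {
	const host = "tmpcloak.internal.example" // placeholder hostname
	caPEM, leaf, err := makeTestCA(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("empty root pool:  ", VerifyServerCert(leaf, x509.NewCertPool(), host))
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM)
	fmt.Println("with private root:", VerifyServerCert(leaf, pool, host))
}
```

In a container you usually cannot change the code: Go's crypto/x509 on Linux honours the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, so mounting the Step CA root into the container and pointing `SSL_CERT_FILE` at it gives the process the same root pool without rebuilding the image. Keep the added root to the CA you actually run, since it becomes trusted for every TLS connection the process makes, not just the one to Keycloak.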

@jerrac commented on GitHub (Feb 18, 2023):

I installed headscale directly on a VM to get around the cert issue.

Couldn't recreate my issue. So I turned off that flag on my prod Keycloak instance. No issue there anymore either.

No idea what I was running into before.

:\

Reference: starred/headscale#425