Running Apiman Manager behind reverse proxy with external keycloak

[esbakker]

Hi,

I'm having some issues with running the apiman manager behind a reverse proxy. I'm using the docker.io/apiman/wildfly-manager:2.2.3.Final image, and deploying that in OpenShift. I created a route with tls.
I updated that standalone-apiman.xml to enable proxy-address-forwarding for the http-listener.
I can navigate to the https endpoint and I am being redirected to keycloak, where I can login (so at this point the redirect_uri is valid https).
But when I'm logged in it only shows Forbidden. In the logs I see the following message:

10:38:03,724 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token
10:38:03,724 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) status from server: 400
10:38:03,724 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) {"error":"invalid_grant","error_description":"Incorrect redirect_uri"}

And in the keycloak logs:

2023-12-07 10:45:39,446 WARN [org.keycloak.events] (executor-thread-3) type=CODE_TO_TOKEN_ERROR, realmId=apiman, clientId=apimanui, userId=, ipAddress=, error=invalid_code, grant_type=authorization_code, code_id=8, client_auth_method=client-secret

It's working fine when using http instead of https. And we're running a lot more applications on OpenShift that don't have any issues (running spring boot/tomcat or nginx). So I'm assuming it's a wildfly or apiman.

Is there some setting that I'm missing?

[jahiru22ec]

What version of keycloak are you using?

[esbakker]

The latest (keycloak 23.0.1).

Although I have the feeling it might be an issue with wildfly or the wildfly keycloak adapter, since that's the one that requests the code with the incorrect url?

[jahiru22ec]

That's right, I've tested wildfly apiman with Keycloak 23.0.0+ and it has the same drawback, possibly due to a removal of the wildfly adapter clients in Keycloak 23+.

I haven't had much time to dig deeper, but what worked for me was enabling a Keycloak version 22.0.0.5 specifically for apiman.

If you have a single authentication domain and you need to maintain the latest version of Keycloak and you also have to run apiman, you can use a reverse proxy for the Keycloak authentication server that has both versions running through the same domain and using a path, for example /v1/ to direct you to the specific version of Keycloak that works well with Apiman.

[esbakker]

Thanks for looking in to it. Unfortunately downgrading or running a separate Keycloak is not really an option for us. Should I file a bug to make this work with newer Keycloak? Or are there other options to make it work? I also saw a tomcat-manager docker image, but couldn't find any documentation about running/configuring that.

[kirby0025]

Hi,
Just passing by to say that I had the same issue that @esbakker and downgrading keycloak in 22.0.5 resolved the issue.
Which is not ideal since it block upgrades of keycloak, but it's juste a PoC for now so I guess I can live with that.

[jahiru22ec]

Thanks to this answer I have been able to work with the new versions of Keycloak and Apiman Wildfly.

---

Yep! It's the iss, if you see the two redirect_uri are just different because of the iss param. Go to your client and in the Advanced tab set Exclude Issuer From Authentication Response to ON.

This problem is not related to teh changes in the redirect_uri validation but with the new iss parameter introduced by the spec. Your client does not remove it from the URI.

Originally posted by @rmartinc in keycloak/keycloak#25684 (reply in thread)

[msavy]

Interesting. I'm currently working on some code in this area for v4. It may be worth adding some test cases.

…

On Mon, 14 Jul 2025, 03:36 jahiru22ec, ***@***.***> wrote: Yep! It's the iss, if you see the two redirect_uri are just different because of the iss param. Go to your client and in the Advanced tab set Exclude Issuer From Authentication Response to ON. This problem is not related to teh changes in the redirect_uri validation but with the new iss parameter introduced by the spec. Your client does not remove it from the URI. *Originally posted by @rmartinc <https://github.com/rmartinc> in keycloak/keycloak#25684 (reply in thread) <keycloak/keycloak#25684 (reply in thread)>* — Reply to this email directly, view it on GitHub <#2629 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADHMWI76RGTURST5KPHOWD3IMJRNAVCNFSM6AAAAACBNZEEXSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZUG4YTAMQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>