Fix Keycloak login: enable assume_ssl for reverse proxy #154

Closed
opened 2026-06-07 04:18:13 +00:00 by ldraney · 0 comments
Owner

Type

Bug

Lineage

Related to ldraney/landscaping-assistant #151 (login page fix deployed but Keycloak rejects the redirect).

Repo

ldraney/landscaping-assistant

What Broke

Clicking "Sign in with Keycloak" on the login page shows Keycloak's grey "We are sorry" error page. Keycloak logs: error="invalid_redirect_uri", clientId="landscaping-assistant".

Root cause: config.assume_ssl = true is commented out in config/environments/production.rb. Without it, Rails doesn't trust X-Forwarded-Proto from the Tailscale funnel reverse proxy, so OmniAuth auto-derives the callback URL as http://... instead of https://.... Keycloak only accepts https://landscaping-assistant.tail5b443a.ts.net/auth/keycloak/callback.

Repro Steps

  1. Visit https://landscaping-assistant.tail5b443a.ts.net/
  2. Get redirected to /login
  3. Click "Sign in with Keycloak"
  4. Observe: Keycloak grey error page "We are sorry"

Expected Behavior

Clicking sign-in should show the Keycloak login form and authenticate the user.

Environment

  • Cluster/namespace: prod (landscaping-assistant)
  • Image: d42018a
  • Keycloak realm: landscaping, client: landscaping-assistant

Acceptance Criteria

  • Clicking sign-in shows Keycloak login form
  • Successful login redirects back to the app as authenticated user
  • Super admin can log in and see admin tabs

Related

  • landscaping-assistant project
  • ldraney/landscaping-assistant #151 — login page fix (prerequisite, already deployed)
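
An added example, not part of the original issue or the project's code: a simplified Ruby model of the failure described under "What Broke", showing how a callback URL derived behind a TLS-terminating proxy fails an exact redirect-URI match and how forcing the HTTPS markers fixes it. `DERIVE_CALLBACK`, `AssumeHttps`, `check_redirect` and the request env are hypothetical and constructed; only the registered redirect URI and the `invalid_redirect_uri` error come from the issue.

```ruby
require "uri"

# Redirect URI the issue says Keycloak accepts for this client.
REGISTERED = "https://landscaping-assistant.tail5b443a.ts.net/auth/keycloak/callback"

# Hypothetical app: auto-derives its OAuth callback URL from the request env.
# Simplified model (assumption): the scheme comes from rack.url_scheme only.
DERIVE_CALLBACK = lambda do |env|
  "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}/auth/keycloak/callback"
end

# Middleware modeled on the effect of config.assume_ssl = true:
# mark every request as HTTPS before the app sees it.
class AssumeHttps
  def initialize(app)
    @app = app
  end

  def call(env)
    @app.call(env.merge("HTTPS" => "on", "HTTP_X_FORWARDED_PROTO" => "https",
                        "HTTP_X_FORWARDED_PORT" => "443", "rack.url_scheme" => "https"))
  end
end

# Exact-match check against the single registered URI (assumed matching rule),
# which also names the URL components that differ to speed up diagnosis.
def check_redirect(derived, registered = REGISTERED)
  d = URI.parse(derived)
  r = URI.parse(registered)
  ok = derived == registered
  differs = %i[scheme host path].reject { |part| d.send(part) == r.send(part) }
  { ok: ok, error: ok ? nil : "invalid_redirect_uri", differs: differs }
end

# Constructed env: the proxy terminated TLS and forwarded plain HTTP to the app.
PROXIED_ENV = {
  "rack.url_scheme" => "http",
  "HTTP_HOST" => "landscaping-assistant.tail5b443a.ts.net"
}.freeze

def before_fix
  check_redirect(DERIVE_CALLBACK.call(PROXIED_ENV))
end

def after_fix
  check_redirect(AssumeHttps.new(DERIVE_CALLBACK).call(PROXIED_ENV))
end

puts "before: #{before_fix}", "after:  #{after_fix}" if __FILE__ == $PROGRAM_NAME
```

The `differs` field isolates a scheme-only mismatch from a wrong host or path, which is the distinction that matters when reading an `invalid_redirect_uri` entry in the Keycloak log.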