Custom hostname with c8.8 and docker-compose

When using Camunda 8.8 started by the docker-compose (full) including Keycloak, I try to use a different hostname than “localhost”, i.e. setting the HOST variable in the env-file. I try to set it to the hostname of the computer. But then it breaks the whole auth flow, more exactly the redirect flow. I just get a page saying “Invalid parameter: redirect_uri” when trying to access Operate on port 8088. Accessing Identity on port 8084 seems to work though (after login as usual)... very strange.

Hi @hakanostrom,

This is a common configuration issue when using custom hostnames with Camunda 8.8 docker-compose and Keycloak authentication. The “Invalid parameter: redirect_uri” error typically occurs because some services still have hardcoded localhost values instead of properly using the ${HOST} variable.

Root Cause

The issue happens because the OAuth/OIDC redirect URIs configured in Keycloak don’t match what your services are actually requesting when using a custom hostname.

Solution Steps

1. Check Your Identity Service Configuration

Make sure your Identity service is properly configured to use the ${HOST} variable in all URLs:

identity:
  environment:
    IDENTITY_URL: https://${HOST}/identity
    KEYCLOAK_URL: http://keycloak:18080/auth
    IDENTITY_AUTH_PROVIDER_ISSUER_URL: https://${HOST}/auth/realms/camunda-platform
    IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:18080/auth/realms/camunda-platform
    KEYCLOAK_INIT_OPERATE_ROOT_URL: https://${HOST}/operate
    KEYCLOAK_INIT_TASKLIST_ROOT_URL: https://${HOST}/tasklist
    KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: https://${HOST}/optimize

2. Configure Operate Service

Ensure Operate is configured with the correct issuer URLs:

operate:
  environment:
    - CAMUNDA_OPERATE_IDENTITY_ISSUER_URL=https://${HOST}/auth/realms/camunda-platform
    - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=https://${HOST}/auth/realms/camunda-platform
    - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://${HOST}/auth/realms/camunda-platform/protocol/openid-connect/certs

3. Check for Hardcoded Values

There’s a known issue where some services (particularly web-modeler-webapp) have hardcoded localhost values. Look for any SERVER_URL: "http://localhost:8070" entries and change them to use ${HOST}:

SERVER_URL: "http://${HOST}:8070"

4. Verify Environment Variables

Make sure both HOST and KEYCLOAK_HOST variables are properly set in your .env file to your computer’s hostname.

5. Protocol Consistency

If you’re using HTTPS, ensure all URLs consistently use HTTPS throughout your configuration.

After making these changes, restart your Docker Compose stack completely:

docker-compose down
docker-compose up -d

The fact that Identity works but Operate doesn’t suggests that the redirect URIs for Operate specifically aren’t matching what Keycloak expects. This configuration should resolve the issue.

Let me know if you need help with any specific part of the configuration!

After every restart of Camunda in my own VM I have the same issue. A lot of them are a configuration issue within Keycloak. Even though the env in the docker-compose file is correct, there can be the issue that Keycloak checks the redirect URI against the Keycloak-known “valid” redirect URIs. So for me the solution was to add the additional valid URI in every config for each Camunda service in Keycloak. After that it worked.

Unfortunately there is a bug in Camunda Identity that overwrites the Keycloak config every time the corresponding Docker Identity container restarts (not the Keycloak container). At least that was the case in early November 2025, when I last looked into it. Perhaps it is fixed already.
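Two of the checks described in this thread (step 3 of the first answer, hunting for URLs still hardcoded to localhost, and the reply above, where Keycloak rejects a redirect_uri that is not covered by a client's "Valid redirect URIs") can be scripted before restarting the stack. This is an added example, not code from Camunda or from this thread; the compose excerpt, hostname and callback path are constructed, and the Keycloak matching logic is a simplified model (exact match, or prefix match when the pattern ends in `*`), not Keycloak's own implementation.

```python
import re

# Constructed docker-compose excerpt modelled on the answer above.
# The web-modeler SERVER_URL line is the kind of entry step 3 tells you to find.
COMPOSE_EXCERPT = """\
identity:
  environment:
    IDENTITY_URL: https://${HOST}/identity
    KEYCLOAK_INIT_OPERATE_ROOT_URL: https://${HOST}/operate
web-modeler-webapp:
  environment:
    SERVER_URL: "http://localhost:8070"
operate:
  environment:
    - CAMUNDA_OPERATE_IDENTITY_ISSUER_URL=https://${HOST}/auth/realms/camunda-platform
"""

URL_RE = re.compile(r"https?://[^\s\"']+")
HOST_RE = re.compile(r"https?://([^/:]+)")


def find_localhost_urls(compose_text: str) -> list[tuple[int, str]]:
    """Return (line number, url) for every URL whose host is still localhost/127.0.0.1.
    URLs using ${HOST} are left alone; they resolve from the .env file."""
    hits = []
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            m = HOST_RE.match(url)
            host = m.group(1) if m else ""
            if host in ("localhost", "127.0.0.1"):
                hits.append((lineno, url))
    return hits


def keycloak_redirect_allowed(redirect_uri: str, valid_redirect_uris: list[str]) -> bool:
    """Simplified model (assumption) of Keycloak's 'Valid redirect URIs' check:
    a pattern matches exactly, or as a prefix when it ends with '*'."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


if __name__ == "__main__":
    for lineno, url in find_localhost_urls(COMPOSE_EXCERPT):
        print(f"line {lineno}: still hardcoded -> {url}")
    # Constructed callback: what Operate sends once HOST is changed to 'myhost'.
    requested = "http://myhost:8088/operate/callback"
    print("allowed with localhost-only client:",
          keycloak_redirect_allowed(requested, ["http://localhost:8088/*"]))
    print("allowed after adding the new host:",
          keycloak_redirect_allowed(requested, ["http://localhost:8088/*", "http://myhost:8088/*"]))
```

If the Identity container rewrites the Keycloak client on restart, as the reply describes, rerun the second check after each restart rather than trusting the value you set in the Keycloak console once.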

Hello,

I had the same issue and couldn’t let it go. After searching, I stumbled upon this post and continued my research. I tried to put my IP address directly into the docker-compose-full.yaml file, so instead of http://${$HOST}:8088 I put http://10.10.1.xx:8088, but it didn’t work either.

SOLUTION:

You need to get into the hidden folder “.identity”. On Windows you need to enable hidden files/folders, and on Linux you can type “ls -la” to see them and then move into it with “cd .identity”. There you need to open the application.yaml and change all localhost to your IP address.

I found out that for some reason identity overrides the HOST variables so this solved the issue for me. If something changes I’ll update this post.