[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Marek Posolda
mposolda at redhat.com
Thu Jan 28 09:35:02 EST 2016
Does login through Google work if you don't go through the nginx proxy
(i.e. hit Keycloak directly on port 8180)? Is there anything in the log?
Marek
On 28/01/16 13:23, Adrian Matei wrote:
> Thanks Marek, that fixed the NoClassDefFoundError, but now I am
> getting the same "This webpage has a redirect loop" message when
> trying to sign in with Google also...
>
> On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> I suppose you're using Keycloak 1.7? There is a known issue related
> to this NoClassDefFoundError. You can work around it by editing the file
> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
> and adding the line:
>
> <module name="org.keycloak.keycloak-broker-core"/>
>
> into dependencies section. Same for module
> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>
> Marek
>
>
>
> On 28/01/16 06:47, Adrian Matei wrote:
>> Hi everyone,
>>
>> I am experiencing "too many redirects"/infinite redirect loop issues in
>> the browser when I try to log in with social providers. I am
>> also getting an internal server error in Chrome via Google account
>> (Caused by: java.lang.NoClassDefFoundError:
>> org/keycloak/broker/provider/BrokeredIdentityContext). It might
>> be my configuration, but I did everything "by the book":
>>
>> # realm Require SSL: none  (note: nginx forwards X-Forwarded-Proto and the
>> # Undertow listener has proxy-address-forwarding, so "external requests"
>> # should work here; with "none", Keycloak also accepts plain-HTTP logins
>> # from anything that can reach port 8180 directly)
>>
>> #nginx
>> # review notes: `location /` uses root /opt/tomcat/webapps/ROOT with
>> # try_files $uri, so nginx serves any file that exists there - including
>> # WEB-INF/ and META-INF/, which Tomcat itself would refuse - before the
>> # request ever reaches @tomcat; serve static content from a dedicated
>> # directory or add `location ~ /(WEB-INF|META-INF)/ { deny all; }`.
>> # The /maintenance.html entry precedes @tomcat in try_files, so whenever
>> # that file exists every request for a non-existent path gets the
>> # maintenance page instead of being proxied. gzip on text/html and
>> # application/json over TLS also exposes responses carrying tokens to
>> # BREACH-style compression attacks.
>> http {
>> gzip on;
>> gzip_proxied any;
>> #gzip_proxied no-cache no-store private expired auth;
>> gzip_types text/plain text/html text/css application/json
>> application/x-javascript application/xml application/xml+rss
>> text/javascript application/javascript text/x-js;
>> #gzip_min_length 1000;
>>
>>
>> server_tokens off; # omit the nginx version (and OS) from the Server header and error pages
>> include /etc/nginx/mime.types;
>>
>>
>> upstream tomcat_server {
>> server localhost:8080;
>> }
>> upstream keycloak_server {
>> server localhost:8180;
>> }
>>
>> server {
>> listen 80;
>> server_name podcastmania.ro
>> <http://podcastmania.ro/>;
>> return 301 https://$host$request_uri;
>> }
>>
>> server {
>>
>> listen 443 ssl;
>>
>> server_name podcastmania.ro
>> <http://podcastmania.ro/> www.podcastmania.ro
>> <http://www.podcastmania.ro>;
>>
>> ssl_certificate /etc/nginx/ssl/nginx.crt;
>> ssl_certificate_key /etc/nginx/ssl/nginx.key;
>> location / {
>> root /opt/tomcat/webapps/ROOT;
>> try_files $uri /maintenance.html @tomcat;
>> }
>>
>> location @tomcat {
>> proxy_pass http://tomcat_server
>> <http://tomcat_server/>;
>>
>> proxy_set_header Host $host; # forward the client's original Host header
>> # instead of the default $proxy_host (the upstream name), so the app
>> # builds redirect URIs for the public hostname
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For
>> $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $scheme;
>> }
>>
>>
>> location /auth/ {
>> root
>> /opt/keycloak/standalone/configuration/themes/keycloak/;
>> try_files $uri @keycloak;
>> }
>>
>> location @keycloak {
>> proxy_pass http://keycloak_server
>> <http://keycloak_server/>;
>>
>> proxy_set_header Host $host;
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For
>> $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $scheme;
>> proxy_set_header X-Forwarded-Port 443;
>> }
>>
>>
>> }
>>
>>
>> # standalone.xml  (note: proxy-address-forwarding="true" makes Undertow
>> # trust X-Forwarded-For/Proto/Port from whoever connects to the listener,
>> # and the socket-binding-group below sits on the "public" interface, so
>> # port 8180 must be reachable only from nginx - bind it to loopback or
>> # firewall it, otherwise a direct client can spoof a "secure" request)
>> <subsystem xmlns="urn:jboss:domain:undertow:2.0">
>> <buffer-cache name="default"/>
>> <server name="default-server">
>> <http-listener name="default"
>> socket-binding="http" *redirect-socket="proxy-https"
>> proxy-address-forwarding="true"*/>
>> <host name="default-host" alias="localhost">
>> <location name="/" handler="welcome-content"/>
>> <filter-ref name="server-header"/>
>> <filter-ref name="x-powered-by-header"/>
>> </host>
>> </server>
>>
>> <socket-binding-group name="standard-sockets"
>> default-interface="public"
>> port-offset="${jboss.socket.binding.port-offset:100}">
>> <socket-binding name="management-http"
>> interface="management" port="${jboss.management.http.port:9990}"/>
>> <socket-binding name="management-https"
>> interface="management" port="${jboss.management.https.port:9993}"/>
>> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>> <socket-binding name="http" port="${jboss.http.port:8080}"/>
>> <socket-binding name="https"
>> port="${jboss.https.port:8443}"/>
>> <socket-binding name="txn-recovery-environment" port="4712"/>
>> <socket-binding name="txn-status-manager" port="4713"/>
>> * <socket-binding name="proxy-https" port="443"/>*
>> <outbound-socket-binding name="mail-smtp">
>> <remote-destination host="localhost" port="25"/>
>> </outbound-socket-binding>
>> </socket-binding-group>
>>
>> # app:spring security configuration  (note: logoutRequestMatcher below
>> # accepts GET /sso/logout**, so any cross-site link or <img> can force a
>> # logout; prefer POST with CSRF protection once the loop is fixed)
>> <context:component-scan
>> base-package="org.keycloak.adapters.springsecurity" />
>>
>> <security:authentication-manager alias="authenticationManager">
>> <security:authentication-provider
>> ref="keycloakAuthenticationProvider" />
>> </security:authentication-manager>
>>
>> <bean id="adapterDeploymentContext"
>> class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
>> <constructor-arg value="classpath:keycloak.json" />
>> </bean>
>> <bean id="keycloakAuthenticationEntryPoint"
>> class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
>> />
>> <bean id="keycloakAuthenticationProvider"
>> class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
>> />
>> <bean id="keycloakPreAuthActionsFilter"
>> class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
>> />
>> <bean id="keycloakAuthenticationProcessingFilter"
>> class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
>> <constructor-arg name="authenticationManager"
>> ref="authenticationManager" />
>> </bean>
>>
>> <bean id="keycloakLogoutHandler"
>> class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
>> <constructor-arg ref="adapterDeploymentContext" />
>> </bean>
>>
>> <bean id="logoutFilter"
>> class="org.springframework.security.web.authentication.logout.LogoutFilter">
>> <constructor-arg name="logoutSuccessUrl" value="/" />
>> <constructor-arg name="handlers">
>> <list>
>> <ref bean="keycloakLogoutHandler" />
>> <bean
>> class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
>> />
>> </list>
>> </constructor-arg>
>> <property name="logoutRequestMatcher">
>> <bean
>> class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>> <constructor-arg name="pattern" value="/sso/logout**" />
>> <constructor-arg name="httpMethod" value="GET" />
>> </bean>
>> </property>
>> </bean>
>>
>> <security:http auto-config="false" use-expressions="true"
>> entry-point-ref="keycloakAuthenticationEntryPoint">
>> <security:custom-filter ref="keycloakPreAuthActionsFilter"
>> before="LOGOUT_FILTER" />
>> <security:custom-filter
>> ref="keycloakAuthenticationProcessingFilter"
>> before="FORM_LOGIN_FILTER" />
>> <security:intercept-url pattern="/users/registration"
>> access="permitAll"/>
>> <security:intercept-url
>> pattern="/users/registration/confirm-email" access="permitAll"/>
>> <security:intercept-url pattern="/users/registration/confirmed"
>> access="permitAll"/>
>> <security:intercept-url pattern="/users/password-forgotten"
>> access="permitAll"/>
>> <security:intercept-url
>> pattern="/users/password-forgotten/confirm-email"
>> access="permitAll"/>
>> <security:intercept-url
>> pattern="/users/password-forgotten/confirmed" access="permitAll"/>
>> <security:intercept-url pattern="/users/**/*"
>> access="hasRole('ROLE_USER')"/>
>> <security:intercept-url pattern="/**" access="permitAll"/>
>> <security:custom-filter ref="logoutFilter"
>> position="LOGOUT_FILTER" />
>> </security:http>
>>
>> Has anyone faced similar issues?
>>
>> Thanks,
>> Adrian
>>
>>
>
>