[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue

Adrian Matei adrianmatei at gmail.com
Sat Jan 30 01:13:23 EST 2016


Hey Doug,

Thanks for the info. Did that too, but I am still getting that infamous
invalid *redirect_uri* which contains *http* instead of *https*, though I
set up https everywhere - need to look at it with a fresh mind I guess...

Adrian

On Fri, Jan 29, 2016 at 9:07 AM, Doug Szeto <DSzeto at investlab.com> wrote:

> Ran into your issue, found that securing the channel between nginx and
> keycloak did the trick.
> —Doug
>
> From: <keycloak-user-bounces at lists.jboss.org> on behalf of Adrian Matei <
> adrianmatei at gmail.com>
> Date: Friday, January 29, 2016 at 4:12 AM
> To: Marek Posolda <mposolda at redhat.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many
> redirects issue
>
> Hi Marek,
>
> everything works fine with both fb and google logins via nginx as reverse
> proxy, as long as I do everything over HTTP. Once I switch to HTTPS now I
> get either "Invalid parameter:redirect_uri" (the redirect_uri query
> parameter is generated with *http, not https* in the navigation bar)
> before reaching the login form dialog, or the redirect loops (fb login), or Error:
> redirect_uri_mismatch with google login if I manage to get past that...
> In the realm client configuration I've added both
> https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect
> URIs.
>
> Note: the builtin account application can be accessed correctly both with
> fb and google via https too...
>
> I guess the next step would be to try to secure also the channel between
> nginx and keycloak, but that shouldn't be mandatory right?...
>
> Thanks,
> Adrian
>
> On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> Does login through Google work if you don't use the nginx proxy? Is there
>> anything in the log?
>>
>> Marek
>>
>>
>> On 28/01/16 13:23, Adrian Matei wrote:
>>
>> Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting
>> the same "This webpage has a redirect loop" message when trying to sign in
>> with Google also...
>>
>> On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> I suppose you're using Keycloak 1.7? There is a known issue related to
>>> this NoClassDefFoundError. You can work around it by editing the file
>>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
>>> and adding the line:
>>>
>>> <module name="org.keycloak.keycloak-broker-core"/>
>>>
>>> into dependencies section. Same for module
>>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>>>
>>> Marek
>>>
>>>
>>>
>>> On 28/01/16 06:47, Adrian Matei wrote:
>>>
>>> Hi everyone,
>>>
>>> I am experiencing "too many redirects"/infinite loop issues in the
>>> browser when I try to connect with social providers. I am also getting an
>>> internal server error on Chrome via google account (Caused by:
>>> java.lang.NoClassDefFoundError:
>>> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
>>> configuration, but I did everything "by the book":
>>>
>>> # realm Require SSL:none
>>>
>>> #nginx
>>> http {
>>>         gzip on;
>>>         gzip_proxied any;
>>>         #gzip_proxied no-cache no-store private expired auth;
>>>         gzip_types text/plain text/html text/css application/json
>>>                    application/x-javascript application/xml application/xml+rss
>>>                    text/javascript application/javascript text/x-js;
>>>         #gzip_min_length 1000;
>>>
>>>         server_tokens off; # hides the nginx version and OS
>>>         include /etc/nginx/mime.types;
>>>
>>>         upstream tomcat_server {
>>>                 server localhost:8080;
>>>         }
>>>         upstream keycloak_server {
>>>                 server localhost:8180;
>>>         }
>>>
>>>         server {
>>>                 listen 80;
>>>                 server_name podcastmania.ro;
>>>                 return 301 https://$host$request_uri;
>>>         }
>>>
>>>         server {
>>>                 listen 443 ssl;
>>>                 server_name podcastmania.ro www.podcastmania.ro;
>>>
>>>                 ssl_certificate     /etc/nginx/ssl/nginx.crt;
>>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>
>>>                 location / {
>>>                         root /opt/tomcat/webapps/ROOT;
>>>                         try_files $uri /maintenance.html @tomcat;
>>>                 }
>>>
>>>                 location @tomcat {
>>>                         proxy_pass http://tomcat_server;
>>>                         # replace the default "Host" ($proxy_host) with the originating request host
>>>                         proxy_set_header Host               $host;
>>>                         proxy_set_header X-Real-IP          $remote_addr;
>>>                         proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>>>                         proxy_set_header X-Forwarded-Proto  $scheme;
>>>                 }
>>>
>>>                 location /auth/ {
>>>                         root /opt/keycloak/standalone/configuration/themes/keycloak/;
>>>                         try_files $uri @keycloak;
>>>                 }
>>>
>>>                 location @keycloak {
>>>                         proxy_pass http://keycloak_server;
>>>                         proxy_set_header Host               $host;
>>>                         proxy_set_header X-Real-IP          $remote_addr;
>>>                         proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>>>                         proxy_set_header X-Forwarded-Proto  $scheme;
>>>                         proxy_set_header X-Forwarded-Port   443;
>>>                 }
>>>         }
>>> }
>>>
>>>
>>> # standalone.xml
>>>         <subsystem xmlns="urn:jboss:domain:undertow:2.0">
>>>             <buffer-cache name="default"/>
>>>             <server name="default-server">
>>>                 <!-- proxy settings: redirect-socket and proxy-address-forwarding -->
>>>                 <http-listener name="default" socket-binding="http"
>>>                                redirect-socket="proxy-https"
>>>                                proxy-address-forwarding="true"/>
>>>                 <host name="default-host" alias="localhost">
>>>                     <location name="/" handler="welcome-content"/>
>>>                     <filter-ref name="server-header"/>
>>>                     <filter-ref name="x-powered-by-header"/>
>>>                 </host>
>>>             </server>
>>>
>>>     <socket-binding-group name="standard-sockets" default-interface="public"
>>>                           port-offset="${jboss.socket.binding.port-offset:100}">
>>>         <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
>>>         <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
>>>         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>>         <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>>         <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>>         <socket-binding name="txn-recovery-environment" port="4712"/>
>>>         <socket-binding name="txn-status-manager" port="4713"/>
>>>         <!-- proxy setting: the port on which clients reach nginx -->
>>>         <socket-binding name="proxy-https" port="443"/>
>>>         <outbound-socket-binding name="mail-smtp">
>>>             <remote-destination host="localhost" port="25"/>
>>>         </outbound-socket-binding>
>>>     </socket-binding-group>
>>>
>>> # app:spring security configuration
>>>
>>> <context:component-scan base-package="org.keycloak.adapters.springsecurity" />
>>>
>>> <security:authentication-manager alias="authenticationManager">
>>>   <security:authentication-provider ref="keycloakAuthenticationProvider" />
>>> </security:authentication-manager>
>>>
>>> <bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
>>>   <constructor-arg value="classpath:keycloak.json" />
>>> </bean>
>>>
>>> <bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
>>> <bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
>>> <bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />
>>>
>>> <bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
>>>   <constructor-arg name="authenticationManager" ref="authenticationManager" />
>>> </bean>
>>>
>>> <bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
>>>   <constructor-arg ref="adapterDeploymentContext" />
>>> </bean>
>>>
>>> <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
>>>   <constructor-arg name="logoutSuccessUrl" value="/" />
>>>   <constructor-arg name="handlers">
>>>     <list>
>>>       <ref bean="keycloakLogoutHandler" />
>>>       <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
>>>     </list>
>>>   </constructor-arg>
>>>   <property name="logoutRequestMatcher">
>>>     <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>>>       <constructor-arg name="pattern" value="/sso/logout**" />
>>>       <constructor-arg name="httpMethod" value="GET" />
>>>     </bean>
>>>   </property>
>>> </bean>
>>>
>>> <security:http auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint">
>>>   <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
>>>   <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
>>>   <security:intercept-url pattern="/users/registration" access="permitAll"/>
>>>   <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
>>>   <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
>>>   <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
>>>   <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
>>>   <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>
>>>   <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
>>>   <security:intercept-url pattern="/**" access="permitAll"/>
>>>   <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
>>> </security:http>
>>>
>>>
>>> Has anyone faced similar issues?
>>>
>>> Thanks,
>>> Adrian
>>>
>>>
>>>
>>>
>>>
>>
>>
>
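The forwarded-header problem the whole thread circles around, as an added illustration that is not code from the thread, from Keycloak or from Undertow: a simplified model of how a backend behind a TLS-terminating proxy derives its external base URL with and without honouring X-Forwarded-Proto/X-Forwarded-Port, followed by a Keycloak-style wildcard match of the resulting redirect_uri against the realm's valid redirect URIs. The callback path /sso/login and the header values are constructed assumptions.

```python
# Added illustration (not from the thread, Keycloak or Undertow): why the
# redirect_uri comes out as http:// when the X-Forwarded-* headers set by nginx
# are ignored, and how the realm's valid-redirect-URI list reacts to it.

def external_base_url(headers, listener_scheme="http", proxy_address_forwarding=False):
    """Return the scheme://host[:port] a backend believes it was reached on.

    listener_scheme is the scheme of the backend listener nginx talks to (plain
    http here). With proxy_address_forwarding=False the forwarded headers are
    ignored, which is what yields an http:// URL behind an https:// proxy.
    """
    host = headers.get("Host", "localhost")
    scheme = listener_scheme
    if proxy_address_forwarding:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        port = int(headers.get("X-Forwarded-Port", 0))
        default = 443 if scheme == "https" else 80
        if port and port != default and ":" not in host:
            host = f"{host}:{port}"
    return f"{scheme}://{host}"

def redirect_uri_allowed(redirect_uri, valid_redirect_uris):
    """Keycloak-style check: exact match, or prefix match for patterns ending in '*'."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False

# Constructed sample: the headers the proxy_set_header lines in the nginx
# config above would send for a request to https://podcastmania.ro/...
FORWARDED = {"Host": "podcastmania.ro", "X-Forwarded-Proto": "https",
             "X-Forwarded-Port": "443", "X-Forwarded-For": "203.0.113.5"}

def check(valid_redirect_uris, forwarding):
    """Build the callback URL the app would send as redirect_uri and test it."""
    base = external_base_url(FORWARDED, proxy_address_forwarding=forwarding)
    redirect_uri = base + "/sso/login"  # assumed callback path
    return redirect_uri, redirect_uri_allowed(redirect_uri, valid_redirect_uris)

if __name__ == "__main__":
    strict = ["https://podcastmania.ro/*"]
    for forwarding in (False, True):
        uri, ok = check(strict, forwarding)
        state = "allowed" if ok else "rejected (Invalid parameter: redirect_uri)"
        print(f"proxy-address-forwarding={forwarding}: {uri} -> {state}")
```

Listing both the http:// and the https:// pattern, as in the thread, makes this check pass even though the scheme is still wrong, so the wrong scheme is no longer caught here.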