[keycloak-user] redirection error with Keycloak-proxy

Guy Bowdler guybowdler at dorsetnetworks.com
Tue May 24 07:34:34 EDT 2016


Typical, spent two days faffing on this and as soon as I ask the forum, 
I find it. I repointed the kc proxy "auth-server-url" direct at 
keycloak and it works fine. Point it at the nginx proxied version of 
keycloak and it dies. It authenticates, and the user sessions show in 
the keycloak console, and SSO works, as I can go to another URL and that 
too shows a session, but neither page renders when keycloak is behind 
nginx.

Anyone had a similar experience?

On 2016-05-24 11:25, Guy Bowdler wrote:
> It might be this, as we have the keycloak instance running behind
> another nginx proxy:
> 
> https://issues.jboss.org/browse/KEYCLOAK-2054
> 
> If anyone can help confirm this it would be a massive help as the fix
> isn't due out until June 22 and would save unnecessary troubleshooting
> 
> 
> 
> On 2016-05-24 10:48, Guy Bowdler wrote:
>> Hi:)
>> 
>> Has anybody seen this error?
>> 
>> I have  (http://host.name/appname) --> [KeyCloakProxy:80 -->
>> nginx:8080]
>>   -->  [Web apps on different boxes] where [] denotes on same box.
>> Namespace is hostname/appname where nginx location directives proxy
>> out again to different boxes.
>> 
>> I've previously had this working but when I changed the keystore it
>> all broke and haven't found the problem yet.  Troubleshooting steps
>> have been to take out the ssl entirely and try different client
>> settings. If I remove the constraints in the proxy config, it proxies
>> ok to the webpages, and if the constraints are in, I log in ok and
>> then the browser goes blank with a URL like this in the address bar:
>> 
>> http://apps.host.name/python?state=0%2F52043b01-976f-464f-8651-ebe295aac2af&code=-_odSdHkDVnID6JhPeKV2QXh_1oub5DDLP2ZLZ6pA_0.ef2bd934-2fd8-48da-a626-106712b687b1
>> 
>> The error stack below is from the console of the keycloak proxy.
>> Refreshing the page simply returns a different error of "NO STATE
>> COOKIE".
>> 
>> Thanks in advance for any assistance,
>> 
>> kind regards
>> 
>> Guy
>> 
>> 
>> ERROR: failed to turn code into token
>> java.net.ConnectException: Connection refused
>>          at java.net.PlainSocketImpl.socketConnect(Native Method)
>>          at
>> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>          at
>> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>>          at
>> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>          at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>          at java.net.Socket.connect(Socket.java:589)
>>          at
>> sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>>          at
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
>>          at
>> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
>>          at
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>>          at
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>>          at
>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>          at
>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>          at
>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>>          at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>>          at
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>>          at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>          at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>>          at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>>          at
>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>>          at
>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>>          at
>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>>          at
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>>          at
>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>          at
>> org.keycloak.adapters.undertow.UndertowAuthenticationMechanism.authenticate(UndertowAuthenticationMechanism.java:56)
>>          at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>>          at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>>          at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>>          at
>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>>          at
>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>>          at
>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>>          at
>> org.keycloak.proxy.ProxyAuthenticationCallHandler.handleRequest(ProxyAuthenticationCallHandler.java:44)
>>          at
>> org.keycloak.proxy.ConstraintMatcherHandler.handleRequest(ConstraintMatcherHandler.java:89)
>>          at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>          at
>> org.keycloak.adapters.undertow.UndertowPreAuthActionsHandler.handleRequest(UndertowPreAuthActionsHandler.java:54)
>>          at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>          at
>> io.undertow.server.session.SessionAttachmentHandler.handleRequest(SessionAttachmentHandler.java:68)
>>          at
>> io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94)
>>          at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>          at
>> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:232)
>>          at
>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
>>          at
>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
>>          at
>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>          at
>> org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
>>          at
>> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>          at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>> 
>> May 24, 2016 11:04:30 AM
>> org.keycloak.adapters.OAuthRequestAuthenticator
>> checkStateCookie
>> WARN: No state cookie
>> 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user