[keycloak-user] redirection error with Keycloak-proxy

Stian Thorgersen sthorger at redhat.com
Wed May 25 02:28:29 EDT 2016


For Keycloak server to work behind a reverse proxy you need to make sure
the X-Forwarded-For and Host headers are included. There's also some config
you need to do in Keycloak itself. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding

On 24 May 2016 at 13:34, Guy Bowdler <guybowdler at dorsetnetworks.com> wrote:

> Typical, spent two days faffing on this and as soon as I ask the forum,
> I find it.   I repointed the kc proxy "auth-server-url" direct at
> keycloak and it works fine.  Point it at the nginx proxied version of
> keycloak and it dies.   It authenticates, and the user sessions show in
> the keycloak console, and SSO works, as I can go to another URL and that
> too shows a session but neither page renders when keycloak is behind
> nginx.
>
> anyone had a similar experience?
>
> On 2016-05-24 11:25, Guy Bowdler wrote:
> > It might be this, as we have the keycloak instance running behind
> > another nginx proxy:
> >
> > https://issues.jboss.org/browse/KEYCLOAK-2054
> >
> > If anyone can help confirm this it would be a massive help as the fix
> > isn't due out until June 22 and would save unnecessary troubleshooting
> >
> >
> >
> > On 2016-05-24 10:48, Guy Bowdler wrote:
> >> Hi:)
> >>
> >> Has anybody seen this error?
> >>
> >> I have (http://host.name/appname) --> [KeyCloakProxy:80 --> nginx:8080]
> >>   --> [Web apps on different boxes] where [] denotes on same box.
> >> Namespace is hostname/appname where nginx location directives proxy out
> >> again to different boxes.
> >>
> >> I've previously had this working but when I changed the keystore it all
> >> broke and haven't found the problem yet.  Troubleshooting steps have
> >> been to take out the ssl entirely and try different client settings. If
> >> I remove the constraints in the proxy config, it proxies ok to the
> >> webpages, and if the constraints are in, I log in ok and then the
> >> browser goes blank with a URL like this in the address bar:
> >>
> >>
> >> http://apps.host.name/python?state=0%2F52043b01-976f-464f-8651-ebe295aac2af&code=-_odSdHkDVnID6JhPeKV2QXh_1oub5DDLP2ZLZ6pA_0.ef2bd934-2fd8-48da-a626-106712b687b1
> >>
> >> The error stack below is from the console of the keycloak proxy.
> >> Refreshing the page simply returns a different error of "NO STATE
> >> COOKIE".
> >>
> >> Thanks in advance for any assistance,
> >>
> >> kind regards
> >>
> >> Guy
> >>
> >>
> >> ERROR: failed to turn code into token
> >> java.net.ConnectException: Connection refused
> >>          at java.net.PlainSocketImpl.socketConnect(Native Method)
> >>          at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> >>          at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
> >>          at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> >>          at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> >>          at java.net.Socket.connect(Socket.java:589)
> >>          at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
> >>          at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
> >>          at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
> >>          at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
> >>          at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> >>          at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> >>          at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> >>          at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> >>          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> >>          at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
> >>          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> >>          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> >>          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> >>          at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
> >>          at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
> >>          at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
> >>          at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
> >>          at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> >>          at org.keycloak.adapters.undertow.UndertowAuthenticationMechanism.authenticate(UndertowAuthenticationMechanism.java:56)
> >>          at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
> >>          at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
> >>          at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
> >>          at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
> >>          at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
> >>          at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
> >>          at org.keycloak.proxy.ProxyAuthenticationCallHandler.handleRequest(ProxyAuthenticationCallHandler.java:44)
> >>          at org.keycloak.proxy.ConstraintMatcherHandler.handleRequest(ConstraintMatcherHandler.java:89)
> >>          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >>          at org.keycloak.adapters.undertow.UndertowPreAuthActionsHandler.handleRequest(UndertowPreAuthActionsHandler.java:54)
> >>          at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >>          at io.undertow.server.session.SessionAttachmentHandler.handleRequest(SessionAttachmentHandler.java:68)
> >>          at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94)
> >>          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> >>          at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:232)
> >>          at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
> >>          at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
> >>          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> >>          at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
> >>          at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> >>          at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
> >>
> >> May 24, 2016 11:04:30 AM org.keycloak.adapters.OAuthRequestAuthenticator checkStateCookie
> >> WARN: No state cookie
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
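
The two headers named in the reply, as they could be set in an nginx location in front of a Keycloak server. This is an added example, not configuration from the thread or from the Keycloak project; the server name, the /auth/ path and the upstream address are assumptions.

```nginx
# Constructed example: nginx as the only reverse proxy in front of Keycloak.
# sso.example.org, /auth/ and 127.0.0.1:8081 are placeholders.
server {
    listen 80;
    server_name sso.example.org;

    location /auth/ {
        # No URI part on proxy_pass, so the request path is passed unchanged.
        proxy_pass http://127.0.0.1:8081;

        # Forward the host name the browser used, so the URLs Keycloak
        # generates match the name that clients and adapters are configured with.
        proxy_set_header Host $host;

        # This proxy is the first hop: overwrite X-Forwarded-For with the
        # address nginx actually saw. $proxy_add_x_forwarded_for would append
        # to whatever the client sent, and a backend that trusts the header
        # would then record a client-chosen address.
        proxy_set_header X-Forwarded-For $remote_addr;

        # Not named in the reply; commonly sent alongside so the backend
        # knows which scheme the client used.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Keycloak acts on these headers only after the proxy address forwarding setting described at the linked documentation page is enabled. Once it is, the Keycloak listener should be reachable only through the proxy, since any direct client could otherwise supply its own header values.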