[keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak

Aritz Maeztu amaeztu at tesicnor.com
Tue May 31 16:00:04 EDT 2016


Hello Scott,

I've got the Spring Security and Tomcat Keycloak adapters both as 
project dependencies for each service (as I'm running the services in 
Tomcat 8 embedded servers). Basically I want to base my security on 
Spring Security; that's why I chose this adapter over the Spring Boot 
adapter.

As the behaviour shows, a redirection is made first to the /sso/login 
endpoint, then another one to the Keycloak authorization server. The 
question is, as a redirection is a mere instruction sent from the 
server to the browser, what chances do I have to send the original 
x-forwarded headers to the Keycloak authorization server, so that it can 
make the redirection to the URL requested at the very beginning (to the 
reverse proxy)?

I could implement a playground scenario for you if you happen to require it.

Many thanks


On 31/05/2016 at 20:14, Scott Rossillo wrote:
> Hi Aritz,
>
> So just to be clear, which Keycloak adapter are you using? The Spring 
> Boot Adapter or the Spring Security Adapter?
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On May 31, 2016, at 3:13 AM, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>
>> I've got some Spring Boot application instances with embedded Tomcat 
>> servlet containers. Tomcat has a similar system to Wildfly for 
>> request dumping; that's what I have enabled for getting the trace 
>> below. In short, that's the behaviour I'm able to see:
>>
>> 1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service (8083 
>> port) : A forward request where X-forwarded headers are included
>>
>> 2. Organization Service (localhost:8083) : Looks for a token and if 
>> it's not available, the keycloak adapter redirects to the /sso/login 
>> of the same service (Here the traceability from the proxy gets lost)
>>
>> 3. localhost:8083/sso/login: Redirects to the keycloak wildfly 
>> server, saving the requested url
>>
>> 4. Keycloak login: The user performs the authentication and the 
>> redirectUri is localhost:8083/sso/login. Later on, the login endpoint 
>> redirects the user to the url requested in point 2, not the first one 
>> from the proxy.
>>
>> I only have this problem when my organization service needs to verify 
>> the token (or a token doesn't exist) using the keycloak adapter. When 
>> the /sso/login endpoint is not requested, everything is working 
>> properly. Hope I've explained it well!
>>
>>
>> On 31/05/2016 at 7:15, Stian Thorgersen wrote:
>>> Where is your app deployed? If it's on WildFly you can follow the 
>>> same steps used to configure reverse proxy for Keycloak Server to 
>>> configure WildFly. Check if getRequestURL returns the correct URL in 
>>> your app.
>>>
>>> On 30 May 2016 at 15:08, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>
>>>
>>>
>>>
>>>     -------- Forwarded message --------
>>>     Subject: 	Re: [keycloak-user] Redirection issue with proxy behind
>>>     keycloak
>>>     Date: 	Mon, 30 May 2016 13:28:21 +0200
>>>     From: 	Aritz Maeztu <amaeztu at tesicnor.com>
>>>     To: 	stian at redhat.com
>>>     CC: 	Niels Bertram <nielsbne at gmail.com>,
>>>     keycloak-user <keycloak-user at lists.jboss.org>, Scott
>>>     Rossillo <srossillo at smartling.com>
>>>
>>>
>>>
>>>     I've done all the traceability from the proxy server till the
>>>     login page is displayed:
>>>
>>>     First step, /organization/organizations is requested, so the
>>>     proxy server knows it has to be forwarded to the 8083 port (the
>>>     one for the organization service). That's the first request
>>>     received by my application's Tomcat:
>>>
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 START
>>>     TIME        =30-may-2016 13:01:18
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     requestURI=/organizations
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     authType=null
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     characterEncoding=UTF-8
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     contentLength=-1
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     contentType=null
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     contextPath=
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=accept-language=es-ES,es;q=0.8
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=x-forwarded-host=mies-057:8765
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=x-forwarded-prefix=/organization
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=upgrade-insecure-requests=1
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=accept-encoding=gzip
>>>     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
>>>     AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
>>>     Safari/537.36
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=netflix.nfhttpclient.version=1.0
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=x-netflix-httpclientname=organization
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=host=mies-057:8083
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=connection=Keep-Alive
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     locale=es_ES
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 method=GET
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     pathInfo=null
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     protocol=HTTP/1.1
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     queryString=null
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     remoteAddr=192.168.56.1
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     remoteHost=192.168.56.1
>>>     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     remoteUser=null
>>>     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     requestedSessionId=null
>>>     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 scheme=http
>>>     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     serverName=mies-057
>>>     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     serverPort=8083
>>>     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     servletPath=/organizations
>>>     2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     isSecure=false
>>>     2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     ------------------=--------------------------------------------
>>>
>>>     Here x-forwarded-host is mies-057:8765 (the proxy server) and
>>>     x-forwarded-prefix is /organization. So the original request is
>>>     kept in the headers. Well, now my service (8083) tries to check
>>>     for authorization via the /sso/login endpoint from the keycloak
>>>     spring security adapter:
>>>
>>>     2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
>>>     o.k.a.s.management.HttpSessionManager : Session created:
>>>     CDCA7AD4439DE94BD0B3B5803DAA0752
>>>     2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
>>>     k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login
>>>     URI /sso/login
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     ------------------=--------------------------------------------
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     authType=null
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     contentType=null
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=X-Content-Type-Options=nosniff
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=X-XSS-Protection=1; mode=block
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=Pragma=no-cache
>>>     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=Expires=0
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=X-Frame-Options=DENY
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752;
>>>     Path=/; HttpOnly
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     header=Location=http://mies-057:8083/sso/login
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     remoteUser=null
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 status=302
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 END
>>>     TIME          =30-may-2016 13:01:18
>>>     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
>>>     ===============================================================
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 START
>>>     TIME        =30-may-2016 13:01:18
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     requestURI=/sso/login
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     authType=null
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     characterEncoding=UTF-8
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     contentLength=-1
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     contentType=null
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     contextPath=
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
>>>     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=host=mies-057:8083
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=connection=keep-alive
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=upgrade-insecure-requests=1
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
>>>     AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
>>>     Safari/537.36
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=accept-encoding=gzip, deflate, sdch
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=accept-language=es-ES,es;q=0.8
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     locale=es_ES
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 method=GET
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     pathInfo=null
>>>     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     protocol=HTTP/1.1
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     queryString=null
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     remoteAddr=192.168.56.1
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     remoteHost=192.168.56.1
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     remoteUser=null
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     scheme=http
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     serverName=mies-057
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     serverPort=8083
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     servletPath=/sso/login
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     isSecure=false
>>>     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
>>>     o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
>>>     ------------------=--------------------------------------------
>>>     2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.PreAuthActionsHandler :
>>>     adminRequesthttp://mies-057:8083/sso/login
>>>     2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
>>>     f.KeycloakAuthenticationProcessingFilter : Request is to process
>>>     authentication
>>>     2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
>>>     f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak
>>>     authentication
>>>     2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.RequestAuthenticator : --> authenticate()
>>>     2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.RequestAuthenticator : try bearer
>>>     2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.RequestAuthenticator : try oauth
>>>     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>     o.k.a.s.token.SpringSecurityTokenStore : Checking if
>>>     org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator at d328c2d
>>>     is cached
>>>     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.OAuthRequestAuthenticator : there was no code
>>>     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.OAuthRequestAuthenticator : redirecting to auth server
>>>     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.OAuthRequestAuthenticator : callback
>>>     uri:http://mies-057:8083/sso/login
>>>     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>     f.KeycloakAuthenticationProcessingFilter : Auth outcome:
>>>     NOT_ATTEMPTED
>>>     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>     o.k.adapters.OAuthRequestAuthenticator : Sending redirect to
>>>     login
>>>     page:http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true
>>>
>>>     As it's shown in the logs, the X-forwarded logs are not kept by
>>>     the keycloak adapter (look at the lines below:
>>>     k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to
>>>     login URI /sso/login). So could it be the proxy server itself
>>>     being properly configured but the keycloak adapter losing the
>>>     original headers while performing the redirection?
>>>
>>>     I've also set up the request dumper in the undertow server as
>>>     Niels suggested, but obviously, X-forwarded headers are not
>>>     reaching the keycloak server.
>>>
>>>     Thanks for your time, again ;-)
>>>
>>>
>>>
>>>     On 25/05/2016 at 7:22, Stian Thorgersen wrote:
>>>>     You need the Host and X-Forwarded-For headers to be included
>>>>     and there's also some config to be done on the Keycloak server
>>>>     (see
>>>>     http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding)
>>>>
>>>>     On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>>
>>>>         Hi Niels and Scott. First of all, thank you very much for
>>>>         your help. I'm currently using Zuul (Spring Cloud) as the
>>>>         reverse proxy. All the services are registered in a
>>>>         discovery service called Eureka and then Zuul looks for the
>>>>         service id there and performs the redirection. I read
>>>>         about X-Forwarded headers, but I thought it might result in
>>>>         a security issue if not included, not that it could affect
>>>>         the redirection process.
>>>>
>>>>         As Scott says, I suppose the Host and the X-Real-Ip headers
>>>>         are the relevant ones here, so I guess I should instruct
>>>>         Zuul to send them when the service is addressed (however I
>>>>         wonder why they are not already being sent, as Zuul is a
>>>>         proxy service, all in all).
>>>>
>>>>         Here I include a preview of the first redirection made to
>>>>         the keycloak login page, which shows the request headers
>>>>         sent to the service /login endpoint (at port 8081 in
>>>>         localhost):
>>>>
>>>>         https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>>>>
>>>>         On 24/05/2016 at 2:08, Niels Bertram wrote:
>>>>>         Hi Aritz,
>>>>>
>>>>>         a great way to figure out what is sent from the reverse
>>>>>         proxy to your keycloak server is to use the undertow
>>>>>         request dumper.
>>>>>
>>>>>         From the jboss-cli just add the request dumper filter to
>>>>>         your undertow configuration like this:
>>>>>
>>>>>         $KC_HOME/bin/jboss-cli.sh -c
>>>>>
>>>>>         /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
>>>>>         module=io.undertow.core)
>>>>>
>>>>>         /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>>>>
>>>>>         /:reload
>>>>>
>>>>>         given your apache config looks something like this:
>>>>>
>>>>>         ProxyRequests Off
>>>>>         ProxyPreserveHost On
>>>>>         ProxyVia On
>>>>>
>>>>>         ProxyPass /auth ajp://127.0.0.1:8009/auth
>>>>>         ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>>>>>
>>>>>
>>>>>         you should see something like that (forwarded info is
>>>>>         somewhat rubbish in this example as I am running the hosts
>>>>>         on Virtualbox - but you can see this request was put
>>>>>         through 2 proxies from local pc 192.168.33.1 to haproxy on
>>>>>         192.168.33.80 and then apache reverse proxy on
>>>>>         192.168.33.81 ):
>>>>>
>>>>>         ==============================================================
>>>>>         23:47:20,563 INFO  [io.undertow.request.dump] (default
>>>>>         task-14)
>>>>>         ----------------------------REQUEST---------------------------
>>>>>          URI=/auth/welcome-content/favicon.ico
>>>>>          characterEncoding=null
>>>>>          contentLength=-1
>>>>>          contentType=null
>>>>>         header=Accept=*/*
>>>>>         header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>>>>>         header=Cache-Control=no-cache
>>>>>         header=Accept-Encoding=gzip, deflate, sdch
>>>>>         header=DNT=1
>>>>>         header=Pragma=no-cache
>>>>>         header=X-Original-To=192.168.33.80
>>>>>         header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
>>>>>         AppleWebKit/537.36 (KHTML, like Gecko)
>>>>>         Chrome/50.0.2661.102 Safari/537.36
>>>>>         header=Authorization=Basic
>>>>>         bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
>>>>>         header=X-Forwarded-Proto=https
>>>>>         header=X-Forwarded-Port=443
>>>>>         header=X-Forwarded-For=192.168.33.1
>>>>>         header=Referer=https://login.vagrant.dev/auth/
>>>>>         header=Host=login.vagrant.dev
>>>>>         locale=[en_US, en, de]
>>>>>         method=GET
>>>>>         protocol=HTTP/1.1
>>>>>          queryString=
>>>>>         remoteAddr=192.168.33.1:0
>>>>>         remoteHost=192.168.33.1
>>>>>         scheme=https
>>>>>         host=login.vagrant.dev
>>>>>         serverPort=443
>>>>>         --------------------------RESPONSE--------------------------
>>>>>          contentLength=627
>>>>>          contentType=application/octet-stream
>>>>>         header=Cache-Control=max-age=2592000
>>>>>         header=X-Powered-By=Undertow/1
>>>>>         header=Server=WildFly/10
>>>>>
>>>>>
>>>>>         Hope this helps diagnosing your issue. Niels
>>>>>
>>>>>         On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>>>
>>>>>             I'm using keycloak to secure some Spring based
>>>>>             services (with the keycloak spring security adapter).
>>>>>             The adapter creates a `/login` endpoint in each of the
>>>>>             services which redirects to the keycloak login page
>>>>>             and then redirects back to the service when
>>>>>             authentication is done. I also have a proxy service
>>>>>             which I want to publish on port 80 and which will take
>>>>>             care of routing all the requests to each service. The
>>>>>             proxy performs a plain FORWARD to the service, but the
>>>>>             problem comes when I secure the service with the
>>>>>             keycloak adapter.
>>>>>
>>>>>             When I make a request, the adapter redirects to its
>>>>>             login endpoint and then to the keycloak auth url. When
>>>>>             keycloak sends the redirection, the url shown in the
>>>>>             browser is the one from the service and not the one
>>>>>             from the proxy. Do I have some choice to tell the
>>>>>             adapter I want to redirect back to the first requested
>>>>>             url?
>>>>>
>>>>>
>>>>>             --
>>>>>             Aritz Maeztu Otaño
>>>>>             Software Development Department
>>>>>             <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>>>>>             <http://www.tesicnor.com/>
>>>>>
>>>>>             Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain
>>>>>             (Navarra)
>>>>>             Tel.: 948 21 40 40
>>>>>             Fax: 948 21 40 41
>>>>>
>>>>>             Before printing this e-mail, think carefully about whether
>>>>>             it is necessary: the environment is everyone's responsibility.
>>>>>
>>>>>
>>>>>             _______________________________________________
>>>>>             keycloak-user mailing list
>>>>>             keycloak-user at lists.jboss.org
>>>>>             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
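
Added example (not code from this thread, from Keycloak or from Spring): a small Python model of the URL reconstruction behind the callback URIs seen in the traces above. It parses a constructed excerpt of the RequestDumperFilter output quoted in the thread and rebuilds the absolute URL two ways: from the connection's own scheme/serverName/serverPort, which is what a servlet's getRequestURL() yields and why the adapter emits http://mies-057:8083/sso/login, and from X-Forwarded-Proto/Host/Prefix, which it honours only when remoteAddr lies inside a trusted proxy network. The trusted network 192.168.56.0/24 and all function names are assumptions made for the example; in a real deployment the equivalent is configured in the container (Tomcat's RemoteIpValve or RemoteIpFilter, for the headers it supports) or, on the Keycloak server side, through the proxy-address-forwarding setting Stian links, never by trusting the headers from every peer.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed excerpt of the first RequestDumperFilter block quoted in the
# thread: only the fields that feed URL reconstruction, log prefixes removed.
TRACE = """\
requestURI=/organizations
header=x-forwarded-host=mies-057:8765
header=x-forwarded-prefix=/organization
header=host=mies-057:8083
remoteAddr=192.168.56.1
scheme=http
serverName=mies-057
serverPort=8083
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """The servlet-level view of one request, as the dumper prints it."""
    uri: str
    scheme: str
    server_name: str
    server_port: int
    remote_addr: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_dump(text: str) -> Request:
    """Parse 'key=value' and 'header=name=value' lines from a request dump."""
    fields, headers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("header="):
            name, _, value = line[len("header="):].partition("=")
            headers[name.lower()] = value
        else:
            key, _, value = line.partition("=")
            fields[key] = value
    return Request(
        uri=fields["requestURI"],
        scheme=fields["scheme"],
        server_name=fields["serverName"],
        server_port=int(fields["serverPort"]),
        remote_addr=fields["remoteAddr"],
        headers=headers,
    )


def from_trusted_proxy(req: Request, trusted_proxies) -> bool:
    """True only if the TCP peer is inside one of the trusted proxy networks."""
    peer = ip_address(req.remote_addr)
    return any(peer in ip_network(net) for net in trusted_proxies)


def absolute_url(req: Request, path: str, trusted_proxies=()) -> str:
    """Build scheme://host[:port] + prefix + path for this request.

    With an empty trust list this mirrors what getRequestURL() gives a servlet:
    scheme, serverName and serverPort come from the local connection, so the
    proxy's public name and path prefix never appear. When the peer is a
    trusted proxy, X-Forwarded-Proto / -Host / -Prefix override those values.
    X-Forwarded-* from any other peer is ignored: whoever reaches the service
    port directly controls those headers.
    """
    scheme = req.scheme
    host = f"{req.server_name}:{req.server_port}"
    prefix = ""
    if from_trusted_proxy(req, trusted_proxies):
        scheme = req.headers.get("x-forwarded-proto", scheme)
        host = req.headers.get("x-forwarded-host", host)
        prefix = req.headers.get("x-forwarded-prefix", "")
    hostname, _, port = host.partition(":")
    if port.isdigit() and int(port) == DEFAULT_PORTS.get(scheme):
        host = hostname  # omit a default port, as browsers do
    return f"{scheme}://{host}{prefix}{path}"


if __name__ == "__main__":
    req = parse_dump(TRACE)
    # No forwarded-header support: the Location header the trace actually shows.
    print(absolute_url(req, "/sso/login"))
    # Honouring the headers because 192.168.56.1 is the proxy (constructed CIDR).
    print(absolute_url(req, "/sso/login", ("192.168.56.0/24",)))
```

The first line printed matches the Location header in the trace; the second is the URL the browser would need in order to land back on the proxy (mies-057:8765 with the /organization prefix). The trust check is the part worth keeping in mind when enabling forwarded-header support in a container: Host and X-Forwarded-* are supplied by whoever connects, so honouring them from an arbitrary peer lets that peer pick the host the adapter redirects to.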


