[keycloak-user] Keycloak admin-panel. Infinite loop.

keijo.korte at kvak.net
Thu Feb 2 12:04:31 EST 2017


Hi,

Setup:
OS: Centos 6.8
Keycloak version, 2.5.1-FINAL
httpd version 2.2.15

I have configured httpd as an SSL offloading reverse proxy for the Keycloak 
server. The proxy and the Keycloak are on different servers.
Basically everything works fine, but I can't log in because I am being 
redirected back to square one all the time.

Here is the flow:

GET https://idp.xxx.net/auth/admin/

GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid

POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6

GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946

GET lots of resources: /config, login-status-iframe.html, /token, 
/messages.json and so on

GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid

and the same thing from the start. Forever.

httpd configuration for SSL:

*****
<VirtualHost *:443>
    ServerName idp.xxx.net
    ServerAdmin webmaster at xxx.net
    DocumentRoot /var/www/html/
    <Directory />
        Order deny,allow
        Allow from all
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    ProxyPreserveHost on
    ProxyPass / http://172.16.22.12:8080/ keepalive=On
    ProxyPassReverse / http://172.16.22.12:8080/
    + lots of cipher suite settings and so on.
*****

WildFly configuration:

*****
            <server name="default-server">
                <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
                <host name="default-host" alias="localhost idp.xxx.net">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                </host>
            </server>

....

    <socket-binding-group name="standard-sockets" default-interface="any" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="proxy-https" port="443"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>

*****

Does someone have some kind of clue why I am being redirected?
First I thought that this was some kind of http/https redirect problem, 
but when I enabled the requestdumper in WildFly I could see that everything is 
HTTPS.

*****

----------------------------REQUEST---------------------------
                URI=/
  characterEncoding=null
      contentLength=-1
        contentType=null
             header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
             header=Accept-Language=en-US,en;q=0.5
             header=Accept-Encoding=gzip, deflate, br
             header=X-Forwarded-Server=idp.xxx.net
             header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
             header=Connection=Keep-Alive
             header=X-Forwarded-Proto=https
             header=X-Forwarded-Port=443
             header=X-Forwarded-For=88.12.13.14
             header=Upgrade-Insecure-Requests=1
             header=Host=idp.xxx.net
             header=X-Forwarded-Host=idp.xxx.net
             locale=[en_US, en]
             method=GET
           protocol=HTTP/1.1
        queryString=
         remoteAddr=88.12.13.14:0
         remoteHost=88.12.13.14
             scheme=https
               host=idp.xxx.net
         serverPort=443
*****

-Keijo
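The redirect chain in the post, replayed as an added Python example (not code from the post or from Keycloak): it fingerprints each authorization request by endpoint, client_id and the origin+path of redirect_uri (state and nonce are fresh per attempt, so they are ignored), reports the first repeat, and lists which other parameters changed between the two attempts. The URLs are the poster's redacted ones, embedded here as constructed sample data.

```python
"""Spot a loop in a captured OIDC login flow and show what changed per pass."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request sequence from the post above, in order.
FLOW = [
    "https://idp.xxx.net/auth/admin/",
    "https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid",
    "https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946",
    "https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid",
]

AUTH_PATH_SUFFIX = "/protocol/openid-connect/auth"
PER_ATTEMPT = {"state", "nonce", "code"}  # legitimately differ on every pass


def _params(url):
    """Decoded query parameters, minus the values that change on every attempt."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()
            if k not in PER_ATTEMPT}


def auth_fingerprint(url):
    """(endpoint, client_id, redirect_uri origin+path) for an authorization
    request, or None when the URL is not one. The redirect_uri query string is
    dropped so a rewritten redirect target still matches the earlier attempt."""
    u = urlsplit(url)
    if not u.path.endswith(AUTH_PATH_SUFFIX):
        return None
    q = _params(url)
    r = urlsplit(q.get("redirect_uri", ""))  # parse_qs already URL-decoded it
    return (f"{u.scheme}://{u.netloc}{u.path}", q.get("client_id"),
            f"{r.scheme}://{r.netloc}{r.path}")


def find_loop(flow):
    """Indexes (first, repeat) of the first revisited authorization request,
    or None if the login completed without returning to the endpoint."""
    seen = {}
    for i, url in enumerate(flow):
        fp = auth_fingerprint(url)
        if fp is None:
            continue
        if fp in seen:
            return (seen[fp], i)
        seen[fp] = i
    return None


def attempt_diff(first, repeat):
    """Parameters whose decoded value differs between two authorization
    requests (state/nonce excluded), as {name: (first_value, repeat_value)}."""
    a, b = _params(first), _params(repeat)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys()
            if a.get(k) != b.get(k)}
```

Run against the captured sequence, find_loop reports the second authorization request as a repeat of the first, and attempt_diff shows redirect_uri as the only parameter that changed between the two passes.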
