[keycloak-user] Keycloak admin-panel. Infinite loop.

Stian Thorgersen sthorger at redhat.com
Fri Feb 3 08:54:02 EST 2017


If I remember correctly it was something to do with a duplicated header or
something. The guy figured it out on his own, so I really can't remember.
Sorry.

On 3 February 2017 at 10:04, <keijo.korte at kvak.net> wrote:

> Hi,
>
> Yes the problem is definitely on the proxy setup, but what is the
> problem?
> I am not so familiar with the jboss/wildfly (tomcat is usually my weapon
> of choice). So I am not sure what I am missing.
>
> And yes, if I create ssh tunnel to the KC server I can login and
> everything is working just like I expected.
>
> I tried the search before I posted the question, because I didn't find
> the answer.
>
> If the httpd and KC are on same server everything works. That was my
> previous setup, but now I want to dedicate one server just for reverse
> proxy role.
>
> -Keijo
>
> On 2017-02-03 10:32, Stian Thorgersen wrote:
> > Is everything working fine if you go directly to the Keycloak server?
> > Someone reported a similar issue a few weeks ago and it turned out to
> > be an issue in the proxy setup. I can't remember the details, but
> > maybe you can find it on http://www.keycloak.org/search.html
> >
> > On 2 February 2017 at 18:04, <keijo.korte at kvak.net> wrote:
> >
> >> Hi,
> >>
> >> Setup:
> >> OS: Centos 6.8
> >> Keycloak version, 2.5.1-FINAL
> >> httpd version 2.2.15
> >>
> >> I have configured httpd as a SSL off loading reverse proxy for
> >> Keycloak
> >> server. The proxy and the Keycloak are on different servers.
> >> Basically everything works fine, but I can't log in because I am
> >> been
> >> redirected back to the square one all the time.
> >>
> >> Here is the flow:
> >>
> >> GET https://idp.xxx.net/auth/admin/ [1]
> >>
> >> GET
> >>
> > https://idp.xxx.net/auth/realms/master/protocol/openid-
> connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%
> 2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=
> eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-
> ff26-4213-8907-d86febde7b92&response_mode=fragment&
> response_type=code&scope=openid
> >> [2]
> >>
> >> POST
> >>
> > https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=
> zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-
> 4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
> >> [3]
> >>
> >> GET
> >>
> > https://idp.xxx.net/auth/admin/master/console/#state=
> eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_
> UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
> >> [4]
> >>
> >> GET lots of resources: /config, login-status-iframe.html, /token,
> >> /messages.json and so on
> >>
> >> GET
> >>
> > https://idp.xxx.net/auth/realms/master/protocol/openid-
> connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%
> 2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%
> 3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-
> b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&
> response_mode=fragment&response_type=code&scope=openid
> >> [5]
> >>
> >> and the same thing from the start. Forever.
> >>
> >> httpd configuration for SSL:
> >>
> >> *****
> >> <VirtualHost *:443>
> >> ServerName idp.xxx.net [6]
> >> ServerAdmin webmaster at xxx.net
> >> DocumentRoot /var/www/html/
> >> <Directory />
> >> Order deny,allow
> >> Allow from all
> >> Options FollowSymLinks
> >> AllowOverride None
> >> </Directory>
> >> <Proxy *>
> >> Order deny,allow
> >> Allow from all
> >> </Proxy>
> >> ProxyRequests Off
> >> RequestHeader set X-Forwarded-Proto "https"
> >> RequestHeader set X-Forwarded-Port "443"
> >> ProxyPreserveHost on
> >> ProxyPass / http://172.16.22.12:8080/ keepalive=On
> >> ProxyPassReverse / http://172.16.22.12:8080/
> >> + lots of cipher suite setting and so on.
> >> *****
> >>
> >> WildFly configuration:
> >>
> >> *****
> >> <server name="default-server">
> >> <http-listener name="default"
> >> proxy-address-forwarding="true" socket-binding="http"
> >> redirect-socket="proxy-https"/>
> >> <host name="default-host" alias="localhost
> >> idp.xxx.net [6]">
> >> <location name="/" handler="welcome-content"/>
> >> <filter-ref name="server-header"/>
> >> <filter-ref name="x-powered-by-header"/>
> >> </host>
> >> </server>
> >>
> >> ....
> >>
> >> <socket-binding-group name="standard-sockets"
> >> default-interface="any"
> >> port-offset="${jboss.socket.binding.port-offset:0}">
> >> <socket-binding name="management-http"
> >> interface="management"
> >> port="${jboss.management.http.port:9990}"/>
> >> <socket-binding name="management-https"
> >> interface="management"
> >> port="${jboss.management.https.port:9993}"/>
> >> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
> >> <socket-binding name="http"
> >> port="${jboss.http.port:8080}"/>
> >> <socket-binding name="proxy-https" port="443"/>
> >> <socket-binding name="https"
> >> port="${jboss.https.port:8443}"/>
> >> <socket-binding name="txn-recovery-environment"
> >> port="4712"/>
> >> <socket-binding name="txn-status-manager" port="4713"/>
> >> <outbound-socket-binding name="mail-smtp">
> >> <remote-destination host="localhost" port="25"/>
> >> </outbound-socket-binding>
> >> </socket-binding-group>
> >>
> >> *****
> >>
> >> Does someone has some kind of clue why I am been redirected?
> >> First I think that this was some kind of http/https redirect
> >> problem,
> >> but when I enabled requestdumper @ wildfly I can see that everything
> >> is
> >> HTTPS.
> >>
> >> *****
> >>
> >> ----------------------------REQUEST---------------------------
> >> URI=/
> >> characterEncoding=null
> >> contentLength=-1
> >> contentType=null
> >>
> >>
> > header=Accept=text/html,application/xhtml+xml,
> application/xml;q=0.9,*/*;q=0.8
> >> header=Accept-Language=en-US,en;q=0.5
> >> header=Accept-Encoding=gzip, deflate, br
> >> header=X-Forwarded-Server=idp.xxx.net [6]
> >> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS
> >> X
> >> 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
> >> header=Connection=Keep-Alive
> >> header=X-Forwarded-Proto=https
> >> header=X-Forwarded-Port=443
> >> header=X-Forwarded-For=88.12.13.14
> >> header=Upgrade-Insecure-Requests=1
> >> header=Host=idp.xxx.net [6]
> >> header=X-Forwarded-Host=idp.xxx.net [6]
> >> locale=[en_US, en]
> >> method=GET
> >> protocol=HTTP/1.1
> >> queryString=
> >> remoteAddr=88.12.13.14:0 [7]
> >> remoteHost=88.12.13.14
> >> scheme=https
> >> host=idp.xxx.net [6]
> >> serverPort=443
> >> *****
> >>
> >> -Keijo
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user [8]
> >
> >
> >
> > Links:
> > ------
> > [1] https://idp.xxx.net/auth/admin/
> > [2]
> > https://idp.xxx.net/auth/realms/master/protocol/openid-
> connect/auth?client_id=security-admin-console&amp;
> redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%
> 2Fmaster%2Fconsole%2F&amp;state=eeb29809-a4aa-458b-8530-
> 645729ce42e5&amp;nonce=fe92d57a-ff26-4213-8907-d86febde7b92&amp;response_
> mode=fragment&amp;response_type=code&amp;scope=openid
> > [3]
> > https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=
> zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-
> 4dff-8f64-ac9bf461f946&amp;execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
> > [4]
> > https://idp.xxx.net/auth/admin/master/console/#state=
> eeb29809-a4aa-458b-8530-645729ce42e5&amp;code=6dHrd5I_USezn0sz4gIS_
> UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
> > [5]
> > https://idp.xxx.net/auth/realms/master/protocol/openid-
> connect/auth?client_id=security-admin-console&amp;
> redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%
> 2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&
> amp;state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&amp;nonce=
> 4284a896-6694-4af8-9c91-71e4050455a2&amp;response_
> mode=fragment&amp;response_type=code&amp;scope=openid
> > [6] http://idp.xxx.net
> > [7] http://88.12.13.14:0
> > [8] https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list