[keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
cen
imbacen at gmail.com
Wed May 31 06:03:44 EDT 2017
I think you are on to something.
I added a ForwardedRequestCustomizer to jetty config and now
HttpServletRequest correctly recognises the scheme as https.
2017-05-31 11:55:20 DEBUG PreAuthActionsHandler:78 - adminRequest
https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
2017-05-31 11:55:20 DEBUG RequestAuthenticator:238 - User
'4004dee5-6df2-4a26-89d5-6d68c1715737' invoking
'https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5'
on client 'my-api'
2017-05-31 11:55:20 DEBUG RequestAuthenticator:76 - Bearer AUTHENTICATED
2017-05-31 11:55:20 DEBUG AuthenticatedActionsHandler:53 -
AuthenticatedActionsValve.invoke
https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
Still need to test on the main server but I think this should solve it.
This leaves the adapter returning HTTP 200, which is probably a bug.
Thanks for the tip,
cen
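Constructed example of the Jetty-side fix described above (added here; not code from the thread, from Keycloak or from Jetty's own docs): an embedded Jetty 9.x server whose HttpConfiguration carries a ForwardedRequestCustomizer, plus a small handler that reports what the servlet API now sees. The port, the handler and the response text are assumptions; the customizer and HttpConfiguration.addCustomizer are real Jetty 9 API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class ProxiedJettyExample {

    // Builds a plain-HTTP connector that trusts the reverse proxy's
    // X-Forwarded-Proto / X-Forwarded-For / X-Forwarded-Host headers.
    // After this, request.getScheme(), isSecure() and getRequestURL()
    // reflect the client-facing https URL, which is what the Keycloak
    // adapter's "ssl-required: external" check looks at.
    public static Server build(int port) {
        Server server = new Server();
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());
        ServerConnector connector =
            new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(port);               // assumed: proxied port, reachable only from nginx
        server.addConnector(connector);
        server.setHandler(new SchemeReportHandler());
        return server;
    }

    // Diagnostic handler (assumption, not part of any real deployment): echoes what
    // the servlet API believes about the request so the fix can be verified quickly.
    static class SchemeReportHandler extends AbstractHandler {
        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                           HttpServletResponse response) throws IOException, ServletException {
            response.setContentType("text/plain");
            response.getWriter().printf("scheme=%s secure=%s url=%s%n",
                request.getScheme(), request.isSecure(), request.getRequestURL());
            baseRequest.setHandled(true);
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080);           // assumed port, matches the log lines above
        server.start();
        server.join();
    }
}
```

Because ForwardedRequestCustomizer believes the forwarded headers from whoever connects, the connector should be reachable only from the proxy, and nginx must set them (e.g. `proxy_set_header X-Forwarded-Proto $scheme;`), otherwise a direct client could claim a secure scheme it does not have.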
On 31. 05. 2017 at 08:28, Stian Thorgersen wrote:
> The problem is probably down to
> HttpServletRequest.html#getRequestURL() not returning the correct URL
> for the application itself. It looks like you've configured this
> correctly on the Keycloak server side, but you also need to configure
> Jetty (I presume?) to do the same when it's behind a reverse proxy.
> I've got no idea how you'd do that in Jetty, but I'm sure Google will
> reveal the answer to you.
>
> On 30 May 2017 at 17:37, cen <imbacen at gmail.com> wrote:
>
> Hello
>
>
> I just managed to replicate this:
> http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
>
> The unfortunate soul did not get a single reply in 2015, hopefully I
> have better luck. I will try to provide as much info as requested
> just to
> get to the bottom of this.
>
>
> Setup:
>
> - KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS,
> startup
> config cli:
>
> embed-server --std-out=echo
> batch
> /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
> /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
> /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
> run-batch
> stop-embedded-server
>
> - KC adapter jetty 9.3
>
> - keycloak.json configured via env vars
>
> - kc and api running in separate docker containers on same server
>
> {
> "realm": "${env.KC_REALM}",
> "auth-server-url": "${env.KC_BASE_URL}",
> "ssl-required": "${env.KC_SSL_REQUIRED}",
> "resource": "${env.KC_RESOURCE}",
> "public-client": true
> }
>
> Docker ENV for my API service:
>
> KC_BASE_URL=https://mykeycloak.domain/auth
> KC_RESOURCE=myapp-api
> KC_REALM=myrealm
> KC_SSL_REQUIRED=external
>
> When I call a protected API this is logged by adapter:
>
> api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 -
> adminRequest
> http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
> api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
> required to authenticate. Remote address <server ip> is secure: false,
> SSL required for: EXTERNAL .
>
>
> Why does it try to connect via IP and not over https? I clearly
> specified KC_BASE_URL as HTTPS. And why is REST call logged as
> http even
> though I call it via https? I also parsed the access token and issuer is
> from https, no trace of any IPs or http anywhere.
>
> And now the worst thing: when this WARN happens, adapter returns blank
> 200! You'd expect at least internal server error or something
> along the
> lines. I lost 9 hours today blaming everything from nginx to my REST
> API just to finally come down to this.
>
>
> Setting SSL config to none in admin panel and in adapter env makes the
> whole thing work. But this is clearly not the solution.
>
>
> Hopefully some expert can shed some light on this.
>
>
> Best regards, cen
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user