[keycloak-user] HTTP status 400 from Tomcat after successful login

Timo Kockert timo.kockert at codecentric.de
Fri Dec 7 08:55:45 EST 2018


Hello everyone,

I have configured a web application that is running in Tomcat to
authenticate users with Keycloak. Everything is running fine if I
deploy the app to my local Tomcat, even when using the remote Keycloak
instance.

However, when I deploy the app to another Tomcat running behind an
Apache HTTP Server, the following happens:

* When I navigate to https://my-domain.tld/app I get redirected to the
Keycloak login
* After I log in successfully, Keycloak redirects me to
<IP>:<PORT>/app of the Tomcat
* The Tomcat answers with HTTP status 400

My keycloak.json looks like this:

{
  "realm": "cdb_test",
  "auth-server-url": "https://keycloak-server.tld/auth",
  "ssl-required": "external",
  "resource": "cdb_test",
  "public-client": true
}

The VHost is configured like this:

ProxyPass /app http://<IP>:<PORT>/app/
ProxyPassReverse /app http://<IP>:<PORT>/app/
ProxyPassReverseCookiePath / /app/

I turned on debug logging for the Keycloak Tomcat adapter, see attachment.

Any advice?

Thanks in advance
Timo
-------------- next part --------------
2018-12-07 13:49:30,542 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] adminRequest http://10.255.192.36:8380/cdb_test/
2018-12-07 13:49:30,549 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] there was no code
2018-12-07 13:49:30,549 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] redirecting to auth server
2018-12-07 13:49:30,550 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] callback uri: http://10.255.192.36:8380/cdb_test/
2018-12-07 13:49:30,558 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] Sending redirect to login page: https://keycloak-server.tld/auth/realms/cdb_test/protocol/openid-connect/auth?response_type=code&client_id=cdb_test&redirect_uri=http%3A%2F%2F10.255.192.36%3A8380%2Fcdb_test%2F&state=323a2382-95f7-4f38-817f-f16e5c665263&login=true&scope=openid
2018-12-07 13:49:40,764 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] adminRequest http://10.255.192.36:8380/cdb_test/?state=323a2382-95f7-4f38-817f-f16e5c665263&session_state=4ab2b9de-0873-4bda-b399-401408ff8765&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..iFkVW6NKojXqpqSdYH2CHg.nzoW--PKidBu1mim1o9U4XyZYIsEzwyjXmec-bUw69Hd-Qzu5lrx5tFnWJaZhuWhcK1ALjT3BUB-u_SgMIWenDKio3CISzWoiRT5p9lmcKicpue-YZzKmB6ochIMypR2F6JL6cdmnmwrN1h9ObvciyjJzXmGvl-yHDrnxe19Tdm5lRZvjUHAJrwVW3T4LVTqcK8JRNLu_AZgMh9updEdA1N8dwihPm6Xg67GLCutaeMe0dCBBhgktV-dLRf7xsvw.ZYlyaCIMhz4YSufSBLBW_w
2018-12-07 13:49:40,765 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] there was a code, resolving
2018-12-07 13:49:40,766 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] checking state cookie for after code
2018-12-07 13:49:40,766 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] No state cookie
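
Added example, not part of the original post or of Keycloak: a small check over adapter debug output like the attachment above, flagging callback and redirect_uri values whose origin differs from the public URL, plus the "No state cookie" warning that follows when the browser returns to a host other than the one it started on. The function names are hypothetical, and the sample log is constructed from the lines above with a shortened state value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the adapter debug log in the post (state shortened).
SAMPLE_LOG = """\
2018-12-07 13:49:30,550 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] callback uri: http://10.255.192.36:8380/cdb_test/
2018-12-07 13:49:30,558 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] Sending redirect to login page: https://keycloak-server.tld/auth/realms/cdb_test/protocol/openid-connect/auth?response_type=code&client_id=cdb_test&redirect_uri=http%3A%2F%2F10.255.192.36%3A8380%2Fcdb_test%2F&state=323a2382&login=true&scope=openid
2018-12-07 13:49:40,766 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] No state cookie
"""

LOGIN_RE = re.compile(r"Sending redirect to login page: (\S+)")
CALLBACK_RE = re.compile(r"callback uri: (\S+)")


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def diagnose(log_text, public_url):
    """Return (line_no, finding, uri) tuples for origin mismatches and lost state cookies."""
    want = origin(public_url)
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CALLBACK_RE.search(line)
        if m and origin(m.group(1)) != want:
            findings.append((n, "callback-origin-mismatch", m.group(1)))
        m = LOGIN_RE.search(line)
        if m:
            # parse_qs percent-decodes the redirect_uri query parameter
            query = parse_qs(urlsplit(m.group(1)).query)
            for uri in query.get("redirect_uri", []):
                if origin(uri) != want:
                    findings.append((n, "redirect_uri-origin-mismatch", uri))
        if "No state cookie" in line:
            findings.append((n, "state-cookie-missing", ""))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "https://my-domain.tld/app"):
        print(finding)
```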

