[keycloak-user] HTTP status 400 from Tomcat after successful login

Timo Kockert timo.kockert at codecentric.de
Mon Dec 10 06:35:46 EST 2018


Hello Luis,

thanks for your reply!

I was able to get a step further... I think.

I added "ProxyPreserveHost On" to the VHost configuration. Now
Keycloak redirects me to http://my-domain.tld/app (http without s)
after the login. Something (I haven't figured out whether it's the HTTP
Server or the Tomcat) redirects from HTTP to HTTPS after which the
Tomcat returns 403 and prints the following message to the log:

{"error":"invalid_grant","error_description":"Incorrect redirect_uri"}

I guess the problem is the redirect to HTTP instead of HTTPS? I tried adding

RequestHeader set X-Forwarded-Proto "https"

to the VHost configuration but that didn't help. Any further advice?

Btw, I didn't write the initial VHost configuration,
"ProxyPassReverseCookiePath" was there when I started working on it.
Probably from some template.

Thanks in advance
Timo


On Mon, 10 Dec 2018 at 09:42, Luis Rodríguez Fernández
<uo67113 at gmail.com> wrote:
>
> Hello Timo,
>
> Perhaps enable tomcat access logging [1] can help you to debug this issue.
> You can compare the request with mod_proxy with the one without.
>
> Out of curiosity: why do you need to set ProxyPassReverseCookiePath / /app/ ?
>
> Hope it helps,
>
> Luis
>
> [1]
> https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
>
> On Sun, 9 Dec 2018 at 10:22, Timo Kockert (<timo.kockert at codecentric.de>)
> wrote:
>
> > Hello everyone,
> >
> > I have configured a web application, that is running in Tomcat, to
> > authenticate users with Keycloak. Everything is running fine if I
> > deploy the app to my local Tomcat, even when using the remote Keycloak
> > instance.
> >
> > However, when I deploy the app to another Tomcat running behind an
> > Apache HTTP Server, the following happens:
> >
> > * When I navigate to https://my-domain.tld/app I get redirected to the
> > Keycloak login
> > * After I log in successfully, Keycloak redirects me to
> > <IP>:<PORT>/app of the Tomcat
> > * The Tomcat answers with HTTP status 400
> >
> > My keycloak.json looks like this:
> >
> > {
> >   "realm": "cdb_test",
> >   "auth-server-url": "https://keycloak-server.tld/auth",
> >   "ssl-required": "external",
> >   "resource": "cdb_test",
> >   "public-client": true
> > }
> >
> > The VHost is configured like this:
> >
> > ProxyPass /app http://<IP>:<PORT>/app/
> > ProxyPassReverse /app http://<IP>:<PORT>/app/
> > ProxyPassReverseCookiePath / /app/
> >
> > I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
> >
> > Any advice?
> >
> > Thanks in advance
> > Timo
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

Timo Kockert | Senior Software Engineer

codecentric AG | dock14 | Am Mittelhafen 14 | 48155 Münster | Deutschland
mobil: +49 151 1086 7040
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de |
www.more4fi.de

Registered office: Solingen | HRB 25917 | Wuppertal District Court
Executive Board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz

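The following is an added example, not configuration from this thread, from codecentric or from the Keycloak project. It shows the VHost fragment posted above rewritten so that the application behind the proxied Tomcat can reconstruct https://my-domain.tld/app as its own URL, which is what the redirect_uri sent to Keycloak is derived from. my-domain.tld, <IP>:<PORT>, the certificate paths and the proxy address 192.0.2.10 are placeholders; the Tomcat server.xml valve quoted in the trailing comment is Tomcat's standard RemoteIpValve, not something the thread mentions.

```apache
# Added example (not from the thread or from Keycloak). Placeholders:
# my-domain.tld, <IP>:<PORT>, the certificate paths, 192.0.2.10.
<VirtualHost *:443>
    ServerName my-domain.tld
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/my-domain.tld.pem
    SSLCertificateKeyFile /etc/ssl/private/my-domain.tld.key

    # Forward the browser's Host header unchanged. Without this the
    # backend sees "Host: <IP>:<PORT>" and any URL it builds for itself,
    # including redirect_uri, points at the Tomcat address.
    ProxyPreserveHost On

    # Tell the backend which scheme the client actually used. "set" (not
    # "append" or "setifempty") overwrites any X-Forwarded-Proto a client
    # supplied, so the value cannot be spoofed through this proxy.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Keep trailing slashes consistent on both sides of the mapping.
    # With "/app" -> ".../app/" a request for /app/x is forwarded as
    # /app//x. Send the bare /app to /app/ so both forms keep working.
    RedirectMatch permanent ^/app$ /app/
    ProxyPass        /app/ http://<IP>:<PORT>/app/
    ProxyPassReverse /app/ http://<IP>:<PORT>/app/

    # Only needed when the backend's context path differs from the
    # public path. Here both are /app, so cookie Paths already match and
    # rewriting "/" to "/app/" is left out.
    # ProxyPassReverseCookiePath / /app/
</VirtualHost>

# The proxy side alone is not enough: Tomcat ignores X-Forwarded-* by
# default, so the servlet request still reports scheme "http" and any
# redirect_uri derived from it keeps the http scheme. In Tomcat's
# server.xml, inside <Host>, add:
#
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          remoteIpHeader="X-Forwarded-For"
#          protocolHeader="X-Forwarded-Proto"
#          internalProxies="192\.0\.2\.10" />
#
# Restrict internalProxies to the proxy's own address and bind the Tomcat
# connector to an interface only the proxy can reach. Otherwise anyone who
# can reach <PORT> directly can set X-Forwarded-* themselves and have the
# application treat their plain-http request as if it came via the proxy.
```

Two checks go with this. First, the redirect_uri the application now derives (https://my-domain.tld/app/...) must be covered by the client's Valid Redirect URIs in the Keycloak realm, since "Incorrect redirect_uri" is Keycloak comparing the URI it received against that list. Second, following Luis's suggestion, adding `%{X-Forwarded-Proto}i` to the Tomcat AccessLogValve pattern shows whether the header actually arrives at Tomcat, which separates a proxy-side problem from a Tomcat-side one. An alternative to the valve, when the proxy always terminates TLS for this connector, is to set `scheme="https" secure="true" proxyName="my-domain.tld" proxyPort="443"` on the Tomcat <Connector>; that hard-codes the public origin instead of trusting headers.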
