[keycloak-user] HTTP status 400 from Tomcat after successful login

Dmitry Telegin dt at acutus.pro
Mon Dec 10 17:42:57 EST 2018


Timo,

To secure a Tomcat webapp that is behind an SSL-terminating reverse proxy, you basically need a checklist of three items:
- make sure that your reverse proxy forwards all the necessary info to the backend, including hostname and protocol;
- in Tomcat, configure proxy (host and "https" scheme) on a connector level;
- reflect the changes in the client config in Keycloak (use https:// and your proxy URL).

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-07 at 14:55 +0100, Timo Kockert wrote:
> Hello everyone,
> 
> I have configured a web application, that is running in Tomcat, to
> authenticate users with Keycloak. Everything is running fine if I
> deploy the app to my local Tomcat, even when using the remote Keycloak
> instance.
> 
> However, when I deploy the app to another Tomcat running behind an
> Apache HTTP Server, the following happens:
> 
> * When I navigate to https://my-domain.tld/app I get redirected to the
>   Keycloak login
> * After I log in successfully, Keycloak redirects me to
>   <IP>:<PORT>/app of the Tomcat
> * The Tomcat answers with HTTP status 400
> 
> My keycloak.json looks like this:
> 
> {
>   "realm": "cdb_test",
>   "auth-server-url": "https://keycloak-server.tld/auth",
>   "ssl-required": "external",
>   "resource": "cdb_test",
>   "public-client": true
> }
> 
> The VHost is configured like this:
> 
> ProxyPass /app http://<IP>:<PORT>/app/
> ProxyPassReverse /app http://<IP>:<PORT>/app/
> ProxyPassReverseCookiePath / /app/
> 
> I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
> 
> Any advice?
> 
> Thanks in advance
> Timo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
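
The three checklist items from the reply above, written out as a configuration sketch. This is an added example, not configuration posted by anyone in the thread. The hostname my-domain.tld, the /app path and the client name cdb_test come from the question; connector port 8080, public port 443 and the redirect URI pattern are assumptions.

```xml
<!--
  1. Apache vhost (the SSL-terminating proxy): forward the original
     hostname and protocol to the backend, next to the existing
     ProxyPass lines. RequestHeader requires mod_headers.

       ProxyPreserveHost On
       RequestHeader set X-Forwarded-Proto "https"
-->

<!--
  2. Tomcat conf/server.xml: tell the connector which public host, port
     and scheme it sits behind. Tomcat then reports these values for the
     request URL instead of its own <IP>:<PORT>, and the Keycloak adapter
     builds its redirect_uri from that URL.
     port="8080" is an assumed value; use the port the ProxyPass lines
     point at.
-->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="my-domain.tld"
           proxyPort="443"
           scheme="https"
           secure="true" />

<!--
  3. Keycloak admin console, client "cdb_test": use https:// and the
     proxy URL in the client settings (assumed pattern):

       Valid Redirect URIs: https://my-domain.tld/app/*

  Check: after restarting Tomcat, the redirect_uri parameter in the
  Keycloak login URL should start with https://my-domain.tld/app and
  no longer contain the backend IP and port.
-->
```

With scheme="https" and secure="true" the connector reports every request as secure, so it should accept connections only from the proxy, for example by binding it with the connector's address attribute or by a firewall rule.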

