[keycloak-user] Keycloak on Kubernetes - HTTPS required

Pavlov, Yordan yordan.pavlov at sap.com
Thu Jun 21 08:04:23 EDT 2018


Hi Sebastian and Vitalii,

Thank you very much for the replies!!!

I’ve managed to solve the issue by adding “PROXY_ADDRESS_FORWARDING=true” property, after that I was able to log into the Admin Console.
The next step in my scenario is to secure a web application running on a Tomcat server, where I have the Tomcat adapter and the application “keycloak.json”.

After configuring the keycloak client for my application, I’ve experienced several issues:

  *   Invalid redirect_uri
     *   I had to set “confidential-port” property to be “443” in the keycloak.json of my application
     *   Also, for the client configuration in Keycloak, I had to add the http version of my application URI in the “Valid Redirect URIs”
  *   After successful authentication into my application, I got 403
     *   This was really strange as the user had all required roles; it turned out to be the “ssl-required” property (it is now set to “none”)

Finally, everything works great, but I’m not sure if this configuration isn’t compromised somehow:

  *   Keycloak client configuration
     *   Valid Redirect URIs
        *   https://<application-url>
        *   http://<application-url>
  *   Application keycloak.json
{
  "realm": "master",
  "auth-server-url": "https://<auth-server-url>",
  "ssl-required": "none",
  "resource": "<client-id>",
  "public-client": true,
  "principal-attribute": "preferred_username",
  "confidential-port": "443",
  "use-resource-role-mappings": true
}

@Vitalii, Sebastian, what do you think?

Regards,
Yordan
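
The ssl_required decision discussed in this thread, put into code as an added example (it is not Keycloak's source and not code from any poster): the realm's ssl-required mode (all/external/none), how PROXY_ADDRESS_FORWARDING changes which scheme and client address Keycloak sees behind a TLS-terminating Ingress, and a check of the posted keycloak.json next to a hardened variant. The private-address ranges and the use of X-Forwarded-For are assumptions modelled on Keycloak's documentation of the "external" mode; the request headers and the browser address are constructed, the pod IP is the one from the LOGIN_ERROR event above.

```python
"""Why "HTTPS required" fires behind a TLS-terminating Ingress, and what the
ssl-required modes change. Added example modelled on the behaviour described
in this thread; it is not Keycloak's own code."""
import ipaddress

# Assumption: ranges Keycloak's "external" mode treats as private/local
# (loopback plus the RFC 1918 blocks named in the Keycloak docs).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed request as it reaches the pod after the Ingress terminated TLS:
# the socket is plain HTTP, but the Ingress added the usual proxy headers.
INGRESS_POD_IP = "100.96.0.6"           # the ipAddress in the LOGIN_ERROR event
INGRESS_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.10",  # constructed browser address (TEST-NET-3)
}


def effective_scheme(socket_tls, headers, proxy_address_forwarding):
    """Scheme Keycloak believes the browser used.

    With PROXY_ADDRESS_FORWARDING unset the socket type decides, so traffic
    from a TLS-terminating Ingress always looks like plain http. With it set,
    the X-Forwarded-Proto header written by the Ingress is trusted instead.
    """
    if proxy_address_forwarding and headers.get("X-Forwarded-Proto"):
        return headers["X-Forwarded-Proto"].split(",")[0].strip().lower()
    return "https" if socket_tls else "http"


def effective_client_ip(peer_ip, headers, proxy_address_forwarding):
    """Client address used for the ssl-required=external decision."""
    if proxy_address_forwarding and headers.get("X-Forwarded-For"):
        return headers["X-Forwarded-For"].split(",")[0].strip()
    return peer_ip


def ssl_required_check(mode, scheme, client_ip):
    """Return "ok" or the event error string "ssl_required" for a realm mode."""
    if scheme == "https" or mode == "none":
        return "ok"
    if mode == "external":
        ip = ipaddress.ip_address(client_ip)
        return "ok" if any(ip in net for net in PRIVATE_NETS) else "ssl_required"
    return "ssl_required"           # mode == "all": https, no exceptions


def admin_console_login(mode, proxy_address_forwarding, headers=INGRESS_HEADERS):
    """Outcome of a login attempt routed through the TLS-terminating Ingress."""
    scheme = effective_scheme(False, headers, proxy_address_forwarding)
    client_ip = effective_client_ip(INGRESS_POD_IP, headers, proxy_address_forwarding)
    return ssl_required_check(mode, scheme, client_ip)


# The adapter configuration as posted, and a hardened variant that keeps the
# HTTPS requirement instead of disabling it.
POSTED_KEYCLOAK_JSON = {
    "realm": "master", "auth-server-url": "https://<auth-server-url>",
    "ssl-required": "none", "resource": "<client-id>", "public-client": True,
    "principal-attribute": "preferred_username", "confidential-port": "443",
    "use-resource-role-mappings": True,
}
POSTED_REDIRECT_URIS = ["https://<application-url>", "http://<application-url>"]

HARDENED_KEYCLOAK_JSON = {**POSTED_KEYCLOAK_JSON, "ssl-required": "external"}
HARDENED_REDIRECT_URIS = ["https://<application-url>"]


def audit_adapter_config(cfg, valid_redirect_uris):
    """Findings for a keycloak.json together with the client's Valid Redirect URIs."""
    findings = []
    if cfg.get("ssl-required", "external") == "none":
        findings.append("ssl-required=none: adapter no longer enforces HTTPS")
    for uri in valid_redirect_uris:
        if uri.startswith("http://"):
            findings.append(f"plaintext redirect URI registered: {uri}")
    return findings


if __name__ == "__main__":
    for mode in ("external", "none"):
        for fwd in (False, True):
            print(f"ssl-required={mode:8} PROXY_ADDRESS_FORWARDING={fwd!s:5} -> "
                  f"{admin_console_login(mode, fwd)}")
    print(audit_adapter_config(POSTED_KEYCLOAK_JSON, POSTED_REDIRECT_URIS))
```

Run with PROXY_ADDRESS_FORWARDING off, the "external" default fails exactly as in the log: the pod only sees plain HTTP from 100.96.0.6, which is outside the private ranges. With it on, the same request is judged https and the realm can keep requiring TLS. The adapter on Tomcat makes the same kind of decision from what its own request looks like, so the analogue there is to make Tomcat proxy-aware (its RemoteIpValve with protocolHeader set to X-Forwarded-Proto) rather than to set "ssl-required" to "none"; the audit above flags both that setting and the plaintext redirect URI, and returns nothing for the hardened variant.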

From: Виталий Ищенко <betalb at gmail.com>
Date: Thursday, 21 June 2018, 14:27
To: Sebastian Laskawiec <slaskawi at redhat.com>
Cc: "Pavlov, Yordan" <yordan.pavlov at sap.com>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak on Kubernetes - HTTPS required

There is one more option, if Ingress injects usual Proxy headers: X-Forwarded-Host && X-Forwarded-Proto, Keycloak docker container can be instructed to read them when determining connection type (http vs https), otherwise, it will detect https by socket type, which is plain, non-encrypted in your case because ssl traffic is terminated on Ingress.

To instruct Keycloak to read those headers -- start docker container with PROXY_ADDRESS_FORWARDING=true env variable set

On Thu, Jun 21, 2018 at 2:19 PM Sebastian Laskawiec <slaskawi at redhat.com> wrote:
I'm an expert on Ingress (I usually work with Routes on OCP) but it
probably depends on the Ingress configuration.

If I'm not mistaken, the default Ingress configuration terminates TLS and
sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
unencrypted HTTP request.

I think you have a couple of options for how to solve it:
- Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
traffic to the Pod, without termination). A similar configuration to this
one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be
the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn off the "Require SSL" option in the "Realm Settings". But please remember to
always use a properly configured ingress in front of Keycloak. Otherwise you
might compromise it!!!

Thanks,
Sebastian

On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov at sap.com> wrote:

> Hi all,
>
> I’m evaluating Keycloak as IAM for one open source project [1], so far,
> I’ve tested it successfully on a minikube (local) Kubernetes cluster and I
> want to run it on a real cluster.
>
> The real cluster (created by Gardener [2]) is running on AWS and the
> access to the Keycloak is exposed through an Ingress controller [3].
> We’ve also installed “cert-manager” for automated certificates management
> of Let’s Encrypt issued certificates.
>
> So far so good, but when I try to login to the “Admin Console” I get the
> following error:
> “We're sorry... HTTPS required”
>
> In the logs of the pod, there is the following warning:
> “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
> realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
> error=ssl_required”
>
> As far as I understand, the Let’s Encrypt certificate is trusted by the
> browsers and it appears to be trusted by OpenJDK also [4].
> Then what should be done in order to access the Admin Console?
>
> Last but not least, we are using jboss/keycloak:latest image (I know that
> we should be using some stable version like 4.0.0, but it appears that the
> issue is not related to the image version).
>
> Regards,
> Yordan Pavlov
>
> [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> [2] Gardener: https://github.com/gardener
> [3] Keycloak:
> https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user