[keycloak-user] Keycloak gatekeeper issue

Bruno Oliveira bruno at abstractj.org
Fri Mar 8 05:34:06 EST 2019


Yeah, but we need to think about all the possibilities. Another thing I
noticed in your configuration is the fact that your listen address
diverges from your redirect URL.

I'd suggest isolating the problem by first trying your setup locally
to see if it works, and later moving to VMs.

Like Sebi, at first glance I'd suspect the time sync of these VMs.
But you already mentioned that's not the case.

Could you please describe your scenario in more detail? What is running in each
VM, for example? How did you configure your confidential client?


On 2019-03-08, Ronald Demneri wrote:
> Hello Bruno,
> 
> From my first email:
> > I have configured the gatekeeper as a confidential client in Keycloak, 
> > and have added the redirect_uri http://gatekeeper:80/oauth/callback
> 
> Which of course I got from the documentation here https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration
> 
> Thanks in advance,
> Ronald
> 
> 
> -----Original Message-----
> From: Bruno Oliveira <bruno at abstractj.org> 
> Sent: 08.Mar.2019 12:52 AM
> To: Ronald Demneri <ronald.demneri at amdtia.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak gatekeeper issue
> 
> Hi Ronald, one of the possible reasons for getting this message is the way you configured the redirect URL on the Keycloak server.
> 
> Maybe that's the case?
> 
> On 2019-02-15, Ronald Demneri wrote:
> > Hi all,
> > 
> > I am trying to get an idea of Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
> > 
> > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"
> > 
> > The config file is as follows:
> > 
> > discovery-url: https://keycloak/auth/realms/master
> > client-id: gatekeeper
> > client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> > listen: 10.253.6.41:80
> > enable-refresh-tokens: true
> > enable-logging: true
> > enable-json-logging: true
> > enable-login-handler: true
> > enable-token-header: true
> > enable-metrics: true
> > enable-default-deny: false
> > redirection-url: http://gatekeeper:80
> > # redirection-url: http://10.253.6.41:3000
> > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> > secure-cookie: false
> > upstream-url: http://127.0.0.1:80
> > resources:
> > - uri: /user/test.php
> > - uri: /admin/*.php
> >   roles:
> >   - admin
> > 
> > In the logs I receive the following upon a successful login:
> > 
> > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
> > {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
> > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
> > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
> > {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
> > {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
> > 
> > And of course, I am not redirected back to the requested URL.
> > 
> > I have configured the gatekeeper as a confidential client in Keycloak, 
> > and have added the redirect_uri http://gatekeeper:80/oauth/callback
> > 
> > Any hints?
> > 
> > Thanks in advance,
> > Ronald
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> -- 
> 
> abstractj

-- 

abstractj
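Editor's note, added to this archived thread and not part of anyone's message above: the log shows the callback handler rejecting a freshly issued token as expired about 17 seconds after the authorization redirect, which is the symptom of the clock skew Sebi and Bruno suspect. The Go program below is an added diagnostic, not keycloak-gatekeeper or Keycloak code. It decodes a token's iat/exp without verifying the signature (acceptable for a clock check only, never for an authorization decision) and, assuming the token reached the gatekeeper moments after it was minted, treats receivedAt minus iat as the offset between the two hosts' clocks. The tokens, the timestamps and the 10-second tolerance are constructed for the example; the receive time is modelled on the ts field of the /oauth/callback log line.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carries only the timing claims the diagnostic needs.
type Claims struct {
	Iat int64 `json:"iat"`
	Exp int64 `json:"exp"`
}

// mintUnsignedToken builds a constructed, unsigned (alg=none) compact JWT with the
// given iat/exp so the check can run offline. It only feeds the diagnostic and is
// not how Keycloak issues tokens.
func mintUnsignedToken(iat, exp int64) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(Claims{Iat: iat, Exp: exp})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

// decodeClaims reads iat/exp out of a compact JWT WITHOUT checking the signature.
// Fine for a clock diagnostic; never acceptable for an authorization decision.
func decodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	if c.Iat == 0 || c.Exp == 0 {
		return c, errors.New("token has no iat/exp claims")
	}
	return c, nil
}

// SkewReport summarises what the receiving host's clock says about a token
// that the issuer has just handed over.
type SkewReport struct {
	Lifetime         time.Duration // exp - iat, as the issuer minted it
	Offset           time.Duration // receivedAt - iat: receiver clock minus issuer clock for a fresh token
	ExpiredOnArrival bool          // receivedAt is already past exp
	IssuerAhead      bool          // iat lies in the receiver's future beyond the tolerance
	Verdict          string
}

// estimateSkew assumes the token was minted moments before receivedAt, which holds
// for the code-exchange response handled at /oauth/callback. Up to network latency,
// receivedAt - iat is then the difference between the two hosts' clocks.
func estimateSkew(c Claims, receivedAt time.Time, tolerance time.Duration) SkewReport {
	iat := time.Unix(c.Iat, 0)
	exp := time.Unix(c.Exp, 0)
	r := SkewReport{
		Lifetime: exp.Sub(iat),
		Offset:   receivedAt.Sub(iat),
	}
	r.ExpiredOnArrival = receivedAt.After(exp)
	r.IssuerAhead = r.Offset < -tolerance
	switch {
	case r.ExpiredOnArrival:
		r.Verdict = fmt.Sprintf("expired on arrival: receiver clock is ~%s ahead of issuer (token lifetime %s); check NTP on both VMs", r.Offset, r.Lifetime)
	case r.IssuerAhead:
		r.Verdict = fmt.Sprintf("issued in the future: issuer clock is ~%s ahead of receiver; iat/nbf checks will fail", -r.Offset)
	case r.Offset > tolerance:
		r.Verdict = fmt.Sprintf("valid, but clocks differ by ~%s (over the %s tolerance); tokens will expire early", r.Offset, tolerance)
	default:
		r.Verdict = "clocks agree within tolerance"
	}
	return r
}

func main() {
	// Constructed scenario modelled on the thread: callback handled at ts 1550234127
	// on the gatekeeper host; the two tokens differ only in what the issuer's clock read.
	received := time.Unix(1550234127, 0)
	for _, tok := range []string{
		mintUnsignedToken(1550234100, 1550234160), // issuer clock ~27 s behind: still valid
		mintUnsignedToken(1550234000, 1550234060), // issuer clock ~127 s behind: expired on arrival
	} {
		c, err := decodeClaims(tok)
		if err != nil {
			fmt.Println("bad token:", err)
			continue
		}
		fmt.Println(estimateSkew(c, received, 10*time.Second).Verdict)
	}
}
```

To use it against a real setup, paste the access token from the gatekeeper's token header (enable-token-header is on in the configuration above) together with the ts of the callback log line; an offset larger than the token lifetime explains a 403 on /oauth/callback without any misconfiguration of the client, while an offset near zero points back at the redirect URL and listen address Bruno asks about.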

