<div dir="ltr">Good day,<div><br></div><div>I'm working with Keycloak 1.7.0.Final (in it's own Wildfly) behind a HAProxy instance. A REST service is deployed (as .war) on another server (also behind HAProxy) in a JBoss EAP instance, protected using the Keycloak adapter.</div><div><br></div><div>The deployment is protected as follows in standalone.xml of the JBoss instance:</div><div><br></div><div><div> <secure-deployment name="mytest.war"></div><div> <realm>MyRealm</realm></div><div> <resource>my-resource</resource></div><div> <use-resource-role-mappings>true</use-resource-role-mappings></div><div> <enable-basic-auth>true</enable-basic-auth></div><div> <public-client>true</public-client></div><div> <realm-public-key>MIIB...QAB</realm-public-key></div><div> <auth-server-url>/auth</auth-server-url></div><div> <auth-server-url-for-backend-requests><a href="http://proxy:8080/auth">http://proxy:8080/auth</a></auth-server-url-for-backend-requests></div><div> <ssl-required>NONE</ssl-required></div><div> <principal-attribute>preferred_username</principal-attribute></div><div> </secure-deployment></div></div><div><br></div><div>Here is relevant section of mytest.war's web.xml:</div><div><br></div><div><div> <security-constraint></div><div> <web-resource-collection></div><div> <web-resource-name>All Admin</web-resource-name></div><div> <url-pattern>/*</url-pattern></div><div> </web-resource-collection></div><div> <auth-constraint></div><div> <role-name>my-admins</role-name></div><div> </auth-constraint></div><div> <user-data-constraint></div><div> <transport-guarantee>NONE</transport-guarantee></div><div> </user-data-constraint></div><div> </security-constraint></div><div><br></div><div> <login-config></div><div> <auth-method>KEYCLOAK</auth-method></div><div> <realm-name>this is ignored currently</realm-name></div><div> </login-config></div><div> <security-role></div><div> <description>Admin access for admins.</description></div><div> <role-name>my-admins</role-name></div><div> </security-role></div></div><div><br></div><div>Due to the use of the old JBoss EAP 6.1 server, I've had to add the following to mytest.war's jboss-web.xml to support proxying, with proxy headers added by HAProxy:</div><div><br></div><div><div><?xml version="1.0" encoding="UTF-8"?></div><div><jboss-web></div><div> <security-domain>keycloak-web</security-domain></div><div> <context-root>mytest</context-root></div><div> <valve></div><div> <class-name>org.apache.catalina.valves.RemoteIpValve</class-name></div><div> <param></div><div> <param-name>protocolHeader</param-name></div><div> <param-value>x-forwarded-proto</param-value></div><div> </param></div><div> </valve></div><div></jboss-web></div></div><div><br></div><div><div>The hostname "proxy" is resolvable within the cluster behind HAProxy and will result in direct access to the Keycloak instance. From outside the cluster, all the services are mapped to the same HTTP namespace by HAProxy. So an external request to http://[external_haproxy]/auth will be proxied to Keycloak in the cluster. The 'my-resource' Keycloak client has direct access grants enabled and is set to Public access.</div></div><div><br></div><div>In testing, where the entire cluster is launched in Vagrant running on Windows, if I access <a href="http://localhost/mytest/api/.">http://localhost/mytest/api/.</a>.. in a browser, I am shown the Keycloak login and get the REST service result as expected. This tells me that the majority of my configuration above is good.</div><div><br></div><div>However, if I use a client like curl or JMeter to send a similar HTTP request with the Basic authentication header added:</div><div><table>
<tbody><tr>
<td> Authorization:</td>
<td>Basic YWRtaW46YWRtaW4=</td>
</tr>
</tbody></table></div><div><br></div><div>Then the following is observed in the JBoss log from Keycloak adapter:</div><div><br></div><div><div> 2016-01-04 20:03:49,295 DEBUG [org.keycloak.adapters.BasicAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Failed to obtain token: java.net.ConnectException: Connection refused</div></div><div><br></div><div>Upon debugging through the Keycloak adapter code to watch the basic authentication process, I found myself in BasicAuthRequestAuthenticator,getToken() where I find that <b>deployment.getAuthServerBaseUrl()</b> == "<a href="http://localhost/auth">http://localhost/auth</a>" which is not valid on the JBoss EAP system. This tells me that the external hostname (Vagrant host) is being used to build the URI for contacting the internal Keycloak host. In particular, the provided value for <auth-server-url-for-backend-requests> is not being used. Since this Basic Auth code uses this URI to issue a "backend" request, I would have expected the <auth-server-url-for-backend-requests> value to be used.</div><div><br></div><div>So my question is whether I am missing a basic authentication specific configuration step or whether I've encountered a defect in URI handling for basic auth + backend requests. Interestingly, in the attached Eclipse screenshot, the deployment object is aware of the <a href="http://proxy:8080">http://proxy:8080</a> URI backend but it is not being used for authServerBaseUrl.</div><div><br></div><div>Note, the scope of this problem is more than my Vagrant/localhost example. I expect the same problem to manifest in our AWS test environment where external hostnames don't resolve for cluster members identified by internal hostnames only. I'm hoping to find a solution before this hits our test environment.</div><div><br></div><div>Thanks in advance,</div><div>Guy</div><div><br></div></div>