<div dir="ltr">Well in lieu of all the fancy NGINX configuration I found it was simply putting KEYCLOAK to accept NON-SSL connections internally because the connection from NGINX to KEYCLOAK itself is over HTTP. We were able to remove all the special headers instructions in NGINX.<div><br></div><div>Thanks for your help through it, sometimes walking away for lunch is the best idea ;-)</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 14, 2016 at 12:28 PM Christopher Wallace <<a href="mailto:cjwallac@gmail.com">cjwallac@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Again Marko, thanks for the information!<div><br></div><div>We did already configure our standalone server like this. What I did find is that we updated the .JS adapter script and enabled CORS (<a href="http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx" target="_blank">http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx</a>). Now we are getting to the TOKEN step in the life cycle:</div><div><br></div><div>Request URL: <a href="https://sso2.company.com/auth/realms/master/protocol/openid-connect/token" target="_blank">https://sso2.company.com/auth/realms/master/protocol/openid-connect/token</a><br>
Request Method: POST<br>
Status Code: 400 Bad Request<br>
Remote Address: 99.99.99.99:443<br>
<br>
Response Headers<br>
Connection: keep-alive<br>
Content-Type: application/json<br>
Date: Thu, 14 Jan 2016 17:10:45 GMT<br>
Server: nginx/1.4.6 (Ubuntu)<br>
Transfer-Encoding: chunked<br>
X-Powered-By: Undertow/1<br>
<br>
Request Headers<br>
Accept: */*<br>
Accept-Encoding: gzip, deflate<br>
Accept-Language: en-US,en;q=0.8<br>
Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxO<br>
Connection: keep-alive<br>
Content-Length: 202<br>
Content-type: application/x-www-form-urlencoded<br>
Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzOWIxMzg3OS1mYjY5LTQ2MTAtYTdlZS1mZjA2ZjgyOTI4MzUiLCJleHAiOjE0NTI4Mjc0NDcsIm5iZiI6MCwiaWF0IjoxNDUyNzkxNDQ3LCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiYjkwMTViMGItYTUyNC00ZDVkLWJiYjMtMDI2OTk3NjY0NjM1IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.nCUDrU2Q9DQM5c2xcxLoW1pqVJNYcc-ZCUWe6HTlBVh1rwwk0V1q15Mbq0HzWcEkDWqatUTTQ0PEysH18hsOzuJdqRaaplBURwzW4S<br>
DNT: 1<br>
Host: sso2.company.com<br>
Origin: <a href="http://portal.app.company.local.medicalpayreview.com" target="_blank">http://portal.app.company.local.medicalpayreview.com</a><br>
Referer: <a href="http://portal.app.company.local.medicalpayreview.com/App/" target="_blank">http://portal.app.company.local.medicalpayreview.com/App/</a><br>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36<br>
<br>
Form Data<br>
code: Mk9BGw2vGHNBtO-caT1Z1MEpwixV4Ke5yi5YFEubDes.d82b1938-d6a6-4c3c-99eb-0a0d1c2636be<br>
grant_type: authorization_code<br>
redirect_uri: <a href="http://portal.app.local.medicalpayreview.com/App/" target="_blank">http://portal.app.local.medicalpayreview.com/App/</a></div><div><br></div><div>We find the following WARNING in the KEYCLOAK logs:</div><div>
<p>17:10:48,891 WARN [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, userId=null, ipAddress=72.77.99.99, error=invalid_client_credentials, grant_type=authorization_code</p><p>And an error in the browser console:</p><p>XMLHttpRequest cannot load <a href="https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token" target="_blank">https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token</a>. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://portal.app.company.local.medicalpayreview.com' is therefore not allowed access. The response had HTTP status code 400.</p><p>We appreciate everyone's input on getting over this challenge.</p><p><br></p></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 14, 2016 at 10:06 AM Marko Strukelj <<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Maybe take a look at advice in this thread:<br>
<a href="http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html</a><br>
<br>
On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace <<a href="mailto:cjwallac@gmail.com" target="_blank">cjwallac@gmail.com</a>> wrote:<br>
> Marko, Thanks for your feedback!<br>
><br>
> We have successfully passed that problem and are able to log in to KEYCLOAK<br>
> behind NGINX using HTTPS Proxy. Our challenge now is when our applications<br>
> attempt to access we get the following error:<br>
><br>
> Request URL:<br>
> <a href="https://sso2.company.com/auth/realms/master/tokens/access/codes" rel="noreferrer" target="_blank">https://sso2.company.com/auth/realms/master/tokens/access/codes</a><br>
> Request Method:<br>
> POST<br>
> Status Code:<br>
> 400 Bad Request<br>
> Remote Address:<br>
> <a href="http://99.99.99.99:443" rel="noreferrer" target="_blank">99.99.99.99:443</a><br>
><br>
> Response Headers<br>
><br>
> Connection:<br>
> keep-alive<br>
> Content-Type:<br>
> application/json<br>
> Date:<br>
> Thu, 14 Jan 2016 14:35:52 GMT<br>
> Server:<br>
> nginx/1.4.6 (Ubuntu)<br>
> Transfer-Encoding:<br>
> chunked<br>
> X-Powered-By:<br>
> Undertow/1<br>
><br>
> Request Headers<br>
><br>
> Accept:<br>
> */*<br>
> Accept-Encoding:<br>
> gzip, deflate<br>
> Accept-Language:<br>
> en-US,en;q=0.8<br>
> Authorization:<br>
> Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ<br>
> Connection:<br>
> keep-alive<br>
> Content-Length:<br>
> 172<br>
> Content-type:<br>
> application/x-www-form-urlencoded<br>
> Cookie:<br>
> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k<br>
> DNT:<br>
> 1<br>
> Host:<br>
> <a href="http://sso2.company.com" rel="noreferrer" target="_blank">sso2.company.com</a><br>
> Origin:<br>
> <a href="http://app.local.company.com" rel="noreferrer" target="_blank">http://app.local.company.com</a><br>
> Referer:<br>
> <a href="http://app.local.company.com/App/" rel="noreferrer" target="_blank">http://app.local.company.com/App/</a><br>
> User-Agent:<br>
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML,<br>
> like Gecko) Chrome/47.0.2526.106 Safari/537.36<br>
><br>
> Form Data<br>
><br>
> code:<br>
> Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2<br>
> redirect_uri:<br>
> <a href="http://app.local.company.com/App/" rel="noreferrer" target="_blank">http://app.local.company.com/App/</a><br>
><br>
> Please do note that this same application is able to access KEYCLOAK using basically<br>
> the same configuration without NGINX in the mix. Have any thoughts as to<br>
> what we should look to configure differently with NGINX in the mix?<br>
><br>
> On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj <<a href="mailto:mstrukel@redhat.com" target="_blank">mstrukel@redhat.com</a>> wrote:<br>
>><br>
>> The error 'org.apache.http.conn.HttpHostConnectException: Connection to<br>
>> <a href="https://sso2.domain.com" rel="noreferrer" target="_blank">https://sso2.domain.com</a> refused' means that either there is a server side<br>
>> problem - your Nginx isn't started and listening on port 443, a firewall<br>
>> preventing incoming connections - or there is a client side problem - a DNS<br>
>> issue improperly resolving <a href="http://sso2.domain.com" rel="noreferrer" target="_blank">sso2.domain.com</a> into IP on the host where Tomcat<br>
>> is running.<br>
>><br>
>> At this point no SSL handshaking was attempted yet.<br>
>><br>
>> If you try 'curl <a href="https://sso2.domain.com" rel="noreferrer" target="_blank">https://sso2.domain.com</a>' or 'telnet <a href="http://sso2.domain.com" rel="noreferrer" target="_blank">sso2.domain.com</a> 443'<br>
>> from the server running your Tomcat you'll see the same issue. Once that<br>
>> starts to work, only then will any SSL / proxying related configuration<br>
>> issues start to manifest themselves.<br>
>><br>
>> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <<a href="mailto:cjwallac@gmail.com" target="_blank">cjwallac@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>> Community, I have spent a decent amount of time attempting to get<br>
>>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It<br>
>>> does work without the proxy, but I need the proxy to handle certificates. I<br>
>>> think I am pretty close to having it working, but something seems to be<br>
>>> missing... I have done the following. I appreciate any insight you may have<br>
>>> as I think I have exhausted other resources.<br>
>>><br>
>>> 1. Configure a server in NGINX<br>
>>><br>
>>> server {<br>
>>><br>
>>> listen 443;<br>
>>><br>
>>><br>
>>> ssl on;<br>
>>><br>
>>> ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;<br>
>>><br>
>>> ssl_certificate_key /etc/ssl/certs/*.domain.key;<br>
>>><br>
>>><br>
>>> server_name sso2.domain.com;<br>
>>><br>
>>> access_log /var/log/nginx/nginx.sso.access.log;<br>
>>><br>
>>> error_log /var/log/nginx/nginx.sso.error.log;<br>
>>><br>
>>> location / {<br>
>>><br>
>>> proxy_set_header Host $host;<br>
>>><br>
>>> proxy_set_header X-Real-IP $remote_addr;<br>
>>><br>
>>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>
>>><br>
>>> proxy_set_header X-Forwarded-Proto $scheme;<br>
>>><br>
>>> proxy_set_header X-Forwarded-Port 443;<br>
>>><br>
>>> proxy_pass <a href="http://internalip:8080" rel="noreferrer" target="_blank">http://internalip:8080</a>;<br>
>>><br>
>>> }<br>
>>><br>
>>> }<br>
>>><br>
>>> 2. Enable SSL on a Reverse Proxy<br>
>>><br>
>>> First add proxy-address-forwarding and redirect-socket to the<br>
>>> http-listener element:<br>
>>><br>
>>> <subsystem xmlns="urn:jboss:domain:undertow:1.1"><br>
>>> ...<br>
>>> <http-listener name="default" socket-binding="http"<br>
>>> proxy-address-forwarding="true" redirect-socket="proxy-https"/><br>
>>> ...<br>
>>> </subsystem><br>
>>><br>
>>> Then add a new socket-binding element to the socket-binding-group<br>
>>> element:<br>
>>><br>
>>> <socket-binding-group name="standard-sockets" default-interface="public"<br>
>>> port-offset="${jboss.socket.binding.port-offset:0}"><br>
>>> ...<br>
>>> <socket-binding name="proxy-https" port="443"/><br>
>>> ...<br>
>>> </socket-binding-group><br>
>>><br>
>>><br>
>>> RECEIVE THE FOLLOWING ERROR in TOMCAT:<br>
>>><br>
>>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator -<br>
>>> failed to turn code into token<br>
>>><br>
>>> org.apache.http.conn.HttpHostConnectException: Connection to<br>
>>> <a href="https://sso2.domain.com" rel="noreferrer" target="_blank">https://sso2.domain.com</a> refused<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)<br>
>>> ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297)<br>
>>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243)<br>
>>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)<br>
>>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189)<br>
>>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28)<br>
>>> [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)<br>
>>> [lib/:na]<br>
>>><br>
>>> at<br>
>>> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170)<br>
>>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]<br>
>>><br>
>>> at<br>
>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)<br>
>>> [lib/:na]<br>
>>><br>
>>> at<br>
>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)<br>
>>> [lib/:na]<br>
>>><br>
>>> at<br>
>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)<br>
>>> [lib/:na]<br>
>>><br>
>>> at<br>
>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)<br>
>>> [lib/:na]<br>
>>><br>
>>> at<br>
>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)<br>
>>> [lib/:na]<br>
>>><br>
>>> at<br>
>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)<br>
>>> [tomcat-coyote.jar:8.0.18]<br>
>>><br>
>>> at<br>
>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)<br>
>>> [tomcat-coyote.jar:8.0.18]<br>
>>><br>
>>> at<br>
>>> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)<br>
>>> [tomcat-coyote.jar:8.0.18]<br>
>>><br>
>>> at<br>
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)<br>
>>> [tomcat-coyote.jar:8.0.18]<br>
>>><br>
>>> at<br>
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)<br>
>>> [tomcat-coyote.jar:8.0.18]<br>
>>><br>
>>> at<br>
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>
>>> [na:1.8.0_25]<br>
>>><br>
>>> at<br>
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>
>>> [na:1.8.0_25]<br>
>>><br>
>>> at<br>
>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)<br>
>>> [tomcat-util.jar:8.0.18]<br>
>>><br>
>>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]<br>
>>><br>
>>> Caused by: java.net.ConnectException: Connection timed out<br>
>>><br>
>>> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]<br>
>>><br>
>>> at<br>
>>> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)<br>
>>> ~[na:1.8.0_25]<br>
>>><br>
>>> at<br>
>>> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)<br>
>>> ~[na:1.8.0_25]<br>
>>><br>
>>> at<br>
>>> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)<br>
>>> ~[na:1.8.0_25]<br>
>>><br>
>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)<br>
>>> ~[na:1.8.0_25]<br>
>>><br>
>>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]<br>
>>><br>
>>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649)<br>
>>> ~[na:1.8.0_25]<br>
>>><br>
>>> at<br>
>>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> at<br>
>>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)<br>
>>> ~[httpclient-4.2.1.jar:4.2.1]<br>
>>><br>
>>> ... 29 common frames omitted<br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> keycloak-user mailing list<br>
>>> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
>><br>
>><br>
><br>
</blockquote></div></blockquote></div>
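The trace quoted in the thread is the adapter's server-side code-to-token call (ServerRequest.invokeAccessCodeToToken) failing to reach the auth-server-url from Tomcat: the httpclient wrapper says "refused" while the real root cause is a connect timeout, so triage should read the last "Caused by", not the top line. The following script is an added example, not code from the thread or from Keycloak; it re-joins a mail-wrapped Java trace and pulls out the top exception, the root cause, the first adapter frame and a hint. SAMPLE_TRACE is a constructed, abridged copy of the quoted trace, and the hint table is the author's own mapping, not a Keycloak or httpclient API.

```python
import re
# Constructed sample abridged from the wrapped trace quoted above (not the full original text).
SAMPLE_TRACE = """\
1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator -
failed to turn code into token
org.apache.http.conn.HttpHostConnectException: Connection to
https://sso2.domain.com refused
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
~[httpclient-4.2.1.jar:4.2.1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297)
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
Caused by: java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
"""
EXC_RE = re.compile(r"^(?:Caused by: )?(?P<exc>[\w.$]+(?:Exception|Error)):\s*(?P<msg>.*)$")
FRAME_RE = re.compile(r"^at\s+(?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)")
# What each root cause means for the adapter's back-channel call to the token endpoint (author's mapping).
HINTS = {"Connection timed out": "app server cannot reach the auth-server-url host/port",
         "Connection refused": "host reached, but nothing listens on that port"}

def unwrap(text):
    """Re-join wrapped lines: a line that opens no frame, exception or 'Caused by' continues the previous unit."""
    units = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        opens = line == "at" or line.startswith(("at ", "Caused by:", "...")) or EXC_RE.match(line)
        if units and not opens:
            units[-1] += " " + line
        else:
            units.append(line)
    return units

def triage(text, app_prefix="org.keycloak.adapters."):
    """Top exception, root cause (last 'Caused by'), first adapter frame of the top exception, and a hint."""
    chain = []  # top-level exception first, then each 'Caused by' in order
    for unit in unwrap(text):
        if m := EXC_RE.match(unit):
            chain.append({"exc": m["exc"], "msg": m["msg"].strip(), "frames": []})
        elif chain and (f := FRAME_RE.match(unit)):
            chain[-1]["frames"].append(f"{f['cls']}.{f['method']}({f['loc']})")
    if not chain:
        return None
    root = chain[-1]
    return {"top": chain[0]["exc"], "top_msg": chain[0]["msg"], "root": root["exc"], "root_msg": root["msg"],
            "hint": next((h for k, h in HINTS.items() if k in root["msg"]), "unclassified"),
            "app_frame": next((fr for fr in chain[0]["frames"] if fr.startswith(app_prefix)), None)}
```

Running triage(SAMPLE_TRACE) reports the root cause as java.net.ConnectException "Connection timed out" with the adapter frame invokeAccessCodeToToken, i.e. the Tomcat host has no route to the Keycloak host at that URL, which is a network or firewall question rather than a TLS or header one.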