<div dir="ltr">Hi Artitz,<div><br></div><div>a great way to figure out what is sent from the reverse proxy to your keycloak server is to use the undertow request dumper.<div><br></div><div>From the jboss-cli just add the request dumper filter to your undertow configuration like this:</div><div><br></div><div><div><font face="monospace, monospace">$KC_HOME/bin/jbpss-cli.sh -c</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">/:reload</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">given your apache config looks something like this:</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> ProxyRequests Off</font></div><div><font face="monospace, monospace"> ProxyPreserveHost On</font></div><div><font face="monospace, monospace"> ProxyVia On</font></div><div><br></div><div><font face="monospace, monospace"> ProxyPass /auth ajp://<a href="http://127.0.0.1:8009/auth">127.0.0.1:8009/auth</a></font></div><div><font face="monospace, monospace"> ProxyPassReverse /auth ajp://<a href="http://127.0.0.1:8009/auth">127.0.0.1:8009/auth</a></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">you should see something like that (forwared info is somewhat rubbish in this example as I am running the hosts on Virtualbox - but you can see this request was put through 2 proxies from local pc 192.168.33.1 to haproxy on 192.168.33.80 and then apache reverse proxy on 192.168.33.81 ):</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="monospace, monospace">==============================================================</font></div><div><font face="monospace, monospace">23:47:20,563 INFO [io.undertow.request.dump] (default task-14)</font></div><div><font face="monospace, monospace">----------------------------REQUEST---------------------------</font></div><div><font face="monospace, monospace"> URI=/auth/welcome-content/favicon.ico</font></div><div><font face="monospace, monospace"> characterEncoding=null</font></div><div><font face="monospace, monospace"> contentLength=-1</font></div><div><font face="monospace, monospace"> contentType=null</font></div><div><font face="monospace, monospace"> header=Accept=*/*</font></div><div><font face="monospace, monospace"> header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div><div><font face="monospace, monospace"> header=Cache-Control=no-cache</font></div><div><font face="monospace, monospace"> header=Accept-Encoding=gzip, deflate, sdch</font></div><div><font face="monospace, monospace"> header=DNT=1</font></div><div><font face="monospace, monospace"> header=Pragma=no-cache</font></div><div><font face="monospace, monospace"> header=X-Original-To=192.168.33.80</font></div><div><font face="monospace, monospace"> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36</font></div><div><font face="monospace, monospace"> header=Authorization=Basic bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=</font></div><div><font face="monospace, monospace"> header=X-Forwarded-Proto=https</font></div><div><font face="monospace, monospace"> header=X-Forwarded-Port=443</font></div><div><font face="monospace, monospace"> header=X-Forwarded-For=192.168.33.1</font></div><div><font face="monospace, monospace"> header=Referer=<a href="https://login.vagrant.dev/auth/">https://login.vagrant.dev/auth/</a></font></div><div><font face="monospace, monospace"> header=Host=login.vagrant.dev</font></div><div><font face="monospace, monospace"> locale=[en_US, en, de]</font></div><div><font face="monospace, monospace"> method=GET</font></div><div><font face="monospace, monospace"> protocol=HTTP/1.1</font></div><div><font face="monospace, monospace"> queryString=</font></div><div><font face="monospace, monospace"> remoteAddr=<a href="http://192.168.33.1:0">192.168.33.1:0</a></font></div><div><font face="monospace, monospace"> remoteHost=192.168.33.1</font></div><div><font face="monospace, monospace"> scheme=https</font></div><div><font face="monospace, monospace"> host=login.vagrant.dev</font></div><div><font face="monospace, monospace"> serverPort=443</font></div><div><font face="monospace, monospace">--------------------------RESPONSE--------------------------</font></div><div><font face="monospace, monospace"> contentLength=627</font></div><div><font face="monospace, monospace"> contentType=application/octet-stream</font></div><div><font face="monospace, monospace"> header=Cache-Control=max-age=2592000</font></div><div><font face="monospace, monospace"> header=X-Powered-By=Undertow/1</font></div><div><font face="monospace, monospace"> header=Server=WildFly/10</font></div></div><div><br></div><div><br></div><div>Hope this helps diagnosing your issue. Niels</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <span dir="ltr"><<a href="mailto:amaeztu@tesicnor.com" target="_blank">amaeztu@tesicnor.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>I'm using keycloak to securize some Spring based services (with
the keycloak spring security adapter). The adapter creates a
`/login` endpoint in each of the services which redirects to the
keycloak login page and then redirects back to the service when
authentication is done. I also have a proxy service which I want
to publish in the 80 port and will take care of routing all the
requests to each service. The proxy performs a plain FORWARD to
the service, but the problem comes when I securize the service
with the keycloak adapter. <br>
</p>
<p>When I make a request, the adapter redirects to its login
endpoint and then to the keycloak auth url. When keycloak sends
the redirection, the url shown in the browser is the one from the
service and not the one from the proxy. Do I have some choice to
tell the adapter I want to redirect back to the first requested
url?<span class="HOEnZb"><font color="#888888"><br>
</font></span></p><span class="HOEnZb"><font color="#888888">
<br>
<div>-- <br>
<div>
<table style="width:600;border-collapse:collapse">
<tbody>
<tr>
<td style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898"> <span style="font-weight:bold">Aritz Maeztu Otaño</span><br>
<span style="font-size:12px">Departamento Desarrollo
de Software</span> </td>
<td style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898;padding-left:20px"> <a href="https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES" target="_blank">
<img src="cid:part1.CE73581C.4BE2BAA7@tesicnor.com" border="0">
</a> </td>
</tr>
<tr>
<td> <a href="http://www.tesicnor.com" target="_blank"> <img src="cid:part3.E5FA84AA.058AE979@tesicnor.com" border="0" width="143">
</a> </td>
<td style="font-size:12px">
<p style="padding-left:20px"> <span>Pol. Ind.
Mocholi.</span> <span>C/Rio Elorz, Nave 13E </span><span style="font-weight:bold">31110 Noain (Navarra)</span><br>
<span>Telf.: 948 21 40 40</span> <br>
<span>Fax.: 948 21 40 41</span> <br>
</p>
</td>
</tr>
<tr>
<td colspan="2"> <span style="color:#009900;font-size:12px">Antes de imprimir este e-mail piense bien si es
necesario hacerlo: El medioambiente es cosa de todos.</span>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</font></span></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>