<div dir="ltr">For Keycloak server to work behind a reverse proxy you need to make sure the X-Forwarded-For and Host headers are includes, there's also some config you need to do in Keycloak itself. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 May 2016 at 13:34, Guy Bowdler <span dir="ltr"><<a href="mailto:guybowdler@dorsetnetworks.com" target="_blank">guybowdler@dorsetnetworks.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Typical, spent two days faffing on this and as soon as I ask the forum,<br>
I find it. I repointed the kc proxy "auth-server-url" direct at<br>
keycloak and it works fine. Point it at the nginx proxied version of<br>
keycloak and it dies. It authenticates, and the user sessions show in<br>
the keycloak console, and SSO works, as I can go to another URL and that<br>
too shows a session but neither page renders when keyclaok is behind<br>
nginx.<br>
<br>
anyone had a similar experience?<br>
<div class="HOEnZb"><div class="h5"><br>
On 2016-05-24 11:25, Guy Bowdler wrote:<br>
> It might be this, as we have the keycloak instance running behind<br>
> another nginx proxy:<br>
><br>
> <a href="https://issues.jboss.org/browse/KEYCLOAK-2054" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2054</a><br>
><br>
> If anyone can help confirm this is would be a massive help as the fix<br>
> isn't due out until June 22 and would save unnecessary troubleshooting<br>
><br>
><br>
><br>
> On 2016-05-24 10:48, Guy Bowdler wrote:<br>
>> Hi:)<br>
>><br>
>> Has anybody seen this error?<br>
>><br>
>> I have (<a href="http://host.name/appname" rel="noreferrer" target="_blank">http://host.name/appname</a>) --> [KeyCloakProxy:80 --><br>
>> nginx:8080]<br>
>> --> [Web apps on different boxes] where [] denotes on same box.<br>
>> Namespace is hostname/appname where nginx location directives proxy<br>
>> out<br>
>> again to different boxes.<br>
>><br>
>> I've previously had this working but when I changed the keystore it<br>
>> all<br>
>> broke and haven't found the problem yet. Troubleshooting steps have<br>
>> been to take out the ssl entirely and try different client settings.<br>
>> If<br>
>> I remove the contraints in the proxy config, it proxies ok to the<br>
>> webpages, and it the constraints are in, I log in ok and then the<br>
>> browser goes blank with a URL like this in the address bar:<br>
>><br>
>> <a href="http://apps.host.name/python?state=0%2F52043b01-976f-464f-8651-ebe295aac2af&code=-_odSdHkDVnID6JhPeKV2QXh_1oub5DDLP2ZLZ6pA_0.ef2bd934-2fd8-48da-a626-106712b687b1" rel="noreferrer" target="_blank">http://apps.host.name/python?state=0%2F52043b01-976f-464f-8651-ebe295aac2af&code=-_odSdHkDVnID6JhPeKV2QXh_1oub5DDLP2ZLZ6pA_0.ef2bd934-2fd8-48da-a626-106712b687b1</a><br>
>><br>
>> The error stack below is from the console of the keycloak proxy.<br>
>> Refreshing the page, simply returns a different error of "NO STATE<br>
>> COOKIE".<br>
>><br>
>> Thanks in advance for any assistance,<br>
>><br>
>> kind regards<br>
>><br>
>> Guy<br>
>><br>
>><br>
>> ERROR: failed to turn code into token<br>
>> java.net.ConnectException: Connection refused<br>
>> at java.net.PlainSocketImpl.socketConnect(Native Method)<br>
>> at<br>
>> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)<br>
>> at<br>
>> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)<br>
>> at<br>
>> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)<br>
>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)<br>
>> at java.net.Socket.connect(Socket.java:589)<br>
>> at<br>
>> sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)<br>
>> at<br>
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)<br>
>> at<br>
>> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)<br>
>> at<br>
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)<br>
>> at<br>
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)<br>
>> at<br>
>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)<br>
>> at<br>
>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)<br>
>> at<br>
>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)<br>
>> at<br>
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)<br>
>> at<br>
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)<br>
>> at<br>
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)<br>
>> at<br>
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)<br>
>> at<br>
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)<br>
>> at<br>
>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)<br>
>> at<br>
>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)<br>
>> at<br>
>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)<br>
>> at<br>
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)<br>
>> at<br>
>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)<br>
>> at<br>
>> org.keycloak.adapters.undertow.UndertowAuthenticationMechanism.authenticate(UndertowAuthenticationMechanism.java:56)<br>
>> at<br>
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)<br>
>> at<br>
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)<br>
>> at<br>
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)<br>
>> at<br>
>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)<br>
>> at<br>
>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)<br>
>> at<br>
>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)<br>
>> at<br>
>> org.keycloak.proxy.ProxyAuthenticationCallHandler.handleRequest(ProxyAuthenticationCallHandler.java:44)<br>
>> at<br>
>> org.keycloak.proxy.ConstraintMatcherHandler.handleRequest(ConstraintMatcherHandler.java:89)<br>
>> at<br>
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)<br>
>> at<br>
>> org.keycloak.adapters.undertow.UndertowPreAuthActionsHandler.handleRequest(UndertowPreAuthActionsHandler.java:54)<br>
>> at<br>
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)<br>
>> at<br>
>> io.undertow.server.session.SessionAttachmentHandler.handleRequest(SessionAttachmentHandler.java:68)<br>
>> at<br>
>> io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94)<br>
>> at<br>
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)<br>
>> at<br>
>> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:232)<br>
>> at<br>
>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)<br>
>> at<br>
>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)<br>
>> at<br>
>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<br>
>> at<br>
>> org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)<br>
>> at<br>
>> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)<br>
>> at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)<br>
>><br>
>> May 24, 2016 11:04:30 AM<br>
>> org.keycloak.adapters.OAuthRequestAuthenticator<br>
>> checkStateCookie<br>
>> WARN: No state cookie<br>
>><br>
>> _______________________________________________<br>
>> keycloak-user mailing list<br>
>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div>