<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    <div class="moz-forward-container"><br>
      <br>
      -------- Forwarded Message --------
      <table class="moz-email-headers-table" border="0" cellpadding="0"
        cellspacing="0">
        <tbody>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject: </th>
            <td>Re: [keycloak-user] Redirection issue with proxy behind
              keycloak</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
            <td>Mon, 30 May 2016 13:28:21 +0200</td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
            <td>Aritz Maeztu <a class="moz-txt-link-rfc2396E" href="mailto:amaeztu@tesicnor.com">&lt;amaeztu@tesicnor.com&gt;</a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
            <td><a class="moz-txt-link-abbreviated" href="mailto:stian@redhat.com">stian@redhat.com</a></td>
          </tr>
          <tr>
            <th align="RIGHT" nowrap="nowrap" valign="BASELINE">CC: </th>
            <td>Niels Bertram <a class="moz-txt-link-rfc2396E" href="mailto:nielsbne@gmail.com">&lt;nielsbne@gmail.com&gt;</a>, keycloak-user
              <a class="moz-txt-link-rfc2396E" href="mailto:keycloak-user@lists.jboss.org">&lt;keycloak-user@lists.jboss.org&gt;</a>, Scott Rossillo
              <a class="moz-txt-link-rfc2396E" href="mailto:srossillo@smartling.com">&lt;srossillo@smartling.com&gt;</a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      <p>I've done all the traceability from the proxy server till the
        login page is displayed:</p>
      <p>First step, /organization/organizations is requested, so the
        proxy server knows it has to be forwarded to the 8083 port (the
        one for the organization service). That's the first request
        received by my application's Tomcat:</p>
      <p><font face="Courier New" size="-2">2016-05-30 13:01:18.888 
          INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9 START TIME        =30-may-2016 13:01:18<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         requestURI=/organizations<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9           authType=null<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9  characterEncoding=UTF-8<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9      contentLength=-1<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9        contentType=null<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9        contextPath=<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=accept-language=es-ES,es;q=0.8<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=x-forwarded-host=mies-057:8765<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=x-forwarded-prefix=/organization<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=upgrade-insecure-requests=1<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=accept-encoding=gzip<br>
          2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=user-agent=Mozilla/5.0
          (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
          Chrome/50.0.2661.102 Safari/537.36<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=netflix.nfhttpclient.version=1.0<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=x-netflix-httpclientname=organization<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=host=mies-057:8083<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=connection=Keep-Alive<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             locale=es_ES<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             method=GET<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9           pathInfo=null<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9           protocol=HTTP/1.1<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9        queryString=null<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         remoteAddr=192.168.56.1<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         remoteHost=192.168.56.1<br>
          2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         remoteUser=null<br>
          2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9 requestedSessionId=null<br>
          2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             scheme=http<br>
          2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         serverName=mies-057<br>
          2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         serverPort=8083<br>
          2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9        servletPath=/organizations<br>
          2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9           isSecure=false<br>
          2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9
          ------------------=--------------------------------------------</font></p>
      <p>Here x-forwarded-host is mies-057:8765 (the proxy server) and
        x-forwarded-prefix is /organization. So the original request is
        kept in the headers. Well, now my service (8083) tries to check
        for authorization via the /sso/login endpoint from the keycloak
        spring security adapter:<br>
      </p>
      <p><font face="Courier New" size="-2">2016-05-30 13:01:18.892
          DEBUG 18096 --- [nio-8083-exec-9]
          o.k.a.s.management.HttpSessionManager    : Session created:
          CDCA7AD4439DE94BD0B3B5803DAA0752<br>
          2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
          k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to
          login URI /sso/login<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9
          ------------------=--------------------------------------------<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9           authType=null<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9        contentType=null<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=X-Content-Type-Options=nosniff<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=X-XSS-Protection=1;
          mode=block<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=Cache-Control=no-cache, no-store, max-age=0,
          must-revalidate<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=Pragma=no-cache<br>
          2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=Expires=0<br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=X-Frame-Options=DENY<br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9            
          header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752;
          Path=/; HttpOnly<br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             header=Location=<a
            moz-do-not-send="true" class="moz-txt-link-freetext"
            href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9         remoteUser=null<br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9             status=302<br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9 END TIME          =30-may-2016 13:01:18<br>
          2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-9
          ===============================================================<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10 START TIME        =30-may-2016 13:01:18<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10         requestURI=/sso/login<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10           authType=null<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10  characterEncoding=UTF-8<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10      contentLength=-1<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10        contentType=null<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10        contextPath=<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10            
          cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
          2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10             header=host=mies-057:8083<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10             header=connection=keep-alive<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10            
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10            
          header=upgrade-insecure-requests=1<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10            
          header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
          AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
          Safari/537.36<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10             header=accept-encoding=gzip,
          deflate, sdch<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10            
          header=accept-language=es-ES,es;q=0.8<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10            
          header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10             locale=es_ES<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10             method=GET<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10           pathInfo=null<br>
          2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10           protocol=HTTP/1.1<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10        queryString=null<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10         remoteAddr=192.168.56.1<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10         remoteHost=192.168.56.1<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10         remoteUser=null<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10
          requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10             scheme=http<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10         serverName=mies-057<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10         serverPort=8083<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10        servletPath=/sso/login<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10           isSecure=false<br>
          2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
          o.a.c.filters.RequestDumperFilter        :
          http-nio-8083-exec-10
          ------------------=--------------------------------------------<br>
          2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
          o.k.adapters.PreAuthActionsHandler       : adminRequest <a
            moz-do-not-send="true" class="moz-txt-link-freetext"
            href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br>
          2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
          f.KeycloakAuthenticationProcessingFilter : Request is to
          process authentication<br>
          2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
          f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak
          authentication<br>
          2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
          o.k.adapters.RequestAuthenticator        : --&gt;
          authenticate()<br>
          2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
          o.k.adapters.RequestAuthenticator        : try bearer<br>
          2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
          o.k.adapters.RequestAuthenticator        : try oauth<br>
          2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
          o.k.a.s.token.SpringSecurityTokenStore   : Checking if
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
          is cached<br>
          2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
          o.k.adapters.OAuthRequestAuthenticator   : there was no code<br>
          2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
          o.k.adapters.OAuthRequestAuthenticator   : redirecting to auth
          server<br>
          2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
          o.k.adapters.OAuthRequestAuthenticator   : callback uri: <a
            moz-do-not-send="true" class="moz-txt-link-freetext"
            href="http://mies-057:8083/sso/login">http://mies-057:8083/sso/login</a><br>
          2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
          f.KeycloakAuthenticationProcessingFilter : Auth outcome:
          NOT_ATTEMPTED<br>
          2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
          o.k.adapters.OAuthRequestAuthenticator   : Sending redirect to
          login page:
          <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&amp;client_id=organization&amp;redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&amp;state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&amp;login=true">http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&amp;client_id=organization&amp;redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&amp;state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&amp;login=true</a></font></p>
      <p>As it's shown in the logs, the X-forwarded logs are not kept by
        the keycloak adapter (look at the lines below <font
          face="Courier New" size="-2">k.a.s.a.KeycloakAuthenticationEntryPoint
          : Redirecting to login URI /sso/login</font>). So could it be
        the proxy server itself being properly configured but the
        keycloak adapter losing the original headers while performing
        the redirection?</p>
      <p>I've also set up the request dumper in the undertow server as
        Niels suggested, but obviously, X-forwarded headers are not
        reaching the keycloak server.</p>
      <p>Thanks for your time, again ;-)<br>
      </p>
      <p><br>
      </p>
      <br>
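      <p>The comparison made by eye in the message above, as an added
        example (not part of the original message or of the Keycloak
        adapter): a Python check over RequestDumperFilter output that
        flags a Location header or OAuth redirect_uri whose host differs
        from the X-Forwarded-Host the proxy sent. The function names and
        the condensed sample log are constructed for illustration, and
        the "expected" URL assumes the proxy strips the
        X-Forwarded-Prefix before forwarding.</p>

```python
import re
from urllib.parse import parse_qs, urlsplit

DUMP = re.compile(r"RequestDumperFilter\s*:\s*(\S+)\s+(.*)$")
AUTH = re.compile(r"Sending redirect to login page:\s*(\S+)")
T9, T10 = "http-nio-8083-exec-9", "http-nio-8083-exec-10"


def _dump(thread, field):
    # Builds one RequestDumperFilter line in the layout shown in the message.
    return ("2016-05-30 13:01:18.888  INFO 18096 --- [" + thread[-15:] + "] "
            "o.a.c.filters.RequestDumperFilter        : " + thread + " " + field)


# Constructed sample, condensed from the dump quoted in the message above.
SAMPLE_LOG = "\n".join([
    _dump(T9, "START TIME        =30-may-2016 13:01:18"),
    _dump(T9, "requestURI=/organizations"),
    _dump(T9, "header=x-forwarded-host=mies-057:8765"),
    _dump(T9, "header=x-forwarded-prefix=/organization"),
    _dump(T9, "header=host=mies-057:8083"),
    _dump(T9, "------------------=--------------------------------------------"),
    _dump(T9, "header=Location=http://mies-057:8083/sso/login"),
    _dump(T9, "status=302"),
    _dump(T9, "END TIME          =30-may-2016 13:01:18"),
    _dump(T10, "START TIME        =30-may-2016 13:01:18"),
    _dump(T10, "requestURI=/sso/login"),
    _dump(T10, "header=host=mies-057:8083"),
    "2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] "
    "o.k.adapters.OAuthRequestAuthenticator   : Sending redirect to login page: "
    "http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth"
    "?response_type=code&client_id=organization"
    "&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin"
    "&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true",
])


def parse_exchanges(log):
    """Group dumper lines per worker thread into completed request/response pairs."""
    open_by_thread, done = {}, []
    for line in log.splitlines():
        m = DUMP.search(line)
        if not m:
            continue
        thread, rest = m.group(1), m.group(2).strip()
        if rest.startswith("START TIME"):
            open_by_thread[thread] = {"uri": None, "status": None, "request": {},
                                      "response": {}, "phase": "request"}
            continue
        ex = open_by_thread.get(thread)
        if ex is None:
            continue
        if rest.startswith("END TIME"):
            done.append(open_by_thread.pop(thread))
        elif rest.startswith("---"):
            # The dashed separator closes the request dump; response fields follow.
            ex["phase"] = "response"
        elif rest.startswith("header="):
            name, _, value = rest[len("header="):].partition("=")
            ex[ex["phase"]][name.lower()] = value
        elif rest.startswith("requestURI="):
            ex["uri"] = rest.split("=", 1)[1]
        elif rest.startswith("status="):
            ex["status"] = int(rest.split("=", 1)[1])
    return done


def audit(log):
    """Return findings where a redirect target leaves the proxy's host."""
    findings, external_hosts = [], set()
    for ex in parse_exchanges(log):
        fwd_host = ex["request"].get("x-forwarded-host")
        if not fwd_host:
            continue
        external_hosts.add(fwd_host)
        location = ex["response"].get("location", "")
        loc = urlsplit(location)
        if loc.netloc and loc.netloc != fwd_host:
            # Assumption: the proxy strips x-forwarded-prefix before forwarding.
            scheme = ex["request"].get("x-forwarded-proto", loc.scheme)
            prefix = ex["request"].get("x-forwarded-prefix", "")
            findings.append({"kind": "location-bypasses-proxy", "request": ex["uri"],
                             "sent": location,
                             "expected": f"{scheme}://{fwd_host}{prefix}{loc.path}"})
    for m in AUTH.finditer(log):
        query = parse_qs(urlsplit(m.group(1)).query)
        for redirect_uri in query.get("redirect_uri", []):
            host = urlsplit(redirect_uri).netloc
            if external_hosts and host not in external_hosts:
                findings.append({"kind": "redirect-uri-internal-host",
                                 "sent": redirect_uri, "host": host})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

      <p>When a service acts on these headers, it should accept
        X-Forwarded-* values only from the proxy's own address, since a
        request that reaches port 8083 directly can set them freely.</p>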
      <div class="moz-cite-prefix">On 25/05/2016 7:22, Stian
        Thorgersen wrote:<br>
      </div>
      <blockquote
cite="mid:CAJgngAeUJxOkFVspZc096Eu+bTedwcpPpv6UnWDQzX6ptChwMQ@mail.gmail.com"
        type="cite">
        <div dir="ltr">You need the Host and X-Forwarded-For headers to
          be included and there's also some config to be done on the
          Keycloak server (see <a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a>)</div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 24 May 2016 at 08:46, Aritz Maeztu
            <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:amaeztu@tesicnor.com" target="_blank">amaeztu@tesicnor.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <p>Hi Niels and Scott. First of all, thank you very much
                  for your help. I'm currently using Zuul (Spring Cloud)
                  as the reverse proxy. All the services are registered
                  in a discovery service called Eureka and then Zuul
                  looks for the service id there and performs the
                  redirection. I read about <font face="monospace,
                    monospace">X-Forwarded headers, but I thought it
                    might result in a security issue if not included,
                    not that it could affect the redirection process. <br>
                  </font></p>
                <p><font face="monospace, monospace">As Scott says, I
                    suppose the Host and the X-Real-Ip headers are the
                    relevant ones here, so I guess I should instruct
                    Zuul to send them when the service is addressed
                    (however I wonder why they are not already being
                    sent, as Zuul is a proxy service, all in all).</font></p>
                Here I include a preview of the first redirection made
                to the keycloak login page, which shows the request
                headers sent to the service /login endpoint (at port
                8081 in localhost):<br>
                <br>
                <a moz-do-not-send="true"
                  href="https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0"
                  target="_blank">https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0</a><br>
                <br>
                <div>On 24/05/2016 2:08, Niels Bertram wrote:<br>
                </div>
                <div>
                  <div class="h5">
                    <blockquote type="cite">
                      <div dir="ltr">Hi Aritz,
                        <div><br>
                        </div>
                        <div>a great way to figure out what is sent from
                          the reverse proxy to your keycloak server is
                          to use the undertow request dumper.
                          <div><br>
                          </div>
                          <div>From the jboss-cli just add the request
                            dumper filter to your undertow configuration
                            like this:</div>
                          <div><br>
                          </div>
                          <div>
                            <div><font face="monospace, monospace">$KC_HOME/bin/jboss-cli.sh
                                -c</font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="monospace, monospace">/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
                                module=io.undertow.core)</font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="monospace, monospace">/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add</font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="monospace, monospace">/:reload</font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="arial, helvetica,
                                sans-serif">given your apache config
                                looks something like this:</font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="monospace, monospace"> 
                                ProxyRequests Off</font></div>
                            <div><font face="monospace, monospace"> 
                                ProxyPreserveHost On</font></div>
                            <div><font face="monospace, monospace"> 
                                ProxyVia On</font></div>
                            <div><br>
                            </div>
                            <div><font face="monospace, monospace"> 
                                ProxyPass /auth ajp://<a
                                  moz-do-not-send="true"
                                  href="http://127.0.0.1:8009/auth"
                                  target="_blank">127.0.0.1:8009/auth</a></font></div>
                            <div><font face="monospace, monospace"> 
                                ProxyPassReverse /auth ajp://<a
                                  moz-do-not-send="true"
                                  href="http://127.0.0.1:8009/auth"
                                  target="_blank">127.0.0.1:8009/auth</a></font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="monospace, monospace"><br>
                              </font></div>
                            <div><font face="arial, helvetica,
                                sans-serif">you should see something
                                like that (forwarded info is somewhat
                                rubbish in this example as I am running
                                the hosts on Virtualbox - but you can
                                see this request was put through 2
                                proxies from local pc 192.168.33.1 to
                                haproxy on 192.168.33.80 and then apache
                                reverse proxy on 192.168.33.81 ):</font></div>
                            <div><font face="arial, helvetica,
                                sans-serif"><br>
                              </font></div>
                            <div><font face="monospace, monospace">==============================================================</font></div>
                            <div><font face="monospace, monospace">23:47:20,563
                                INFO  [io.undertow.request.dump]
                                (default task-14)</font></div>
                            <div><font face="monospace, monospace">----------------------------REQUEST---------------------------</font></div>
                            <div><font face="monospace, monospace">     
                                       
                                 URI=/auth/welcome-content/favicon.ico</font></div>
                            <div><font face="monospace, monospace"> characterEncoding=null</font></div>
                            <div><font face="monospace, monospace">   
                                 contentLength=-1</font></div>
                            <div><font face="monospace, monospace">     
                                 contentType=null</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Accept=*/*</font></div>
                            <div><font face="monospace, monospace">     
                                     
                                header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Cache-Control=no-cache</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Accept-Encoding=gzip,
                                deflate, sdch</font></div>
                            <div><font face="monospace, monospace">     
                                      header=DNT=1</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Pragma=no-cache</font></div>
                            <div><font face="monospace, monospace">     
                                      header=X-Original-To=192.168.33.80</font></div>
                            <div><font face="monospace, monospace">     
                                      header=User-Agent=Mozilla/5.0
                                (Windows NT 6.1; WOW64)
                                AppleWebKit/537.36 (KHTML, like Gecko)
                                Chrome/50.0.2661.102 Safari/537.36</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Authorization=Basic
                                bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=</font></div>
                            <div><font face="monospace, monospace">     
                                      header=X-Forwarded-Proto=https</font></div>
                            <div><font face="monospace, monospace">     
                                      header=X-Forwarded-Port=443</font></div>
                            <div><font face="monospace, monospace">     
                                     
                                header=X-Forwarded-For=192.168.33.1</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Referer=<a
                                  moz-do-not-send="true"
                                  class="moz-txt-link-freetext"
                                  href="https://login.vagrant.dev/auth/">https://login.vagrant.dev/auth/</a></font></div>
                            <div><font face="monospace, monospace">     
                                      header=Host=login.vagrant.dev</font></div>
                            <div><font face="monospace, monospace">     
                                      locale=[en_US, en, de]</font></div>
                            <div><font face="monospace, monospace">     
                                      method=GET</font></div>
                            <div><font face="monospace, monospace">     
                                    protocol=HTTP/1.1</font></div>
                            <div><font face="monospace, monospace">     
                                 queryString=</font></div>
                            <div><font face="monospace, monospace">     
                                  remoteAddr=<a moz-do-not-send="true"
                                  href="http://192.168.33.1:0"
                                  target="_blank">192.168.33.1:0</a></font></div>
                            <div><font face="monospace, monospace">     
                                  remoteHost=192.168.33.1</font></div>
                            <div><font face="monospace, monospace">     
                                      scheme=https</font></div>
                            <div><font face="monospace, monospace">     
                                        host=login.vagrant.dev</font></div>
                            <div><font face="monospace, monospace">     
                                  serverPort=443</font></div>
                            <div><font face="monospace, monospace">--------------------------RESPONSE--------------------------</font></div>
                            <div><font face="monospace, monospace">   
                                 contentLength=627</font></div>
                            <div><font face="monospace, monospace">     
                                 contentType=application/octet-stream</font></div>
                            <div><font face="monospace, monospace">     
                                     
                                header=Cache-Control=max-age=2592000</font></div>
                            <div><font face="monospace, monospace">     
                                      header=X-Powered-By=Undertow/1</font></div>
                            <div><font face="monospace, monospace">     
                                      header=Server=WildFly/10</font></div>
                          </div>
                          <div><br>
                          </div>
                          <div><br>
                          </div>
                          <div>Hope this helps with diagnosing your issue.
                            Niels</div>
                        </div>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On Tue, May 24, 2016 at
                          1:20 AM, Aritz Maeztu <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              class="moz-txt-link-abbreviated"
                              href="mailto:amaeztu@tesicnor.com">amaeztu@tesicnor.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000">
                              <p>I'm using Keycloak to secure some
                                Spring-based services (with the Keycloak
                                Spring Security adapter). The adapter
                                creates a `/login` endpoint in each of
                                the services which redirects to the
                                Keycloak login page and then redirects
                                back to the service when authentication
                                is done. I also have a proxy service
                                which I want to publish on port 80
                                and which will take care of routing all the
                                requests to each service. The proxy
                                performs a plain FORWARD to the service,
                                but the problem comes when I secure
                                the service with the Keycloak adapter. <br>
                              </p>
                              <p>When I make a request, the adapter
                                redirects to its login endpoint and then
                                to the Keycloak auth URL. When Keycloak
                                sends the redirection, the URL shown in
                                the browser is the one from the service
                                and not the one from the proxy. Do I
                                have some choice to tell the adapter I
                                want to redirect back to the first
                                requested URL?<span><font
                                    color="#888888"><br>
                                  </font></span></p>
                              <span><font color="#888888"> <br>
                                  <div>-- <br>
                                    <div>
                                      <table
                                        style="width:600;border-collapse:collapse">
                                        <tbody>
                                          <tr>
                                            <td
style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898">
                                              <span
                                                style="font-weight:bold">Aritz
                                                Maeztu Otaño</span><br>
                                              <span
                                                style="font-size:12px">Software
                                                Development Department</span>
                                            </td>
                                            <td
style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898;padding-left:20px">
                                              <a moz-do-not-send="true"
href="https://www.linkedin.com/profile/preview?vpa=pub&amp;locale=es_ES"
                                                target="_blank"> <img
                                                  src="cid:part13.D32DDCBF.9DF9E14E@tesicnor.com"
                                                  border="0"> </a> </td>
                                          </tr>
                                          <tr>
                                            <td> <a
                                                moz-do-not-send="true"
                                                href="http://www.tesicnor.com"
                                                target="_blank"> <img
                                                  src="cid:part15.09FBF6BB.B65261EC@tesicnor.com"
                                                  border="0" width="143">
                                              </a> </td>
                                            <td style="font-size:12px">
                                              <p
                                                style="padding-left:20px">
                                                <span>Pol. Ind. Mocholi.</span>
                                                <span>C/Rio Elorz, Nave
                                                  13E </span><span
                                                  style="font-weight:bold">31110
                                                  Noain (Navarra)</span><br>
                                                <span>Tel.: 948 21 40
                                                  40</span> <br>
                                                <span>Fax.: 948 21 40 41</span>
                                                <br>
                                              </p>
                                            </td>
                                          </tr>
                                          <tr>
                                            <td colspan="2"> <span
                                                style="color:#009900;font-size:12px">Before
                                                printing this e-mail,
                                                consider carefully whether
                                                it is necessary: the
                                                environment is everyone's
                                                responsibility.</span> </td>
                                          </tr>
                                        </tbody>
                                      </table>
                                    </div>
                                  </div>
                                </font></span></div>
                            <br>
_______________________________________________<br>
                            keycloak-user mailing list<br>
                            <a moz-do-not-send="true"
                              href="mailto:keycloak-user@lists.jboss.org"
                              target="_blank">keycloak-user@lists.jboss.org</a><br>
                            <a moz-do-not-send="true"
                              href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                              rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
          </div>
          <br>
        </div>
      </blockquote>
      <br>
    </div>
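    <p>Added example, not part of the original thread: a Python check that reads one io.undertow.request.dump entry like the one above and reports whether the backend adopted the proxy's X-Forwarded-* values for scheme, port and client address. A mismatch means the backend sees its internal scheme and port rather than the proxy's. The two sample dumps are constructed for the example, and the function names are hypothetical.</p>

```python
import re

# Constructed sample, reduced from the io.undertow.request.dump format above.
HONOURED = """\
----------------------------REQUEST---------------------------
               URI=/auth/welcome-content/favicon.ico
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Port=443
            header=X-Forwarded-For=192.168.33.1
            header=Host=login.vagrant.dev
        remoteHost=192.168.33.1
            scheme=https
              host=login.vagrant.dev
        serverPort=443
--------------------------RESPONSE--------------------------
            header=Server=WildFly/10
"""
# Constructed: the same request as a backend that ignores the forwarded
# headers would log it (10.0.0.5 and port 8080 are made-up values).
IGNORED = (HONOURED.replace("scheme=https", "scheme=http")
           .replace("serverPort=443", "serverPort=8080")
           .replace("remoteHost=192.168.33.1", "remoteHost=10.0.0.5"))

def parse_request(dump):
    """Split the REQUEST part of one dump entry into headers and fields."""
    headers, fields, in_request = {}, {}, False
    for line in map(str.strip, dump.splitlines()):
        if re.fullmatch(r"-+REQUEST-+", line):
            in_request = True
        elif re.fullmatch(r"-+RESPONSE-+", line):
            in_request = False
        elif in_request and "=" in line:
            key, value = line.split("=", 1)
            if key == "header":          # header=Name=Value
                name, _, value = value.partition("=")
                headers[name.lower()] = value
            else:
                fields[key] = value
    return headers, fields

def effective_base_url(dump):
    """Base URL the backend sees for this request (default ports omitted)."""
    _, f = parse_request(dump)
    default = {"http": "80", "https": "443"}.get(f["scheme"])
    port = "" if f["serverPort"] == default else ":" + f["serverPort"]
    return f"{f['scheme']}://{f['host']}{port}"

def forwarding_mismatches(dump):
    """List proxy-supplied values the backend did not adopt."""
    headers, fields = parse_request(dump)
    pairs = [("x-forwarded-proto", "scheme"), ("x-forwarded-port", "serverPort")]
    sent = {field: headers.get(h) for h, field in pairs}
    # Only the first X-Forwarded-For hop is the original client.
    xff = headers.get("x-forwarded-for")
    sent["remoteHost"] = xff.split(",")[0].strip() if xff else None
    return [f"{k}: proxy sent {v}, backend used {fields.get(k)}"
            for k, v in sent.items() if v is not None and v != fields.get(k)]

if __name__ == "__main__":
    for name, dump in (("honoured", HONOURED), ("ignored", IGNORED)):
        print(name, effective_base_url(dump), forwarding_mismatches(dump))
```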
  </body>
</html>