<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I've got some Spring Boot application instances with embedded
Tomcat servlet containers. Tomcat has a system similar to Wildfly's
for request dumping; that's what I have enabled to get the
trace below. In short, this is the behaviour I'm able to see:
<br>
</p>
<p>1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service
(port 8083) : A forwarded request where X-forwarded headers are
included</p>
<p>2. Organization Service (localhost:8083) : Looks for a token and
if it's not available, the keycloak adapter redirects to the
/sso/login of the same service (Here the traceability from the
proxy gets lost)</p>
<p>3. localhost:8083/sso/login: Redirects to the keycloak wildfly
server, saving the requested url <br>
</p>
<p>4. Keycloak login: The user performs the authentication and the
redirectUri is localhost:8083/sso/login. Later on, the login
endpoint redirects the user to the url requested in point 2, not
the first one from the proxy.</p>
<p>I only have this problem when my organization service needs to
verify the token (or a token doesn't exist) using the keycloak
adapter. When the /sso/login endpoint is not requested, everything
is working properly. Hope I've explained it well!<br>
</p>
<br>
<div class="moz-cite-prefix">On 31/05/2016 at 7:15, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfQUcz1hJwqkpOgr3j9DCxfxdgc_iA73Coyfc7j1EnLJQ@mail.gmail.com"
type="cite">
<div dir="ltr">Where is your app deployed? If it's on WildFly you
can follow the same steps used to configure reverse proxy for
Keycloak Server to configure WildFly. Check if getRequestURL
returns the correct URL in your app.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 30 May 2016 at 15:08, Aritz Maeztu <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com" target="_blank">amaeztu@tesicnor.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<div><br>
<br>
-------- Forwarded Message --------
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">Subject: </th>
<td>Re: [keycloak-user] Redirection issue with
proxy behind keycloak</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">Date: </th>
<td>Mon, 30 May 2016 13:28:21 +0200</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">From: </th>
<td>Aritz Maeztu <a moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com"
target="_blank"><amaeztu@tesicnor.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">To: </th>
<td><a moz-do-not-send="true"
href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap"
valign="BASELINE">CC: </th>
<td>Niels Bertram <a moz-do-not-send="true"
href="mailto:nielsbne@gmail.com"
target="_blank"><nielsbne@gmail.com></a>,
keycloak-user <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank"><keycloak-user@lists.jboss.org></a>,
Scott Rossillo <a moz-do-not-send="true"
href="mailto:srossillo@smartling.com"
target="_blank"><srossillo@smartling.com></a></td>
</tr>
</tbody>
</table>
<div>
<div class="h5"> <br>
<br>
<p>I've traced the whole flow from the proxy
server until the login page is displayed:</p>
<p>First step: /organization/organizations is
requested, so the proxy server knows it has to be
forwarded to port 8083 (the one for the
organization service). That's the first request
received by my application's Tomcat:</p>
<p><font face="Courier New" size="-2">2016-05-30
13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 START TIME
=30-may-2016 13:01:18<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
requestURI=/organizations<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 authType=null<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 characterEncoding=UTF-8<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contentLength=-1<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contentType=null<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contextPath=<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=accept-language=es-ES,es;q=0.8<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=x-forwarded-host=mies-057:8765<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=x-forwarded-prefix=/organization<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=upgrade-insecure-requests=1<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=accept-encoding=gzip<br>
2016-05-30 13:01:18.888 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=user-agent=Mozilla/5.0 (Windows NT 6.1;
WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/50.0.2661.102 Safari/537.36<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=netflix.nfhttpclient.version=1.0<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=x-netflix-httpclientname=organization<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=host=mies-057:8083<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=connection=Keep-Alive<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 locale=es_ES<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 method=GET<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 pathInfo=null<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 protocol=HTTP/1.1<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 queryString=null<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
remoteAddr=192.168.56.1<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
remoteHost=192.168.56.1<br>
2016-05-30 13:01:18.889 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 remoteUser=null<br>
2016-05-30 13:01:18.890 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 requestedSessionId=null<br>
2016-05-30 13:01:18.890 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 scheme=http<br>
2016-05-30 13:01:18.890 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 serverName=mies-057<br>
2016-05-30 13:01:18.890 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 serverPort=8083<br>
2016-05-30 13:01:18.890 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
servletPath=/organizations<br>
2016-05-30 13:01:18.891 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 isSecure=false<br>
2016-05-30 13:01:18.891 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
------------------=--------------------------------------------</font></p>
<p>Here x-forwarded-host is mies-057:8765 (the proxy
server) and x-forwarded-prefix is /organization.
So the original request is kept in the headers.
Well, now my service (8083) tries to check for
authorization via the /sso/login endpoint from the
keycloak spring security adapter:<br>
</p>
<p><font face="Courier New" size="-2">2016-05-30
13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
o.k.a.s.management.HttpSessionManager :
Session created:
CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.892 DEBUG 18096 ---
[nio-8083-exec-9]
k.a.s.a.KeycloakAuthenticationEntryPoint :
Redirecting to login URI /sso/login<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
------------------=--------------------------------------------<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 authType=null<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 contentType=null<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=X-Content-Type-Options=nosniff<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=X-XSS-Protection=1; mode=block<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Cache-Control=no-cache, no-store,
max-age=0, must-revalidate<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Pragma=no-cache<br>
2016-05-30 13:01:18.892 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Expires=0<br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=X-Frame-Options=DENY<br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752;
Path=/; HttpOnly<br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Location=<a moz-do-not-send="true"
href="http://mies-057:8083/sso/login"
target="_blank">http://mies-057:8083/sso/login</a><br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 remoteUser=null<br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 status=302<br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 END TIME
=30-may-2016 13:01:18<br>
2016-05-30 13:01:18.893 INFO 18096 ---
[nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
===============================================================<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 START TIME
=30-may-2016 13:01:18<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
requestURI=/sso/login<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 authType=null<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 characterEncoding=UTF-8<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 contentLength=-1<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 contentType=null<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 contextPath=<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.902 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=host=mies-057:8083<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=connection=keep-alive<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=upgrade-insecure-requests=1<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=user-agent=Mozilla/5.0 (Windows NT 6.1;
WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/50.0.2661.102 Safari/537.36<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=accept-encoding=gzip, deflate, sdch<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=accept-language=es-ES,es;q=0.8<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 locale=es_ES<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 method=GET<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 pathInfo=null<br>
2016-05-30 13:01:18.903 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
protocol=HTTP/1.1<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 queryString=null<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
remoteAddr=192.168.56.1<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
remoteHost=192.168.56.1<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 remoteUser=null<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 scheme=http<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
serverName=mies-057<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 serverPort=8083<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
servletPath=/sso/login<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 isSecure=false<br>
2016-05-30 13:01:18.904 INFO 18096 ---
[io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10
------------------=--------------------------------------------<br>
2016-05-30 13:01:18.904 DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.PreAuthActionsHandler :
adminRequest <a moz-do-not-send="true"
href="http://mies-057:8083/sso/login"
target="_blank">http://mies-057:8083/sso/login</a><br>
2016-05-30 13:01:18.904 DEBUG 18096 ---
[io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter :
Request is to process authentication<br>
2016-05-30 13:01:18.904 DEBUG 18096 ---
[io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter :
Attempting Keycloak authentication<br>
2016-05-30 13:01:18.904 TRACE 18096 ---
[io-8083-exec-10]
o.k.adapters.RequestAuthenticator :
--> authenticate()<br>
2016-05-30 13:01:18.904 TRACE 18096 ---
[io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try
bearer<br>
2016-05-30 13:01:18.904 TRACE 18096 ---
[io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try
oauth<br>
2016-05-30 13:01:18.905 DEBUG 18096 ---
[io-8083-exec-10]
o.k.a.s.token.SpringSecurityTokenStore :
Checking if
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
is cached<br>
2016-05-30 13:01:18.905 DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : there
was no code<br>
2016-05-30 13:01:18.905 DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator :
redirecting to auth server<br>
2016-05-30 13:01:18.905 DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator :
callback uri: <a moz-do-not-send="true"
href="http://mies-057:8083/sso/login"
target="_blank">http://mies-057:8083/sso/login</a><br>
2016-05-30 13:01:18.905 DEBUG 18096 ---
[io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Auth
outcome: NOT_ATTEMPTED<br>
2016-05-30 13:01:18.905 DEBUG 18096 ---
[io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator :
Sending redirect to login page: <a
moz-do-not-send="true"
href="http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true"
target="_blank"><a class="moz-txt-link-freetext" href="http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true">http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true</a></a></font></p>
<p>As shown in the logs, the X-forwarded logs
are not kept by the keycloak adapter (look at the
lines below <font face="Courier New" size="-2">k.a.s.a.KeycloakAuthenticationEntryPoint
: Redirecting to login URI /sso/login</font>).
So could it be the proxy server itself being
properly configured but the keycloak adapter
losing the original headers while performing the
redirection?</p>
<p>I've also set up the request dumper in the
undertow server as Niels suggested, but obviously,
X-forwarded headers are not reaching the keycloak
server.</p>
<p>Thanks for your time, again ;-)<br>
</p>
<p><br>
</p>
<br>
<div>On 25/05/2016 at 7:22, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">You need the Host and
X-Forwarded-For headers to be included and
there's also some config to be done on the
Keycloak server (see <a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding"
target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding</a>)</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 24 May 2016 at
08:46, Aritz Maeztu <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:amaeztu@tesicnor.com">amaeztu@tesicnor.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hi Niels and Scott. First of all, thank
you very much for your help. I'm
currently using Zuul (Spring Cloud) as
the reverse proxy. All the services are
registered in a discovery service called
Eureka and then Zuul looks for the
service id there and performs the
redirection. I read about <font
face="monospace, monospace">X-Forwarded
headers, but I thought it might result
in a security issue if not included,
not that it could affect the
redirection process. <br>
</font></p>
<p><font face="monospace, monospace">As
Scott says, I suppose the Host and the
X-Real-Ip headers are the relevant
ones here, so I guess I should
instruct Zuul to send them when the
service is addressed (however I wonder
why they are not already being sent,
as Zuul is a proxy service, all in
all).</font></p>
Here I include a preview of the first
redirection made to the keycloak login
page, which shows the request headers sent
to the service /login endpoint (on localhost,
port 8081):<br>
<br>
<a moz-do-not-send="true"
href="https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0"
target="_blank">https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0</a><br>
<br>
<div>On 24/05/2016 at 2:08, Niels Bertram
wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Hi Aritz,
<div><br>
</div>
<div>a great way to figure out
what is sent from the reverse
proxy to your keycloak server is
to use the undertow request
dumper.
<div><br>
</div>
<div>From the jboss-cli just add
the request dumper filter to
your undertow configuration
like this:</div>
<div><br>
</div>
<div>
<div><font face="monospace,
monospace">$KC_HOME/bin/jboss-cli.sh
-c</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
module=io.undertow.core)</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace">/:reload</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">given
your apache config looks
something like this:</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace"> ProxyRequests
Off</font></div>
<div><font face="monospace,
monospace">
ProxyPreserveHost On</font></div>
<div><font face="monospace,
monospace"> ProxyVia On</font></div>
<div><br>
</div>
<div><font face="monospace,
monospace"> ProxyPass
/auth ajp://<a
moz-do-not-send="true"
href="http://127.0.0.1:8009/auth"
target="_blank">127.0.0.1:8009/auth</a></font></div>
<div><font face="monospace,
monospace">
ProxyPassReverse /auth
ajp://<a
moz-do-not-send="true"
href="http://127.0.0.1:8009/auth"
target="_blank">127.0.0.1:8009/auth</a></font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="monospace,
monospace"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">you
should see something like
that (forwarded info is
somewhat rubbish in this
example as I am running
the hosts on Virtualbox -
but you can see this
request was put through 2
proxies from local pc
192.168.33.1 to haproxy on
192.168.33.80 and then
apache reverse proxy on
192.168.33.81 ):</font></div>
<div><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="monospace,
monospace">==============================================================</font></div>
<div><font face="monospace,
monospace">23:47:20,563
INFO
[io.undertow.request.dump]
(default task-14)</font></div>
<div><font face="monospace,
monospace">----------------------------REQUEST---------------------------</font></div>
<div><font face="monospace,
monospace">
URI=/auth/welcome-content/favicon.ico</font></div>
<div><font face="monospace,
monospace"> characterEncoding=null</font></div>
<div><font face="monospace,
monospace">
contentLength=-1</font></div>
<div><font face="monospace,
monospace">
contentType=null</font></div>
<div><font face="monospace,
monospace">
header=Accept=*/*</font></div>
<div><font face="monospace,
monospace">
header=Accept-Language=en-US,en;q=0.8,de;q=0.6</font></div>
<div><font face="monospace,
monospace">
header=Cache-Control=no-cache</font></div>
<div><font face="monospace,
monospace">
header=Accept-Encoding=gzip,
deflate, sdch</font></div>
<div><font face="monospace,
monospace">
header=DNT=1</font></div>
<div><font face="monospace,
monospace">
header=Pragma=no-cache</font></div>
<div><font face="monospace,
monospace">
header=X-Original-To=192.168.33.80</font></div>
<div><font face="monospace,
monospace">
header=User-Agent=Mozilla/5.0
(Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML,
like Gecko)
Chrome/50.0.2661.102
Safari/537.36</font></div>
<div><font face="monospace,
monospace">
header=Authorization=Basic
bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=</font></div>
<div><font face="monospace,
monospace">
header=X-Forwarded-Proto=https</font></div>
<div><font face="monospace,
monospace">
header=X-Forwarded-Port=443</font></div>
<div><font face="monospace,
monospace">
header=X-Forwarded-For=192.168.33.1</font></div>
<div><font face="monospace,
monospace">
header=Referer=<a
moz-do-not-send="true"
href="https://login.vagrant.dev/auth/"
target="_blank"><a class="moz-txt-link-freetext" href="https://login.vagrant.dev/auth/">https://login.vagrant.dev/auth/</a></a></font></div>
<div><font face="monospace,
monospace">
header=Host=login.vagrant.dev</font></div>
<div><font face="monospace,
monospace">
locale=[en_US, en, de]</font></div>
<div><font face="monospace,
monospace">
method=GET</font></div>
<div><font face="monospace,
monospace">
protocol=HTTP/1.1</font></div>
<div><font face="monospace,
monospace">
queryString=</font></div>
<div><font face="monospace,
monospace">
remoteAddr=<a
moz-do-not-send="true"
href="http://192.168.33.1:0"
target="_blank">192.168.33.1:0</a></font></div>
<div><font face="monospace,
monospace">
remoteHost=192.168.33.1</font></div>
<div><font face="monospace,
monospace">
scheme=https</font></div>
<div><font face="monospace,
monospace">
host=login.vagrant.dev</font></div>
<div><font face="monospace,
monospace">
serverPort=443</font></div>
<div><font face="monospace,
monospace">--------------------------RESPONSE--------------------------</font></div>
<div><font face="monospace,
monospace">
contentLength=627</font></div>
<div><font face="monospace,
monospace">
contentType=application/octet-stream</font></div>
<div><font face="monospace,
monospace">
header=Cache-Control=max-age=2592000</font></div>
<div><font face="monospace,
monospace">
header=X-Powered-By=Undertow/1</font></div>
<div><font face="monospace,
monospace">
header=Server=WildFly/10</font></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Hope this helps diagnosing
your issue. Niels</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue,
May 24, 2016 at 1:20 AM, Aritz
Maeztu <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:amaeztu@tesicnor.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:amaeztu@tesicnor.com">amaeztu@tesicnor.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<p>I'm using keycloak to
secure some Spring-based
services (with the
keycloak spring security
adapter). The adapter
creates a `/login`
endpoint in each of the
services which redirects
to the keycloak login page
and then redirects back to
the service when
authentication is done. I
also have a proxy service
which I want to publish in
port 80 and will take
care of routing all the
requests to each service.
The proxy performs a plain
FORWARD to the service,
but the problem comes when
I secure the service
with the keycloak adapter.
<br>
</p>
<p>When I make a request,
the adapter redirects to
its login endpoint and
then to the keycloak auth
url. When keycloak sends
the redirection, the url
shown in the browser is
the one from the service
and not the one from the
proxy. Do I have some
choice to tell the adapter
I want to redirect back to
the first requested url?<span><font
color="#888888"><br>
</font></span></p>
<span><font color="#888888">
<br>
<div>-- <br>
<div>
<table
style="width:600;border-collapse:collapse">
<tbody>
<tr>
<td
style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898">
<span
style="font-weight:bold">Aritz
Maeztu Otaño</span><br>
<span style="font-size:12px">Software Development Department</span>
</td>
<td
style="border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:#989898;padding-left:20px">
<a
moz-do-not-send="true"
href="https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES"
target="_blank"> <img src="cid:part19.56DB68FA.497140B7@tesicnor.com"
border="0"> </a>
</td>
</tr>
<tr>
<td> <a
moz-do-not-send="true"
href="http://www.tesicnor.com" target="_blank"> <img
src="cid:part21.58E351AA.F2ED0CD9@tesicnor.com"
border="0"
width="143"> </a>
</td>
<td
style="font-size:12px">
<p
style="padding-left:20px">
<span>Pol.
Ind. Mocholi.</span>
<span>C/Rio
Elorz, Nave
13E </span><span
style="font-weight:bold">31110 Noain (Navarra)</span><br>
<span>Tel.:
948 21 40 40</span>
<br>
<span>Fax:
948 21 40 41</span>
<br>
</p>
</td>
</tr>
<tr>
<td
colspan="2"> <span
style="color:#009900;font-size:12px">Before printing this e-mail, think carefully about whether it is really necessary: the environment is everyone's responsibility.</span>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</font></span></div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
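<p>Added example (Python; not code from this thread or from the Keycloak adapter): the redirect in the dumps above is built from what Tomcat saw directly (http://mies-057:8083/sso/login) rather than from the X-Forwarded-Host and X-Forwarded-Prefix headers the proxy sent. The block below parses a few RequestDumperFilter lines copied from the first dump, rebuilds the URL the browser actually used for both the /sso/login callback and the originally requested page, and honours the forwarded headers only when the peer address belongs to a trusted proxy network, so a client that sets X-Forwarded-Host itself cannot steer redirect_uri; the 192.168.56.0/24 trusted network is an assumption.</p>

```python
"""Rebuild the browser-facing URL of a proxied request from X-Forwarded-* headers.

Added example; not code from the thread or from the Keycloak adapter. The
sample dump lines are copied from the first RequestDumperFilter dump quoted
in the thread; the trusted proxy network is an assumption.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: RequestDumperFilter lines, one per dumped field,
# with the values the thread shows for the first proxied request.
SAMPLE_DUMP = """\
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestURI=/organizations
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-host=mies-057:8765
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-prefix=/organization
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=host=mies-057:8083
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 queryString=null
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteAddr=192.168.56.1
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 scheme=http
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverName=mies-057
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverPort=8083
"""

# Assumption: only the Zuul proxy's network may assert X-Forwarded-* headers.
TRUSTED_PROXIES = [ip_network("192.168.56.0/24")]

# "<logger> : <thread> <field>=<value>"; for headers the value is "name=value".
_LINE = re.compile(r"RequestDumperFilter\s*:\s*\S+\s+(\w+)=(.*)$")


def parse_dump(text):
    """Turn RequestDumperFilter lines into {'fields': {...}, 'headers': {...}}.

    Header names are lower-cased so lookups do not depend on how the
    client or proxy spelled them.
    """
    req = {"fields": {}, "headers": {}}
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "header":
            name, _, hval = value.partition("=")
            req["headers"][name.lower()] = hval
        else:
            req["fields"][key] = value
    return req


def from_trusted_proxy(req, trusted=TRUSTED_PROXIES):
    """Forwarded headers are only meaningful when the TCP peer is our proxy."""
    try:
        peer = ip_address(req["fields"].get("remoteAddr", ""))
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def external_base(req, trusted=TRUSTED_PROXIES):
    """Scheme, host:port and path prefix exactly as the browser saw them.

    Falls back to what Tomcat saw directly (serverName:serverPort) when the
    request did not arrive through a trusted proxy, so a client that sends
    its own X-Forwarded-Host cannot steer redirect_uri to a host it picks.
    """
    f, h = req["fields"], req["headers"]
    scheme, host, prefix = f.get("scheme", "http"), f.get("serverName", ""), ""
    port = f.get("serverPort")
    if port and (scheme, port) not in (("http", "80"), ("https", "443")):
        host = f"{host}:{port}"
    if from_trusted_proxy(req, trusted):
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
        prefix = h.get("x-forwarded-prefix", "").rstrip("/")
    return f"{scheme}://{host}{prefix}"


def callback_uri(req, login_path="/sso/login", trusted=TRUSTED_PROXIES):
    """The redirect_uri the adapter should hand to Keycloak."""
    return external_base(req, trusted) + login_path


def requested_url(req, trusted=TRUSTED_PROXIES):
    """URL to send the user back to after login (point 4 in the thread)."""
    f = req["fields"]
    url = external_base(req, trusted) + f.get("requestURI", "/")
    qs = f.get("queryString")
    if qs and qs != "null":  # the dumper prints the literal string "null"
        url += "?" + qs
    return url


if __name__ == "__main__":
    req = parse_dump(SAMPLE_DUMP)
    print(callback_uri(req))    # http://mies-057:8765/organization/sso/login
    print(requested_url(req))   # http://mies-057:8765/organization/organizations
    # Same dump with the peer treated as untrusted: the URL seen in the thread.
    print(callback_uri(req, trusted=[]))  # http://mies-057:8083/sso/login
```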
</body>
</html>