Gerrit + Keycloak (OAuth2)
by Sergio Durigan Junior
Hello,
I have been trying to set up a Gerrit instance (latest version, running
in a local VM) with OAuth2 authentication using Keycloak (also running
at the same VM), and I'm seeing some strange errors. I posted a message
like this one to repo-discuss, but I'm now thinking it may have
something to do with a misconfiguration of Keycloak, so I decided to
give it a try here.
First, some information about my setup. I'm running Debian 10 (buster)
with OpenJDK 11 installed. I was trying to run Keycloak "by hand", but
am now trying the docker image provided by you guys. Gerrit is running
on http://192.168.122.32/gerrit, and Keycloak is running on
http://192.168.122.32:8877.
I am using the "master" realm. There, I created the "gerrit" client,
which uses "openid-connect" as the client protocol, and "confidential"
as access type. Here are the other parameters that I think are useful
for you:
- Root URL: http://192.168.122.32/gerrit
- Valid Redirect URIs: http://192.168.122.32/gerrit/*
- Base URL: empty
- Admin URL: http://192.168.122.32/gerrit
- Web Origins: http://192.168.122.32/gerrit
The problem happens when I try to log in. I go to
http://192.168.122.32/gerrit/login, which takes me to Keycloak login
page. I enter the correct user/pass, and get redirected to a URL like:
<http://192.168.122.32/gerrit/oauth?state=4ZnqJHotq9Ul51sjdFtREk7hHlFXP7pB...>
This URL seems correct. However, I see a "Server Error" on Gerrit:
[2019-10-10 00:14:46,542] [HTTP-81] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /gerrit/oauth?state=4ZnqJHotq9Ul51sjdFtREk7hHlFXP7pBD8YaMvFgP2Q&session_state=86de8bed-870e-48b5-9627-954786c83c4b&code=c639f041-40b1-4205-a7d4-07f923e0e27b.86de8bed-870e-48b5-9627-954786c83c4b.b0086d87-e5ca-48d0-b2af-16b6b3ed8b47
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {"error":"invalid_grant","error_description":"Code not valid"}
When I look at Keycloak's logs, I see:
04:14:46,539 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-14) Code 'c639f041-40b1-4205-a7d4-07f923e0e27b' already used for userSession '86de8bed-870e-48b5-9627-954786c83c4b' and client 'b0086d87-e5ca-48d0-b2af-16b6b3ed8b47'.
04:14:46,540 WARN [org.keycloak.events] (default task-14) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=gerrit, userId=null, ipAddress=192.168.122.32, error=invalid_code, grant_type=authorization_code, code_id=86de8bed-870e-48b5-9627-954786c83c4b, client_auth_method=client-secret
I tried searching for these warning messages online, and found a few
references. Most of them (on this same list) did not offer any useful
hints.
I'm pretty new to this whole authentication thing, so any advice is
welcome.
Thanks in advance!
--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
5 years, 2 months
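Keycloak's warning and Gerrit's error describe the same event from both sides: the authorization code was presented to the token endpoint a second time, and authorization codes are single-use, so the second exchange is answered with invalid_grant. The Python model below is an added example, not Gerrit, Keycloak or scribe code; the class names TokenEndpoint and RelyingParty, the 60-second code lifetime and the sample client id and redirect URI are assumptions. It shows the server-side rule that produces the "already used" log line, and a client-side callback handler that exchanges the code for a given state only once, so a duplicated callback request (a browser retry, a doubly registered handler) does not burn the code.

```python
"""Added example: why an OAuth2 authorization code can be exchanged only once.

Toy model, not Keycloak or Gerrit code. It mimics the two messages seen in the
thread: the server-side "Code ... already used" warning and the client-side
{"error":"invalid_grant","error_description":"Code not valid"} response.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME_SECONDS = 60  # assumption: authorization codes are short-lived


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user_session: str
    issued_at: float
    used: bool = False


class TokenEndpoint:
    """Minimal authorization server: a code is bound to one client and one
    redirect URI, expires quickly and is burned on its first exchange."""

    def __init__(self) -> None:
        self._codes: dict[str, IssuedCode] = {}
        self.events: list[str] = []  # what the server operator sees in the log

    def issue_code(self, client_id: str, redirect_uri: str, user_session: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = IssuedCode(client_id, redirect_uri, user_session, time.time())
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str) -> dict:
        invalid = {"error": "invalid_grant", "error_description": "Code not valid"}
        entry = self._codes.get(code)
        if entry is None or entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            self.events.append(f"CODE_TO_TOKEN_ERROR clientId={client_id} error=invalid_code")
            return invalid
        if time.time() - entry.issued_at > CODE_LIFETIME_SECONDS:
            self.events.append(f"CODE_TO_TOKEN_ERROR clientId={client_id} error=expired_code")
            return invalid
        if entry.used:
            # Second presentation of the same code: the single-use rule fires.
            self.events.append(
                f"Code '{code}' already used for userSession '{entry.user_session}' "
                f"and client '{client_id}'"
            )
            return invalid
        entry.used = True
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class RelyingParty:
    """Minimal client: exchanges the code belonging to a `state` exactly once,
    so a duplicated callback request replays the cached result instead of
    contacting the token endpoint a second time."""

    def __init__(self, endpoint: TokenEndpoint, client_id: str, redirect_uri: str) -> None:
        self.endpoint = endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending: set[str] = set()
        self._results: dict[str, dict] = {}

    def start_login(self) -> str:
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state

    def handle_callback(self, state: str, code: str) -> dict:
        if state not in self._pending:
            return {"error": "invalid_request", "error_description": "unknown state"}
        if state in self._results:
            return self._results[state]  # idempotent: the code is not exchanged again
        result = self.endpoint.exchange(code, self.client_id, self.redirect_uri)
        self._results[state] = result
        return result


def demo_double_exchange() -> tuple[dict, dict, list[str]]:
    """A naive client hits the token endpoint twice with the same code."""
    ts = TokenEndpoint()
    code = ts.issue_code("gerrit", "http://rp.example/oauth", "sess-1")  # constructed values
    first = ts.exchange(code, "gerrit", "http://rp.example/oauth")
    second = ts.exchange(code, "gerrit", "http://rp.example/oauth")
    return first, second, ts.events


def demo_idempotent_callback() -> tuple[dict, dict, list[str]]:
    """The client de-duplicates by state: the duplicate callback does not fail."""
    ts = TokenEndpoint()
    rp = RelyingParty(ts, "gerrit", "http://rp.example/oauth")
    state = rp.start_login()
    code = ts.issue_code("gerrit", "http://rp.example/oauth", "sess-2")
    first = rp.handle_callback(state, code)
    second = rp.handle_callback(state, code)  # e.g. the browser re-requested the callback URL
    return first, second, ts.events
```

The server-side line naming the userSession and client, as in the thread, is the evidence to start from: it pins the duplicate to one login attempt, and whichever component sent the second token request is the one to look for.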
Account Management Rest API
by Corentin Dupont
Hello,
I wanted to know the status of the new account Console and API (see
message copied below).
I have an application developed in ReactJS, which is using Keycloak
account pages generated by Keycloak (4.4.0).
I would like to add additional elements to the account page, that are
not controlled by Keycloak.
Notably, I need to access the Redux store and make some HTTP requests
to an external API.
What do you suggest? I was thinking to re-do completely the account
pages with React, and retrieve the data from Keycloak using API.
However I'm not sure the account management API is ready on Keycloak side.
Thanks
Corentin
Stan Silvert wrote on Mon Apr 15 12:32:07 EDT 2019:
Right now this API is in development and subject to change at any time.
We are hoping to have it completed in the next few months.
Also, we are working on a new Account Console that will use PatternFly 4
and React. It will be easy to extend, so you can add your own pages.
It will work better on mobile devices. And of course, you will be able
to change it around with different themes and such.
So building your own console from this new Account Console might be a
better option than building the whole thing from scratch.
If you are interested, the code is here along with a readme that tells
how to build and run. It's very much a work in
progress: https://github.com/keycloak/keycloak/tree/master/themes/src/main...
I still need to document how to create extensions, so let me know if you
are interested in that.
Stan
On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
> Hi guys,
> I'd like more information about the AccountRestService class
> (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...)
>
> 1. I noticed that there are still a couple of TODOs (such as Identity
> Providers management), is there a roadmap for the development of these
> missing features?
> 2. Are these API public or for internal use only? I'd like to use them
> to implement a custom Account Management page for my application.
> 3. How stable are they? How likely is it that they will change or
> disappear in the (near) future?
>
> Thank you.
> Best regards
>
> --
> GABRIELE RABBIOSI
> BeePMN Software Engineer
5 years, 2 months
Re: [keycloak-user] subflow issue on reset credentials
by Max Allan
Hi Arnault,
I think with no "alternative" to alternate to or a "required" flow at the
top level, you will not "require" anything other than choosing your user to
gain a session. (You can use "choose a user" in a flow as a way to login
without a password. So at that point in the process the user is logged in,
with a login cookie.)
I suppose you could consider it like this: you haven't completed all the
required steps so the alternative flow hasn't completed yet, so you
shouldn't be logged in. Maybe...
I don't think this is a bug. But it does do the same for me.
This makes me think: If you capture the cookie when using the normal reset
process and replay a session with it and gain access to someone else's
account, that would be a security bug. I might dig into that later if I
have time/energy!
Why would you want all the steps to be an "alternative" to reset
credentials?
You don't even need to try it twice, just enter your email/username and
press submit when you see the "mail sent" message, click back. You're in.
Max
On Tue, 8 Oct 2019 at 16:54, <keycloak-user-request(a)lists.jboss.org> wrote:
>
> From: Arnault BESNARD <Arnault.BESNARD(a)b-com.com>
> To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Cc:
> Bcc:
> Date: Tue, 8 Oct 2019 15:41:49 +0000
> Subject: [keycloak-user] subflow issue on reset credentials
> Hi all,
>
> I got a very strange Keycloak behaviour on reset credentials.
>
> I set my reset credentials flow as follows:
>
> * I created a flow called "subflow" and set it as alternative
>
> Inside my subflow I created 3 execution providers:
>
> * choose user (required)
> * send Reset Email (required)
> * Reset Password (required)
>
> The authentication flow is the default "browser" flow.
>
> Now, I tried the following scenario:
>
> * On the login page, click on "forgot password"
> * Enter a valid email
> * A message tells you that you should receive an email soon.
> * Click again on "forgot password"
> * Now, enter any valid user's email belonging to the realm
> * Again, a message tells you that you should receive an email soon.
> * Now click on the browser back button.
> * You are connected with the credentials belonging to the user's email!
>
> If you create your reset credentials flow without a subflow, this scenario
> doesn't allow you to connect without the email link.
>
> Before opening a bug case, can someone confirm he has the same behaviour?
>
> Thanks in advance,
>
> Arnault
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Max Allan
phone +448454681066
email max.allan(a)surevine.com
5 years, 2 months
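A configuration check that encodes the observation in this thread: the reset steps that prove mailbox possession or set the new credential should be reachable from the top-level "reset credentials" flow only through REQUIRED executions, never beneath an ALTERNATIVE subflow. The Python below is an added example, not Keycloak code. The realm-export fragments are constructed by hand in the shape of a Keycloak realm export (an authenticationFlows list whose entries carry authenticationExecutions; a subflow reference carries flowAlias and the key autheticatorFlow, spelled that way in exports). The built-in authenticator ids reset-credentials-choose-user, reset-credential-email and reset-password are real; the alias "subflow" follows the thread, and the rule itself is the thread's description, not a statement of Keycloak's internal flow semantics.

```python
"""Added example: lint a realm export for a reset-credentials flow whose
credential-proving steps sit only under an ALTERNATIVE subflow.

Not Keycloak code. The export fragments are constructed in the shape of a
Keycloak realm export; the rule encodes the observation from the thread.
"""
from __future__ import annotations

from typing import Iterator

# Built-in reset-credentials authenticators that prove mailbox possession
# or set the new credential. Whether they run must not depend on an
# ALTERNATIVE branch somewhere above them.
SENSITIVE_AUTHENTICATORS = {"reset-credential-email", "reset-password", "reset-otp"}


def constructed_realm(use_alternative_subflow: bool) -> dict:
    """Constructed realm-export fragment (not a real export). With
    use_alternative_subflow=False it mirrors the default flow; with True it
    mirrors the layout described in the thread."""
    steps = [
        {"authenticator": "reset-credentials-choose-user", "requirement": "REQUIRED",
         "priority": 10, "autheticatorFlow": False},
        {"authenticator": "reset-credential-email", "requirement": "REQUIRED",
         "priority": 20, "autheticatorFlow": False},
        {"authenticator": "reset-password", "requirement": "REQUIRED",
         "priority": 30, "autheticatorFlow": False},
    ]
    if not use_alternative_subflow:
        return {"authenticationFlows": [
            {"alias": "reset credentials", "topLevel": True,
             "authenticationExecutions": steps},
        ]}
    return {"authenticationFlows": [
        {"alias": "reset credentials", "topLevel": True,
         "authenticationExecutions": [
             {"flowAlias": "subflow", "requirement": "ALTERNATIVE",
              "priority": 10, "autheticatorFlow": True},
         ]},
        {"alias": "subflow", "topLevel": False, "authenticationExecutions": steps},
    ]}


def flows_by_alias(realm: dict) -> dict[str, dict]:
    return {f["alias"]: f for f in realm["authenticationFlows"]}


def walk(flows: dict[str, dict], alias: str,
         path: tuple[str, ...] = ()) -> Iterator[tuple[str, tuple[str, ...]]]:
    """Yield (authenticator, requirements-on-the-path) for every leaf
    execution, descending into subflows in priority order."""
    execs = sorted(flows[alias]["authenticationExecutions"], key=lambda e: e["priority"])
    for ex in execs:
        req = ex["requirement"]
        if ex.get("autheticatorFlow"):
            yield from walk(flows, ex["flowAlias"], path + (req,))
        else:
            yield ex["authenticator"], path + (req,)


def lint_reset_flow(realm: dict, alias: str = "reset credentials") -> list[str]:
    """Return findings; an empty list means the flow passes this rule."""
    flows = flows_by_alias(realm)
    findings: list[str] = []
    top = flows[alias]["authenticationExecutions"]
    if not any(e["requirement"] == "REQUIRED" for e in top):
        findings.append(f"flow '{alias}' has no REQUIRED execution at the top level")
    for authenticator, reqs in walk(flows, alias):
        if authenticator in SENSITIVE_AUTHENTICATORS and any(r != "REQUIRED" for r in reqs):
            findings.append(
                f"'{authenticator}' is reached via {' > '.join(reqs)}: "
                "its execution depends on an ALTERNATIVE branch"
            )
    return findings


if __name__ == "__main__":
    for variant in (False, True):
        print(f"alternative subflow={variant}:", lint_reset_flow(constructed_realm(variant)) or "ok")
```

Run against a real export (realm partial export from the admin console, or the JSON produced by the export command) by loading it with json.load and passing it to lint_reset_flow; the constructed fragments only exist so the block runs offline.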
Keycloak returns 403 after login
by Alfonso Vidal García
I have a Keycloak server and my web application. When I try to log in to the app, Keycloak always returns a 403 - Forbidden.
This is my configuration from the web project,
application.properties
server.port = 38080
keycloak.realm=FocusocKeycloak
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.resource=login-provider-web
keycloak.public-client=false
keycloak.credentials.secret=XXXX
keycloak.securityConstraints[0].authRoles[0] = USER
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
# Turn off the logs
logging.level.root=OFF
logging.level.org.springframework.boot=OFF
spring.main.banner-mode=OFF
keycloak.json
{
"realm": "FocusocKeycloak",
"auth-server-url": "http://127.0.0.1:8080/auth",
"ssl-required": "external",
"resource": "login-app",
"verify-token-audience": true,
"credentials": {
"secret": "XXXX"
},
"use-resource-role-mappings": true,
"confidential-port": 0
}
Here is the configuration of the Client,
[screenshot of the client configuration: https://i.stack.imgur.com/fOWub.png]
And I only have registered the role ROLE_USER.
Does anyone know what is happening?
5 years, 2 months
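The two configuration sources in this post disagree with each other (the resource is login-provider-web in application.properties but login-app in keycloak.json, the auth-server-url host differs, and the required role is USER while the only registered role is ROLE_USER), and use-resource-role-mappings changes where the adapter looks for roles. The Python below is an added example, not Keycloak adapter code: it cross-checks the two files exactly as posted and models the role lookup with constructed token role sets. The rule it encodes for use-resource-role-mappings follows the adapter documentation (true reads the client's roles from resource_access, false reads realm_access); which of the mismatches produces this particular 403 is not something the post settles.

```python
"""Added example: cross-check the Spring Boot adapter properties against
keycloak.json and check the required roles against token roles.

Not Keycloak code. The two config texts are copied from the post; the token
role sets used in role_check() are constructed.
"""
from __future__ import annotations

import json

APPLICATION_PROPERTIES = """\
server.port = 38080
keycloak.realm=FocusocKeycloak
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.resource=login-provider-web
keycloak.public-client=false
keycloak.credentials.secret=XXXX
keycloak.securityConstraints[0].authRoles[0] = USER
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
# Turn off the logs
logging.level.root=OFF
"""

KEYCLOAK_JSON = """{
  "realm": "FocusocKeycloak",
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "login-app",
  "verify-token-audience": true,
  "credentials": { "secret": "XXXX" },
  "use-resource-role-mappings": true,
  "confidential-port": 0
}"""

# property key in application.properties -> key in keycloak.json
PAIRED_KEYS = [
    ("keycloak.realm", "realm"),
    ("keycloak.resource", "resource"),
    ("keycloak.auth-server-url", "auth-server-url"),
    ("keycloak.ssl-required", "ssl-required"),
]


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value, '#' comments, whitespace trimmed."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_posted_configs() -> tuple[dict[str, str], dict]:
    return parse_properties(APPLICATION_PROPERTIES), json.loads(KEYCLOAK_JSON)


def compare_adapter_configs(props: dict[str, str], kc: dict) -> list[str]:
    """Report every paired setting whose two sources disagree."""
    findings = []
    for pkey, jkey in PAIRED_KEYS:
        if pkey in props and jkey in kc and props[pkey] != str(kc[jkey]):
            findings.append(f"{pkey}={props[pkey]!r} but keycloak.json {jkey}={kc[jkey]!r}")
    return findings


def required_roles(props: dict[str, str]) -> list[str]:
    """Roles demanded by the securityConstraints in application.properties."""
    return [v for k, v in props.items() if ".authRoles[" in k]


def role_check(required: list[str], realm_roles: list[str], client_roles: list[str],
               use_resource_role_mappings: bool) -> list[str]:
    """Required roles the token would NOT satisfy. With
    use-resource-role-mappings=true the adapter takes the user's roles from
    resource_access.<client>.roles, otherwise from realm_access.roles.
    Role names are compared verbatim, so USER and ROLE_USER are different roles."""
    granted = set(client_roles if use_resource_role_mappings else realm_roles)
    return sorted(set(required) - granted)


def audit() -> dict[str, list[str]]:
    props, kc = load_posted_configs()
    # Constructed token content: the realm role the post says is registered,
    # and no client roles on the resource.
    realm_roles, client_roles = ["ROLE_USER"], []
    return {
        "config_mismatches": compare_adapter_configs(props, kc),
        "unsatisfied_roles": role_check(required_roles(props), realm_roles, client_roles,
                                        bool(kc.get("use-resource-role-mappings"))),
    }


if __name__ == "__main__":
    for k, v in audit().items():
        print(k, v)
```

Decoding the actual access token (the payload is base64url JSON) and feeding its realm_access and resource_access role lists into role_check() replaces the constructed lists with what the adapter really sees.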
Keycloak 7.0.0 and Spring Security adapter
by Tony Harris
As part of an application server deployment the root context is protected by a simple basic authentication application that lists the currently installed applications on the server.
If after accessing this secured page a user attempts to then access one of the Keycloak protected apps, a public client, on the same server the browser is sending the basic authorization header with the requests.
This in turn seems to be causing the org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter filter to return true from the AUTHORIZATION_HEADER request header request matcher that is setup by this filter which in turn then causes the redirect to Keycloak on the initial login to be the initially requested URL and not the /sso/login you normally get and we go round in a redirect loop.
The adapter has the basic-auth property set to false and I can see that a change has been made in this area since 3.1.0.Final which is what we are currently on. https://issues.jboss.org/browse/KEYCLOAK-5499
Does anyone have any ideas, other than sorting out the root context app so that it does not use basic auth?
5 years, 2 months
Execution Flow
by Stuart
Hi All,
I'm trying to add a step in the KC authentication flow that just has a
notification/message page to say something like 'You're all set up' or 'you
made it through registration, well done'. :-)
I've tried creating an authentication provider which just displays the
message (via an ftl template), which works great. However.... during the
registration process I want the users to set their password and set up OTP.
Now, because (I guess) the PW reset and OTP forms are 'required actions'
they are skipped for the actual user authentication. So once all
authentication providers are successful, KC moves onto the required actions
and displays the forms for them. This results in my 'message' provider
showing before the PW and OTP setup pages.
So I'm thinking that I should make the 'message' provider return success on
authentication and add 'Required Actions'. Does that sound like the way to
go? My only concern is that I still cannot get the PW (re)set page to
appear before the OTP page (even if I change the order under the 'Required
Actions' tab in the authentication setup), so I'm not sure how KC is making
the decision on which page to show next.
(I thought about using the T&C page for the message page, but I don't know
how to tell KC that it's a new user, as the user is added to KC before they
get to login/register.)
Any thoughts are appreciated.
Stuart
5 years, 2 months
Keycloak 7.0 SAML IDP initiated flow
by abhijeet chauhan
Hi,
We have a couple of applications integrated with Keycloak as OIDC clients.
Now we are using SAML brokers (Identity Providers under KC). The SP-initiated
flow is working well, i.e. app (OIDC client) -> KC -> SAML IDP works.
However, when doing the IDP-initiated flow it's not working as expected. I am
testing with samltest.id and getting the error below:
2019-10-08 19:12:50,515 TRACE [org.keycloak.saml.common] (default task-1) [Ref id=null:uri=#_ce8762784368ec6b6d323aedffa16001]validity status:true
2019-10-08 19:12:50,519 DEBUG [org.keycloak.saml.common] (default task-1) Verification failed for key null: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2019-10-08 19:12:50,519 TRACE [org.keycloak.saml.common] (default task-1) the keyselector did not find a validation key: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:558)
at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:264)
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:519)
at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:483)
at org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil.isSignatureValid(AssertionUtil.java:292)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:390)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:512)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:249)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:164)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
Now, to test whether the end-to-end flow works, I disabled the SAML assertion
validation on KC and then I got the error below:
2019-10-08 19:19:46,222 TRACE [org.keycloak.saml.common] (default task-2) Set Attribute Namespace=http://www.w3.org/2000/xmlns/::Qual=:xmlns:ec::Value=http://www.w3.org/20...
2019-10-08 19:19:46,223 TRACE [org.keycloak.saml.common] (default task-2) Creating an Attribute Namespace=:Algorithm
2019-10-08 19:19:46,238 DEBUG [org.keycloak.saml.common] (default task-2) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2019-10-08T23:19:46.238Z
2019-10-08 19:19:46,238 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-2) Evaluating Conditions of Assertion _aa9bf8d729ea9129247b16a5e8a00a43. notBefore=2019-10-08T23:16:40.378Z, notOnOrAfter=2019-10-08T23:21:40.378Z, updatedNotBefore: 2019-10-08T23:16:40.378Z, updatedOnOrAfter=2019-10-08T23:21:40.378Z, now: 2019-10-08T23:19:46.238Z
2019-10-08 19:19:46,239 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-2) Assertion _aa9bf8d729ea9129247b16a5e8a00a43 validity is VALID
2019-10-08 19:19:46,240 WARN [org.keycloak.events] (default task-2) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=dev, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalidRequestMessage
2019-10-08 19:19:46,240 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-2) invalidRequestMessage
Attaching the log file: the first part shows what happens when SAML signature
validation is enabled on KC, and the second part when SAML signature validation
is disabled in KC.
Any pointers will help.
5 years, 2 months
Re: [keycloak-user] SameSite and Secure
by Max Allan
Hi Matthew,
I note that it is only cookies without "samesite" that are not "secure"
that will be affected.
I expect that you are running keycloak over http to a proxy and the proxy
is not securing your cookies.
You don't mention which proxy you are using. There is a module for nginx:
nginx_cookie_flag
However, I consider that to be mostly a bodge for masking other issues. Use
it as last resort.
You may need to ensure your proxy passes the correct headers for access to
be detected as "SSL". I think if you fail to add "X-Forwarded-Proto" (and
possibly Port) then keycloak sort of assumes your connection is over HTTP
and does not secure cookies.
You can maybe check by inspecting some of the redirects and if they
include http URLs rather than https. Your proxy probably then redirects
everyone to https anyway, but fixing it at source is better. This sort of
thing often causes CORS errors as well because requests are going from one
url (http....) to a different one (https....)
And/or, you can configure Keycloak's SSL policy:
https://lists.jboss.org/pipermail/keycloak-user/2017-September/011888.html
I think that is a case of setting "require SSL" for all/external in the
Realm Settings. BUT IIRC that assumes you've got the header coming through
correctly or it will reject ALL attempts to login. (Which is embarrassing
because you cannot login to change the setting back! Always make sure you
have a backup and know how to restore it before changing any settings!!)
Also, if the proxy is on the same box, the connection appears to be local,
so the "external" setting doesn't help!
Max
> ---------- Forwarded message ----------
> From: Matthew Broadhead <matthew.broadhead(a)nbmlaw.co.uk>
> To: Bruno Oliveira <bruno(a)abstractj.org>
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Bcc:
> Date: Mon, 7 Oct 2019 16:41:44 +0200
> Subject: Re: [keycloak-user] SameSite and Secure
> Hi Bruno,
>
> I see the warnings in exactly the same version of Chrome as you, Version
> 77.0.3865.90 (Official Build) (64-bit) in Fedora.
>
> The same warning is showing in the console for a JSF application and a
> vue.js application and says the cookie originates from the domain where
> my keycloak installation is located.
>
> I will continue to check if it is a problem with my httpd proxy; I just
> thought you should know about this message.
>
> On 07/10/2019 11:31, Bruno Oliveira wrote:
> > Hi Matthew, even though I agree that this is something we should
> > consider for Keycloak, I don't see the warnings you mentioned in the
> > latest release using Chrome 77.0.3865.90 (Official Build) (64-bit).
> >
> > Could you please provide the steps to reproduce the issue?
5 years, 2 months
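The thread turns on two facts: Chrome's warning concerns cookies set without a SameSite attribute (and, once Chrome 80 enforces the new defaults, SameSite=None cookies that are not Secure are dropped), and an origin behind a TLS-terminating proxy only knows the request arrived over HTTPS if the proxy says so in X-Forwarded-Proto. The Python below is an added example, not Keycloak or nginx code: a small Set-Cookie audit that reports the combinations the thread is about, and an effective_scheme() helper that shows why the forwarded header has to be present and why it must be honoured only when the request really came through the proxy. All header values are constructed; the cookie name KEYCLOAK_SESSION is used only as an illustrative name.

```python
"""Added example: audit Set-Cookie headers for Secure/SameSite problems and
derive the request scheme an origin sees behind a reverse proxy.

Not Keycloak or nginx code. All headers below are constructed samples.
"""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Warnings a browser-compatibility check would raise for one cookie."""
    name, _, attrs = parse_set_cookie(header)
    warnings: list[str] = []
    secure = "secure" in attrs
    samesite = (attrs.get("samesite") or "").lower()
    if "samesite" not in attrs:
        warnings.append(
            f"{name}: no SameSite attribute; Chrome 80+ treats it as SameSite=Lax, "
            "so cross-site use of the cookie stops working"
        )
    elif samesite == "none" and not secure:
        warnings.append(f"{name}: SameSite=None without Secure is rejected by Chrome 80+")
    if not secure:
        warnings.append(f"{name}: missing Secure; the cookie is also sent over plain http")
    return warnings


def effective_scheme(connection_scheme: str, headers: dict[str, str],
                     trusted_proxy: bool) -> str:
    """Scheme the origin should treat the request as having.

    X-Forwarded-Proto is honoured only when the request came from the trusted
    proxy; a client on an untrusted path could otherwise claim https over a
    plain connection and receive cookies flagged for a channel it does not have.
    Without the header the origin falls back to its own connection scheme,
    which behind an http proxy is 'http'.
    """
    if trusted_proxy:
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("x-forwarded-proto")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return connection_scheme


def session_cookie_for(name: str, value: str, scheme: str) -> str:
    """Emit a session cookie the way an origin aware of the effective scheme
    would: Secure only when it knows the client connection is https."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if scheme == "https":
        attrs.append("Secure")
    return "; ".join(attrs)


# Constructed samples: a legacy cookie as in the Chrome warning, and a cookie
# set by an origin that learned the scheme from the proxy.
LEGACY_COOKIE = "KEYCLOAK_SESSION=constructed-value; Path=/auth/realms/demo/; HttpOnly"
PROXIED_HEADERS = {"Host": "sso.example.test", "X-Forwarded-Proto": "https"}


def demo() -> dict[str, object]:
    scheme_behind_proxy = effective_scheme("http", PROXIED_HEADERS, trusted_proxy=True)
    scheme_no_header = effective_scheme("http", {"Host": "sso.example.test"}, trusted_proxy=True)
    return {
        "legacy_warnings": audit_set_cookie(LEGACY_COOKIE),
        "scheme_with_forwarded_proto": scheme_behind_proxy,
        "scheme_without_forwarded_proto": scheme_no_header,
        "cookie_emitted": session_cookie_for("SESSION", "constructed-value", scheme_behind_proxy),
        "fixed_warnings": audit_set_cookie(
            session_cookie_for("SESSION", "constructed-value", scheme_behind_proxy)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

This is the reasoning behind Max's advice: if the proxy drops X-Forwarded-Proto, scheme_without_forwarded_proto is what the origin sees, the cookie goes out without Secure, and the browser warning follows; rewriting flags at the proxy hides that symptom without fixing the cause.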
Keycloak production container
by Ashwini Basavaraj
Hi,
Can someone please help me with the best architecture for a keycloak
container to run in production? We are working on a small setup so we don't
want to use a cluster yet. Is it good to run the keycloak container on http and
reroute requests to https using nginx?
--
*Ashwini Basavaraj*
*BOXARR*
*| Operations*
T: +44 7469554745
E: ashwini.basavaraj(a)boxarr.com
W: www.boxarr.com
LI: linkedin.com/company/boxarr
@: twitter.com/boxarr
5 years, 2 months