Re: [keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting

The problem is probably down to HttpServletRequest.html#getRequestURL() not returning the correct URL for the application itself. It looks like you've configured this correct on the Keycloak server side, but you also need to configure Jetty (I pressume?) to do the same when it's behind a reverse proxy. I've got no idea how you'd do that in Jetty, but I'm sure Google will reveal the answer to you. On 30 May 2017 at 17:37, cen <imbacen(a)gmail.com <mailto:imbacen@gmail.com>> wrote: Hello I just managed to replicate this: http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html <http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html> The unfortunate soul did not get a single reply in 2015, hopefully I have better luck. I will try to provide as much info as reuested just to get to the bottom of this. Setup: - KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup config cli: embed-server --std-out=echo batch /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https) /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true) /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) run-batch stop-embedded-server - KC adapter jetty 9.3 - keycloak.json configured via env vars - kc and api running in seperate docker containers on same server { "realm": "${env.KC_REALM}", "auth-server-url": "${env.KC_BASE_URL}", "ssl-required": "${env.KC_SSL_REQUIRED}", "resource": "${env.KC_RESOURCE}", "public-client": true } Docker ENV form my API service: KC_BASE_URL=https://mykeycloak.domain/auth <https://mykeycloak.domain/auth> KC_RESOURCE=myapp-api KC_REALM=myrealm KC_SSL_REQUIRED=external When I call a protected API this is logged by adapter: api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5 <http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5> api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is required to authenticate. Remote address <server ip> is secure: false, SSL required for: EXTERNAL . Why does it try to connect via IP and not over https? I clearly specified KC_BASE_URL as HTTPS. And why is REST call logged as http even tho I call it via https? I also parsed the access token and issuer is from https, no trace of any IPs or http anywhere. And now the worst thing: when this WARN happens, adapter returns blank 200! You'd expect at least internal server error or something along the lines. . I lost 9 hours today blaming everything from nginx to my REST API just to finally come down to this. Setting SSL config to none in admin panel and in adapter env makes the whole thing work. But this is clearly not the solution. Hopefully some expert can shed some light on this. Best regards, cen _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>