I ran into the same issue and found that securing the channel between nginx and Keycloak did the
trick.
—Doug
From: keycloak-user-bounces@lists.jboss.org on behalf of Adrian Matei <adrianmatei@gmail.com>
Date: Friday, January 29, 2016 at 4:12 AM
To: Marek Posolda <mposolda@redhat.com>
Cc: keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Hi Marek,
Everything works fine with both Facebook and Google logins via nginx as a reverse proxy, as long
as I do everything over HTTP. Once I switch to HTTPS, I get either "Invalid
parameter: redirect_uri" (the redirect_uri query parameter is generated with http, not
https, in the navigation bar) before reaching the login form, or the redirect loops
(Facebook login), or "Error: redirect_uri_mismatch" with Google login if I manage to get past
that... In the realm client configuration I've added both
https://podcastmania.ro/*
and
http://podcastmania.ro/* as valid redirect URIs.
Note: the built-in account application can be accessed correctly with both Facebook and Google
via HTTPS too...
I guess the next step would be to also try securing the channel between nginx and
Keycloak, but that shouldn't be mandatory, right?...
Thanks,
Adrian
On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda
<mposolda@redhat.com> wrote:
Does login through Google work if you don't use the nginx proxy? Is there anything in the
log?
Marek
On 28/01/16 13:23, Adrian Matei wrote:
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same
"This webpage has a redirect loop" message when trying to sign in with Google
as well...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda
<mposolda@redhat.com> wrote:
I suppose you're using Keycloak 1.7? There is a known issue related to this
NoClassDefFoundError. You can work around it by editing the file
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
and adding the line:
<module name="org.keycloak.keycloak-broker-core"/>
into the dependencies section. Do the same for the module
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
Marek
On 28/01/16 06:47, Adrian Matei wrote:
Hi everyone,
I am experiencing "too many redirects"/infinite loop issues in the browser
when I try to connect with social providers. I am also getting an internal server error in
Chrome via a Google account (Caused by: java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my configuration, but I
did everything "by the book":
# realm Require SSL:none
#nginx
http {
gzip on;
# Compress responses coming back from the upstreams as well, not only local files.
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
# NOTE(review): compressing dynamic HTTPS responses that carry secrets next to
# user-controlled input is the BREACH pattern; restricting gzip_types to static
# content types is the usual mitigation - confirm which responses need it.
gzip_types text/plain text/html text/css application/json application/x-javascript
application/xml application/xml+rss text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
# This only hides nginx's own banner; headers added by the upstreams (the Keycloak
# standalone.xml below references server-header / x-powered-by-header filters) still
# pass through unless they are removed there or here.
include /etc/nginx/mime.types;
upstream tomcat_server {
# Application server on the same host; used by the @tomcat named location.
server localhost:8080;
}
upstream keycloak_server {
# Keycloak's http listener: 8080 + the port-offset of 100 configured in its
# standalone.xml socket-binding-group (see below). Used by the @keycloak location.
server localhost:8180;
}
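server {
    # Plain-HTTP listener: every request is redirected to HTTPS so browsers only
    # ever talk to the 443 server below.
    listen 80;
    # (The "<http://...>" fragments in the pasted config were mail-client link
    # artifacts, not part of the directives.)
    server_name podcastmania.ro;
    # $host echoes the request's Host header; $server_name would pin the redirect
    # to the configured name instead - either works for this single-site setup.
    return 301 https://$host$request_uri;
}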
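server {
    # TLS terminates here; both upstream hops below are plain HTTP on localhost.
    listen 443 ssl;
    server_name podcastmania.ro www.podcastmania.ro;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Application: serve static files from the Tomcat ROOT webapp first, then a
    # maintenance page if one is present, otherwise proxy to Tomcat.
    location / {
        root /opt/tomcat/webapps/ROOT;
        try_files $uri /maintenance.html @tomcat;
    }

    location @tomcat {
        proxy_pass http://tomcat_server;
        # Forward the originating Host instead of the default $proxy_host so the
        # application builds URLs for the public hostname. (In the pasted config
        # this comment had wrapped onto a second, uncommented line, which nginx
        # would reject as an unknown directive.)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Keycloak: theme resources served straight from disk, everything else
    # proxied to the Keycloak listener (localhost:8180 via the upstream above).
    location /auth/ {
        root /opt/keycloak/standalone/configuration/themes/keycloak/;
        try_files $uri @keycloak;
    }

    location @keycloak {
        # The hop to Keycloak is plain HTTP, so Keycloak can only learn that the
        # client used HTTPS from X-Forwarded-Proto / X-Forwarded-Port. Undertow
        # honours these when its http-listener has proxy-address-forwarding="true"
        # (as in the standalone.xml below); without that, redirect_uri values
        # are generated with http and the client check / redirect loop follows.
        proxy_pass http://keycloak_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fixed to 443 because this server block only listens on 443.
        proxy_set_header X-Forwarded-Port 443;
    }
}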
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<!-- Undertow web subsystem of the Keycloak server (standalone.xml). -->
<buffer-cache name="default"/>
<server name="default-server">
<!-- proxy-address-forwarding="true": Undertow derives the client address, scheme
     and port from the X-Forwarded-* headers that the nginx @keycloak location sets.
     Those headers are trusted from whatever reaches this listener, so the listener
     must not be reachable by clients directly (nginx proxies to localhost:8180;
     confirm the "public" interface is not exposed beyond the proxy host).
     redirect-socket="proxy-https": a redirect to a confidential transport targets
     the proxy-https binding (port 443, defined below) instead of Undertow's own
     https port. With the realm at "Require SSL: none" this redirect is presumably
     never triggered - confirm. -->
<http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" proxy-address-forwarding="true"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<!-- NOTE(review): presumably the default response-header filters that add
     Server / X-Powered-By; nginx's server_tokens off does not strip upstream
     headers, so drop these filter-refs if version disclosure matters - confirm
     in the <filters> section. -->
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<!-- The offset of 100 applies to every binding in this group: http becomes 8180
     (the address the nginx keycloak_server upstream points at), management-http
     becomes 10090, and so on. -->
<socket-binding name="management-http"
interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
<!-- Referenced by the http-listener above; effective port 8180 after the offset. -->
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<!-- Not a listener: the public HTTPS port presented by nginx. The http-listener's
     redirect-socket refers to it so generated redirects use https://host:443. -->
<socket-binding name="proxy-https" port="443"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<context:component-scan base-package="org.keycloak.adapters.springsecurity" />

<!-- Authentication is delegated entirely to the Keycloak adapter's provider. -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="keycloakAuthenticationProvider" />
</security:authentication-manager>

<!-- Adapter deployment settings are read from keycloak.json on the classpath. -->
<bean id="adapterDeploymentContext"
      class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
    <constructor-arg value="classpath:keycloak.json" />
</bean>

<bean id="keycloakAuthenticationEntryPoint"
      class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />

<bean id="keycloakAuthenticationProvider"
      class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />

<bean id="keycloakPreAuthActionsFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />

<bean id="keycloakAuthenticationProcessingFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
    <constructor-arg name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="keycloakLogoutHandler"
      class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
    <constructor-arg ref="adapterDeploymentContext" />
</bean>

<!-- Logout filter: matches GET /sso/logout**, runs the Keycloak logout handler and
     then clears the local SecurityContext, and finally redirects to "/".
     NOTE(review): a GET-triggered logout can be initiated by any cross-site link or
     image; if the application enables CSRF protection, a POST-only matcher is the
     safer choice - confirm. -->
<bean id="logoutFilter"
      class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg name="logoutSuccessUrl" value="/" />
    <constructor-arg name="handlers">
        <list>
            <ref bean="keycloakLogoutHandler" />
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </list>
    </constructor-arg>
    <property name="logoutRequestMatcher">
        <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
            <constructor-arg name="pattern" value="/sso/logout**" />
            <constructor-arg name="httpMethod" value="GET" />
        </bean>
    </property>
</bean>

<!-- No auto-config: the Keycloak filters replace form login, and unauthenticated
     access is answered by the Keycloak entry point. -->
<security:http auto-config="false"
               use-expressions="true"
               entry-point-ref="keycloakAuthenticationEntryPoint">
    <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
    <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />

    <!-- intercept-url rules are evaluated in declaration order and the first match
         wins, so the public registration / password-reset pages must stay above
         the protected /users rule. -->
    <security:intercept-url pattern="/users/registration" access="permitAll"/>
    <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
    <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
    <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
    <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
    <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>

    <!-- NOTE(review): "/users/**/*" matches paths below /users/ but not "/users" or
         "/users/" themselves, which therefore fall through to the permitAll "/**"
         rule at the end - confirm that is intended, otherwise use "/users/**". -->
    <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/**" access="permitAll"/>

    <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>
Has anyone faced similar issues?
Thanks,
Adrian