OK, I forgot to mention I used to have the Keycloak set to run on the root
context. So I removed the root context mapping, set the "standalone.xml" to
"sso" and customized the nginx settings accordingly.
Now I am able to enter the admin/, although redirecting to the login form
for the master realm ends with an error - "Invalid parameter:
redirect_uri". Apparently the context path "sso/" is ignored by a security
pattern.
Log dump:
2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-15) replacing relative valid redirect with: https://domain.foo/auth/admin/master/console/*
2016-01-13 17:06:21,876 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=https://domain.foo/sso/admin/master/console/, response_mode=fragment
Thanks
On Wed, Jan 13, 2016 at 2:44 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Looks like it may be a bug caused by context-path on the server being
different than context-path on the reverse proxy.
Try setting web-context for urn:jboss:domain:keycloak-server:1.1 in
standalone.xml to "sso". If that works please create a bug.
On 13 January 2016 at 14:27, Andy Yar <andyyar66(a)gmail.com> wrote:
> Hello,
> I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy
> (nginx). The WildFly is configured for proxying according to the Keycloak
> guide and the proxy sends the needed custom HTTP headers.
>
> I have a public SSL secured domain and nginx proxying requests to
> internal WildFly server. I would like to use URL: https://domain.foo/sso/
> to access the Keycloak (internal WildFly). I guess the context path (sso/)
> is important here.
>
> Accessing the address I can reach the Keycloak default welcome page.
> However, a GET https://domain.foo/sso/admin results in 302 to Location:
> https://domain.foo/admin/master/console/. Obviously this redirect fails
> because its Location misses the needed context path (sso/). Adding the
> context path to a request manually results in a 200 but following resources
> fail to download because of the missing context path part of URL.
>
> Is my configuration wrong? Is there a way how the original base URL can
> be set? Is it even possible to have it behind a reverse proxy not running
> at root context? Is the origin detection broken?
>
> Thanks in advance
> Andy
>
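Added example, not part of the original thread and not Keycloak's own code: a small Python check that reads the two log entries from the message above (wrapped lines re-joined) and reports which path segment puts the requested redirect_uri outside the allowed pattern. The matching rule (exact match, or prefix match for a trailing "*") is a simplified assumption, and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# The two log entries from the thread, with the e-mail line wrapping re-joined.
DEBUG_LINE = ("2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] "
              "(default task-15) replacing relative valid redirect with: "
              "https://domain.foo/auth/admin/master/console/*")
EVENT_LINE = ("2016-01-13 17:06:21,876 WARN [org.keycloak.events] (default task-15) "
              "type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, "
              "userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, "
              "response_type=code, redirect_uri=https://domain.foo/sso/admin/master/console/, "
              "response_mode=fragment")

def parse_event(line):
    """Return the key=value fields of an org.keycloak.events log line."""
    return dict(re.findall(r"(\w+)=([^,\s]*)", line))

def resolved_pattern(line):
    """Return the absolute pattern from a 'replacing relative valid redirect' line."""
    m = re.search(r"replacing relative valid redirect with:\s*(\S+)", line)
    return m.group(1) if m else None

def matches(redirect_uri, pattern):
    """Simplified model (assumption): exact match, or prefix match for a trailing '*'."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern

def first_path_mismatch(redirect_uri, pattern):
    """Return (requested_segment, allowed_segment) at the first differing path segment."""
    req = urlsplit(redirect_uri).path.split("/")
    allowed = urlsplit(pattern.rstrip("*")).path.split("/")
    for a, b in zip(req, allowed):
        if a != b:
            return a, b
    return None

def diagnose(debug_line, event_line):
    """Combine both log entries into one summary of why the login was rejected."""
    event = parse_event(event_line)
    pattern = resolved_pattern(debug_line)
    uri = event["redirect_uri"]
    return {"error": event.get("error"), "allowed": pattern, "requested": uri,
            "match": matches(uri, pattern),
            "mismatch": first_path_mismatch(uri, pattern)}

if __name__ == "__main__":
    print(diagnose(DEBUG_LINE, EVENT_LINE))
```

The reported mismatch ("sso" requested, "auth" allowed) shows that the allowed pattern still carries the "auth" context path while the browser is sent to "sso", which is why the login ends in invalid_redirect_uri.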