Thanks for this reference.
But it still doesn't solve my problem.
I see I need to describe a little more, what my setup is and what my
problem is.
We use HAProxy.
I have one URL for my keycloak, say:
https://keycloak.x.org
I have another URL for my service, say:
https://service.x.org
These URLs go to HAProxy, which offloads SSL and then directs traffic as
HTTP to the servers, which are run in a Kubernetes Cluster.
My keycloak.json file stored in the service is as follow:
{
"realm": "myrealm",
"auth-server-url": "https://keycloak.x.org/auth",
"ssl-required": "all",
"resource": "my-client",
"principal-attribute": "preferred_username",
"public-client": true,
"truststore" : "/truststore.jks",
"truststore-password" : "mytruststorepassword"
}
I open the service: "https://service.x.org/somepage" in my browser.
I get redirected to Keycloak for authentication with this URL:
https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?r...
Keycloak is accessed via https, as stated in the keycloak.json file.
But as you can see, the embedded redirect_uri is http, not https.
After Keycloak authenticated the user, keycloak issues a redirect to
http://service.x.org/somepage and not
https://service.x.org/somepage
So after authentication my service is access via http and not https anymore.
Keycloaks standalone.xml is configured as described in the setup for
Apache2 you sent me:
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener proxy-address-forwarding="true"
name="default"
socket-binding="http"
redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content"
path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header"
header-name="Server"
header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header"
header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
....
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
....
</socket-binding-group>
Does that make things clearer?
What am I missing?!
Thanks for your help,
Malte
On 28 November 2017 at 11:07, Matthew Broadhead <
matthew.broadhead(a)nbmlaw.co.uk> wrote:
which proxy are you using? this guide helped me proxy behind
apache2
http://markus.co/howto/2017/07/27/keycloak-apache.html
On 28/11/2017 10:57, Malte Finsterwalder wrote:
> Thanks for your help, but I can't find anything helpfull in the docs. I
> scanned the complete documentation and read a lot of it.
> Could you point me to a particular chapter?
>
> To clarify: I don't have a problem with Keycloak being behind a proxy,
that
> offloads SSL.
>
> I have a problem with the service being behind a proxy. The service
itself
> is access via HTTP, since SSL is offloaded on the Proxy.
> The client adapter then creates a redirect URL as HTTP, not HTTPS and
> passes that to Keycloak. So when Keycloak redirects back to the service,
it
> uses the HTTP URL provided by the client adapter, which is "wrong".
>
> Thanks,
> Malte
>
> On 27 November 2017 at 20:26, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
>
>> Read the docs. There's a section on how to configure Keycloak properly
>> when you're using a reverse proxy
>>
>> On 27 November 2017 at 17:31, Malte Finsterwalder <inofi(a)gmx.net>
wrote:
>>
>>> Hi there,
>>>
>>> I have a service running in a JBoss server, that I want to secure via
the
>>> keycloak adapter.
>>> The server is behind a proxy, that offloads SSL, so the server itself
gets
>>> traffic as http.
>>> When the server redirects to keycloak for authentication, the redirect
URL
>>> supplied to keycloak is http, not https. How can I ensure, that a
redirect
>>> URL is an https URL?
>>>
>>> Greetings,
>>> Malte
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user