Malte,
As the guys have already noticed, you need to make sure that your
*service* is proxy-aware, i.e. it has to be configured to recognize https
as a legitimate external address.
If your service is deployed to JBoss/Wildfly, you should do the
following on the target server (not Keycloak):
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <server name="default-server">
        <http-listener name="default"
                       socket-binding="http"
                       redirect-socket="https"
                       proxy-address-forwarding="true"
                       enable-http2="true"/>
        ...
    </server>
    ...
</subsystem>
Just FYI, for Tomcat/TomEE this is done like this:
<Service name="Catalina">
    <Connector protocol="HTTP/1.1"
               port="8085"
               ...
               redirectPort="8443"
               scheme="https" secure="true"
               proxyName="service.x.org"
               proxyPort="443"
               />
    ....
</Service>
Also make sure that on the HAProxy side forwarding of X-Forwarded-*
headers is turned on.
Regards,
Dmitry
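The HAProxy side of what Dmitry describes, as an added example that is not from the thread or from any of the projects mentioned. Two points matter for the redirect_uri problem: HAProxy's `option forwardfor` only adds X-Forwarded-For, so X-Forwarded-Proto (which is what proxy-address-forwarding and RemoteIpValve use to rebuild the external scheme) has to be set explicitly; and because proxy-address-forwarding="true" makes the listener trust X-Forwarded-* from whoever connects to it, the proxy should overwrite any client-supplied copies of those headers, and the pods' HTTP ports should be reachable only from HAProxy (for example via a Kubernetes NetworkPolicy), otherwise a direct client can spoof scheme and client IP. The certificate path and backend addresses below are assumptions; the hostnames are the ones from the thread.

```haproxy
# Added example (not from the thread). HAProxy terminates TLS and tells the
# backends which scheme/host/port the browser actually used.
# Assumed: PEM certs under /etc/haproxy/certs/, backends at the addresses below.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/
    bind *:80
    # Never pass through forwarded headers supplied by the client: only the
    # proxy is allowed to set them, or a client could claim "https" / any IP.
    http-request del-header X-Forwarded-Proto
    http-request del-header X-Forwarded-Port
    http-request del-header X-Forwarded-Host
    # Send plain-HTTP visitors to HTTPS so the adapter only ever sees TLS requests.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # These are what proxy-address-forwarding / RemoteIpValve read to rebuild
    # https://service.x.org/..., which then becomes the redirect_uri.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    option forwardfor          # X-Forwarded-For only; it does NOT set X-Forwarded-Proto
    acl host_keycloak hdr(host) -i keycloak.x.org
    acl host_service  hdr(host) -i service.x.org
    use_backend keycloak if host_keycloak
    use_backend service  if host_service

backend keycloak
    server kc1 10.0.0.10:8080 check     # assumed pod/service address

backend service
    server svc1 10.0.0.20:8085 check    # assumed pod/service address
```

A quick check after reloading: request https://service.x.org/somepage in a browser and confirm the Location header of the redirect to Keycloak now carries `redirect_uri=https%3A%2F%2Fservice.x.org%2F...`; if it still says http, the backend is not seeing X-Forwarded-Proto (wrong listener, or a second hop that strips it).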
On Tue, 28/11/2017 at 13:28 +0100, Malte Finsterwalder wrote:
Thanks for this reference.
But it still doesn't solve my problem.
I see I need to describe a little more what my setup is and what my
problem is.
We use HAProxy.
I have one URL for my keycloak, say:
https://keycloak.x.org
I have another URL for my service, say:
https://service.x.org
These URLs go to HAProxy, which offloads SSL and then directs traffic as
HTTP to the servers, which are run in a Kubernetes Cluster.
My keycloak.json file stored in the service is as follows:
{
    "realm": "myrealm",
    "auth-server-url": "https://keycloak.x.org/auth",
    "ssl-required": "all",
    "resource": "my-client",
    "principal-attribute": "preferred_username",
    "public-client": true,
    "truststore" : "/truststore.jks",
    "truststore-password" : "mytruststorepassword"
}
I open the service: "https://service.x.org/somepage" in my browser.
I get redirected to Keycloak for authentication with this URL:
https://keycloak.x.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=my-client&redirect_uri=http%3A%2F%2Fservice.x.org%2Fsomepage%2F&state=....&login=true&scope=openid
Keycloak is accessed via https, as stated in the keycloak.json file.
But as you can see, the embedded redirect_uri is http, not https.
After Keycloak authenticated the user, keycloak issues a redirect to
http://service.x.org/somepage and not
https://service.x.org/somepage
So after authentication my service is accessed via http and not https
anymore.
Keycloak's standalone.xml is configured as described in the setup for
Apache2 you sent me:
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener proxy-address-forwarding="true"
                       name="default"
                       socket-binding="http"
                       redirect-socket="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>
<socket-binding-group name="standard-sockets"
                      default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    ....
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    ....
</socket-binding-group>
Does that make things clearer?
What am I missing?!
Thanks for your help,
Malte
On 28 November 2017 at 11:07, Matthew Broadhead <matthew.broadhead(a)nbmlaw.co.uk> wrote:
> which proxy are you using? this guide helped me proxy behind apache2
> http://markus.co/howto/2017/07/27/keycloak-apache.html
>
> On 28/11/2017 10:57, Malte Finsterwalder wrote:
> > Thanks for your help, but I can't find anything helpful in the docs. I
> > scanned the complete documentation and read a lot of it.
> > Could you point me to a particular chapter?
> >
> > To clarify: I don't have a problem with Keycloak being behind a proxy, that
> > offloads SSL.
> >
> > I have a problem with the service being behind a proxy. The service itself
> > is accessed via HTTP, since SSL is offloaded on the Proxy.
> > The client adapter then creates a redirect URL as HTTP, not HTTPS and
> > passes that to Keycloak. So when Keycloak redirects back to the service, it
> > uses the HTTP URL provided by the client adapter, which is "wrong".
> >
> > Thanks,
> > Malte
> >
> > On 27 November 2017 at 20:26, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> >
> > > Read the docs. There's a section on how to configure Keycloak properly
> > > when you're using a reverse proxy
> > >
> > > On 27 November 2017 at 17:31, Malte Finsterwalder <inofi(a)gmx.net> wrote:
> > >
> > > > Hi there,
> > > >
> > > > I have a service running in a JBoss server, that I want to secure via the
> > > > keycloak adapter.
> > > > The server is behind a proxy, that offloads SSL, so the server itself gets
> > > > traffic as http.
> > > > When the server redirects to keycloak for authentication, the redirect URL
> > > > supplied to keycloak is http, not https. How can I ensure, that a redirect
> > > > URL is an https URL?
> > > >
> > > > Greetings,
> > > > Malte
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
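To make the behaviour Malte describes reproducible without a cluster, here is an added example (not code from the thread, from the Keycloak adapter, or from Undertow) that models what a proxy-aware listener does when it rebuilds the external URL from X-Forwarded-* headers, and what the OIDC adapter then places in redirect_uri. It also models the failure mode a practitioner should worry about once proxy-address-forwarding is on: a client that reaches the listener directly and spoofs X-Forwarded-Proto. The hostnames, realm and client id are from the thread; the request dictionaries, the trusted proxy address 10.0.0.5 and all function names are assumptions made for this example.

```python
"""Added example: models URL reconstruction behind a TLS-offloading proxy.

Not the Keycloak adapter's or Undertow's code; it reproduces the observable
behaviour from the thread (http redirect_uri without proxy awareness, https
with it) and adds a trusted-proxy check that a hardened deployment needs.
"""
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER_URL = "https://keycloak.x.org/auth"   # "auth-server-url" from keycloak.json
REALM = "myrealm"
CLIENT_ID = "my-client"
TRUSTED_PROXIES = {"10.0.0.5"}   # assumed HAProxy address; nobody else may set X-Forwarded-*


def external_url(request, proxy_aware):
    """Rebuild the URL the browser used.

    request is a constructed dict: peer (source IP), scheme and host as seen
    on the wire, path, and a headers dict.
    proxy_aware=False models the default listener: it believes only what it saw
    on the wire, which after TLS offload is plain http.
    proxy_aware=True models proxy-address-forwarding="true", plus a check that
    the connection really came from the proxy (Undertow itself does not check;
    that is why the listener must not be reachable directly).
    """
    scheme, host = request["scheme"], request["host"]
    if proxy_aware and request["peer"] in TRUSTED_PROXIES:
        hdrs = {k.lower(): v for k, v in request["headers"].items()}
        scheme = hdrs.get("x-forwarded-proto", scheme)
        host = hdrs.get("x-forwarded-host", host)
        port = hdrs.get("x-forwarded-port")
        if port and port not in ("80", "443"):
            host = f"{host}:{port}"
    return f"{scheme}://{host}{request['path']}"


def authorization_redirect(request, proxy_aware, state="opaque-state"):
    """The Location the adapter sends the browser to (authorization code flow)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": external_url(request, proxy_aware),
        "state": state,
        "login": "true",
        "scope": "openid",
    }
    return f"{AUTH_SERVER_URL}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def redirect_uri_of(location):
    """Pull redirect_uri back out of an authorization URL (for checks)."""
    return parse_qs(urlparse(location).query)["redirect_uri"][0]


def ssl_required_all_ok(request, proxy_aware):
    """What 'ssl-required': 'all' needs to be true: the external request is HTTPS."""
    return external_url(request, proxy_aware).startswith("https://")


# Constructed sample: HAProxy offloaded TLS and forwarded plain HTTP to the pod.
VIA_HAPROXY = {
    "peer": "10.0.0.5", "scheme": "http", "host": "service.x.org", "path": "/somepage/",
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443",
                "X-Forwarded-For": "203.0.113.7"},
}
# Constructed sample: a client bypassing HAProxy and forging the header.
DIRECT_SPOOF = {
    "peer": "198.51.100.9", "scheme": "http", "host": "service.x.org", "path": "/somepage/",
    "headers": {"X-Forwarded-Proto": "https"},
}

if __name__ == "__main__":
    print("not proxy-aware:", redirect_uri_of(authorization_redirect(VIA_HAPROXY, False)))
    print("proxy-aware:    ", redirect_uri_of(authorization_redirect(VIA_HAPROXY, True)))
    print("spoof attempt:  ", redirect_uri_of(authorization_redirect(DIRECT_SPOOF, True)))
```

Run as-is it prints the http redirect_uri from the thread for the non-proxy-aware case, the https one once forwarded headers are honoured, and http again for the spoofed direct request, which is the outcome you want: an attacker who can talk to the pod directly must not be able to make the adapter believe the request was secure or came from a different IP.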