-------- Forwarded message --------
Subject: Re: [keycloak-user] Redirection issue with proxy behind keycloak
Date: Mon, 30 May 2016 13:28:21 +0200
From: Aritz Maeztu <amaeztu(a)tesicnor.com>
To: stian(a)redhat.com
CC: Niels Bertram <nielsbne(a)gmail.com>, keycloak-user
<keycloak-user(a)lists.jboss.org>, Scott Rossillo <srossillo(a)smartling.com>
I've done all the traceability from the proxy server till the login page
is displayed:
First step, /organization/organizations is requested, so the proxy
server knows it has to be forwarded to the 8083 port (the one for the
organization service). That's the first request received by my
application's Tomcat:
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 START
TIME =30-may-2016 13:01:18
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
requestURI=/organizations
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 authType=null
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
characterEncoding=UTF-8
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
contentLength=-1
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
contentType=null
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
contextPath=
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=accept-language=es-ES,es;q=0.8
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=x-forwarded-host=mies-057:8765
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=x-forwarded-prefix=/organization
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=upgrade-insecure-requests=1
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=accept-encoding=gzip
2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=user-agent=Mozilla/5.0 (Windows
NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/50.0.2661.102 Safari/537.36
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=netflix.nfhttpclient.version=1.0
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=x-netflix-httpclientname=organization
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=host=mies-057:8083
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=connection=Keep-Alive
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 locale=es_ES
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 method=GET
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 pathInfo=null
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 protocol=HTTP/1.1
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
queryString=null
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
remoteAddr=192.168.56.1
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
remoteHost=192.168.56.1
2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
remoteUser=null
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
requestedSessionId=null
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 scheme=http
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
serverName=mies-057
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
serverPort=8083
2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
servletPath=/organizations
2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 isSecure=false
2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
------------------=--------------------------------------------
Here x-forwarded-host is mies-057:8765 (the proxy server) and
x-forwarded-prefix is /organization. So the original request is kept in
the headers. Well, now my service (8083) tries to check for
authorization via the /sso/login endpoint from the keycloak spring
security adapter:
2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
o.k.a.s.management.HttpSessionManager : Session created:
CDCA7AD4439DE94BD0B3B5803DAA0752
2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI
/sso/login
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
------------------=--------------------------------------------
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 authType=null
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
contentType=null
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=X-Content-Type-Options=nosniff
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=X-XSS-Protection=1; mode=block
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=Pragma=no-cache
2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=Expires=0
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 header=X-Frame-Options=DENY
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; Path=/;
HttpOnly
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9
header=Location=http://mies-057:8083/sso/login
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
remoteUser=null
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-9 status=302
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 END
TIME =30-may-2016 13:01:18
2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9
===============================================================
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 START
TIME =30-may-2016 13:01:18
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
requestURI=/sso/login
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 authType=null
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
characterEncoding=UTF-8
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
contentLength=-1
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
contentType=null
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
contextPath=
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=host=mies-057:8083
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=connection=keep-alive
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=upgrade-insecure-requests=1
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 header=accept-encoding=gzip, deflate, sdch
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=accept-language=es-ES,es;q=0.8
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 locale=es_ES
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 method=GET
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 pathInfo=null
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 protocol=HTTP/1.1
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
queryString=null
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
remoteAddr=192.168.56.1
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
remoteHost=192.168.56.1
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
remoteUser=null
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 scheme=http
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
serverName=mies-057
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
serverPort=8083
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
servletPath=/sso/login
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter :
http-nio-8083-exec-10 isSecure=false
2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10]
o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10
------------------=--------------------------------------------
2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.PreAuthActionsHandler : adminRequest
http://mies-057:8083/sso/login
2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Request is to process
authentication
2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak
authentication
2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : --> authenticate()
2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try bearer
2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
o.k.adapters.RequestAuthenticator : try oauth
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.a.s.token.SpringSecurityTokenStore : Checking if
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
is cached
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : there was no code
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : redirecting to auth server
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : callback uri:
http://mies-057:8083/sso/login
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login
page:
http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-conn...
As it's shown in the logs, the X-forwarded logs are not kept by the
keycloak adapter (look at the lines below
k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI
/sso/login). So could it be the proxy server itself being properly
configured but the keycloak adapter losing the original headers while
performing the redirection?
I've also set up the request dumper in the undertow server as Niels
suggested, but obviously, X-forwarded headers are not reaching the
keycloak server.
Thanks for your time, again ;-)
On 25/05/2016 at 7:22, Stian Thorgersen wrote:
You need the Host and X-Forwarded-For headers to be included and
there's also some config to be done on the Keycloak server (see
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...)
On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu(a)tesicnor.com> wrote:
Hi Niels and Scott. First of all, thank you very much for your
help. I'm currently using Zuul (Spring Cloud) as the reverse
proxy. All the services are registered in a discovery service
called Eureka and then Zuul looks for the service id there and
performs the redirection. I read about X-Forwarded headers, but I
thought it might result in a security issue if not included, not
that it could affect the redirection process.
As Scott says, I suppose the Host and the X-Real-Ip headers are
the relevant ones here, so I guess I should instruct Zuul to send
them when the service is addressed (however I wonder why they are
not already being sent, as Zuul is a proxy service, all in all).
Here I include a preview of the first redirection made to the
keycloak login page, which shows the request headers sent to the
service /login endpoint (at port 8081 in localhost):
https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
On 24/05/2016 at 2:08, Niels Bertram wrote:
> Hi Aritz,
>
> a great way to figure out what is sent from the reverse proxy to
> your keycloak server is to use the undertow request dumper.
>
> From the jboss-cli just add the request dumper filter to your
> undertow configuration like this:
>
> $KC_HOME/bin/jboss-cli.sh -c
>
> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)
>
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>
> /:reload
>
> given your apache config looks something like this:
>
> ProxyRequests Off
> ProxyPreserveHost On
> ProxyVia On
>
> ProxyPass /auth ajp://127.0.0.1:8009/auth
> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>
>
> you should see something like that (forwarded info is somewhat
> rubbish in this example as I am running the hosts on Virtualbox -
> but you can see this request was put through 2 proxies from local
> pc 192.168.33.1 to haproxy on 192.168.33.80 and then apache
> reverse proxy on 192.168.33.81 ):
>
> ==============================================================
> 23:47:20,563 INFO [io.undertow.request.dump] (default task-14)
> ----------------------------REQUEST---------------------------
> URI=/auth/welcome-content/favicon.ico
> characterEncoding=null
> contentLength=-1
> contentType=null
> header=Accept=*/*
> header=Accept-Language=en-US,en;q=0.8,de;q=0.6
> header=Cache-Control=no-cache
> header=Accept-Encoding=gzip, deflate, sdch
> header=DNT=1
> header=Pragma=no-cache
> header=X-Original-To=192.168.33.80
> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
> Safari/537.36
> header=Authorization=Basic
> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
> header=X-Forwarded-Proto=https
> header=X-Forwarded-Port=443
> header=X-Forwarded-For=192.168.33.1
> header=Referer=https://login.vagrant.dev/auth/
> header=Host=login.vagrant.dev
> locale=[en_US, en, de]
> method=GET
> protocol=HTTP/1.1
> queryString=
> remoteAddr=192.168.33.1:0
> remoteHost=192.168.33.1
> scheme=https
> host=login.vagrant.dev
> serverPort=443
> --------------------------RESPONSE--------------------------
> contentLength=627
> contentType=application/octet-stream
> header=Cache-Control=max-age=2592000
> header=X-Powered-By=Undertow/1
> header=Server=WildFly/10
>
>
> Hope this helps diagnosing your issue. Niels
>
> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu
> <amaeztu(a)tesicnor.com> wrote:
>
> I'm using keycloak to securize some Spring based services
> (with the keycloak spring security adapter). The adapter
> creates a `/login` endpoint in each of the services which
> redirects to the keycloak login page and then redirects back
> to the service when authentication is done. I also have a
> proxy service which I want to publish in the 80 port and will
> take care of routing all the requests to each service. The
> proxy performs a plain FORWARD to the service, but the
> problem comes when I securize the service with the keycloak
> adapter.
>
> When I make a request, the adapter redirects to its login
> endpoint and then to the keycloak auth url. When keycloak
> sends the redirection, the url shown in the browser is the
> one from the service and not the one from the proxy. Do I
> have some choice to tell the adapter I want to redirect back
> to the first requested url?
>
>
> --
> Aritz Maeztu Otaño
> Software Development Department
> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
> <http://www.tesicnor.com>
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel.: 948 21 40 40
> Fax: 948 21 40 41
>
> Before printing this e-mail, consider whether it is really necessary:
> the environment is everyone's responsibility.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41
Before printing this e-mail, consider whether it is really necessary: the
environment is everyone's responsibility.
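
Added example, not part of the original thread and not Keycloak or Tomcat code: a small checker for RequestDumperFilter output like the trace above, flagging 302 responses whose Location points at the backend's own Host while the request carried a different x-forwarded-host. It assumes one log entry per line (the mail client wrapped the lines above); the sample is constructed from values in the trace, and the trusted proxy address set is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first exchange from the trace, one entry per line.
PREFIX = ("2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9] "
          "o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ")
SAMPLE = "\n".join(PREFIX + p for p in [
    "START TIME =30-may-2016 13:01:18",
    "requestURI=/organizations",
    "header=x-forwarded-host=mies-057:8765",
    "header=x-forwarded-prefix=/organization",
    "header=host=mies-057:8083",
    "remoteAddr=192.168.56.1",
    "------------------=--------------------------------------------",
    "header=Location=http://mies-057:8083/sso/login",
    "status=302",
    "END TIME =30-may-2016 13:01:18",
])

LINE = re.compile(r"RequestDumperFilter\s*:\s*(\S+)\s+(.*)$")

def parse_exchanges(text):
    """Group dump lines per Tomcat thread into request/response records."""
    active, done = {}, []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, payload = m.groups()
        if payload.startswith("START TIME"):
            active[thread] = {"request": {}, "response": {}, "section": "request"}
            continue
        rec = active.get(thread)
        if rec is None:
            continue
        if payload.startswith("END TIME"):
            done.append(active.pop(thread))
        elif payload.startswith("-"):
            rec["section"] = "response"   # dashed line separates the two halves
        elif payload.startswith("header="):
            name, _, value = payload[len("header="):].partition("=")
            rec[rec["section"]]["header:" + name.lower()] = value
        elif "=" in payload:
            key, _, value = payload.partition("=")
            rec[rec["section"]][key] = value
    return done

def misdirected_redirects(exchanges, trusted_proxies):
    """Return redirects that expose the backend address instead of the proxy's."""
    findings = []
    for ex in exchanges:
        req, resp = ex["request"], ex["response"]
        location = resp.get("header:location")
        fwd_host = req.get("header:x-forwarded-host")
        if not location or not fwd_host:
            continue
        # X-Forwarded-* is client-controlled unless the peer is a known proxy.
        if req.get("remoteAddr") not in trusted_proxies:
            continue
        target = urlsplit(location)
        if target.netloc == req.get("header:host") and target.netloc != fwd_host:
            scheme = req.get("header:x-forwarded-proto", target.scheme)
            prefix = req.get("header:x-forwarded-prefix", "")
            findings.append({
                "requestURI": req.get("requestURI"),
                "location": location,
                # URL the client would have been sent to had the headers been honoured
                "expected": f"{scheme}://{fwd_host}{prefix}{target.path}",
            })
    return findings
```
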