Re: [keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak

Tuesday, 31 May 2016

I've got some Spring Boot application instances with embeded Tomcat 
servlet containers. Tomcat has a similar system to Wildfly for request 
dumpering, that's what I have enabled for getting the trace below. In 
short words that's the behaviour I'm able to see:

1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service (8083 
port) : A forward request where X-forwarded headers are included

2. Organization Service (localhost:8083) : Looks for a token and if it's 
not available, the keycloak adapter redirects to the /sso/login of the 
same service (Here the traceability from the proxy gets losts)

3. localhost:8083/sso/login: Redirects to the keycloak wildfly server, 
saving the requested url

4. Keycloak login: The user performs the authentication and the 
redirectUri is localhost:8083/sso/login. Later on, the login endpoint 
redirects the user to the url requested in point 2, not the first one 
from the proxy.

I only have this problem when my organization service needs to verify 
the token (or a token doesn't exist) using the keycloak adapter. When 
the /sso/login endpoint is not requested, everything is working 
properly. Hope I've explained it well!

31/05/2016 7:15(e)an, Stian Thorgersen igorleak idatzi zuen:
...
 Where is your app deployed? If it's on WildFly you can follow the
same 
 steps used to configure reverse proxy for Keycloak Server to configure 
 WildFly. Check if getRequestURL returns the correct URL in your app.

 On 30 May 2016 at 15:08, Aritz Maeztu <amaeztu(a)tesicnor.com 
 <mailto:amaeztu@tesicnor.com>> wrote:

     -------- Birbidalitako mezua --------
     Gaia: 	Re: [keycloak-user] Redirection issue with proxy behind
     keycloak
     Data: 	Mon, 30 May 2016 13:28:21 +0200
     Nork: 	Aritz Maeztu <amaeztu(a)tesicnor.com&gt;
     <mailto:amaeztu@tesicnor.com>
     Nori: 	stian(a)redhat.com <mailto:stian@redhat.com>
     CC: 	Niels Bertram <nielsbne(a)gmail.com&gt;
     <mailto:nielsbne@gmail.com>, keycloak-user
     <keycloak-user(a)lists.jboss.org&gt;
     <mailto:keycloak-user@lists.jboss.org>, Scott Rossillo
     <srossillo(a)smartling.com&gt; <mailto:srossillo@smartling.com>

     I've done all the traceability from the proxy server till the
     login page is displayed:

     First step, /organization/organizations is requested, so the proxy
     server knows it has to be forwarded to the 8083 port (the one for
     the organization service). That's the first request received by my
     application's Tomcat:

     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     START TIME =30-may-2016 13:01:18
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     requestURI=/organizations
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9           authType=null
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9 
     characterEncoding=UTF-8
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9      contentLength=-1
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9        contentType=null
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9        contextPath=
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=accept-language=es-ES,es;q=0.8
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=x-forwarded-host=mies-057:8765
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=x-forwarded-prefix=/organization
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=upgrade-insecure-requests=1
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=accept-encoding=gzip
     2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9

header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
     AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
     Safari/537.36
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=netflix.nfhttpclient.version=1.0
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=x-netflix-httpclientname=organization
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=host=mies-057:8083
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=connection=Keep-Alive
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9             locale=es_ES
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9             method=GET
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9           pathInfo=null
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9           protocol=HTTP/1.1
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9        queryString=null
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     remoteAddr=192.168.56.1
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     remoteHost=192.168.56.1
     2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9         remoteUser=null
     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     requestedSessionId=null
     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9             scheme=http
     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9         serverName=mies-057
     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9         serverPort=8083
     2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     servletPath=/organizations
     2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9           isSecure=false
     2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     ------------------=--------------------------------------------

     Here x-forwarded-host is mies-057:8765 (the proxy server) and
     x-forwarded-prefix is /organization. So the original request is
     kept in the headers. Well, now my service (8083) tries to check
     for authorization via the /sso/login endpoint from the keycloak
     spring security adapter:

     2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
     o.k.a.s.management.HttpSessionManager    : Session created:
     CDCA7AD4439DE94BD0B3B5803DAA0752
     2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
     k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login
     URI /sso/login
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     ------------------=--------------------------------------------
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9           authType=null
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9        contentType=null
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=X-Content-Type-Options=nosniff
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=X-XSS-Protection=1; mode=block
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=Pragma=no-cache
     2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=Expires=0
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=X-Frame-Options=DENY
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752;
     Path=/; HttpOnly
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     header=Location=http://mies-057:8083/sso/login
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9         remoteUser=null
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-9             status=302
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     END TIME =30-may-2016 13:01:18
     2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
     ===============================================================
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     START TIME =30-may-2016 13:01:18
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     requestURI=/sso/login
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10           authType=null
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10 
     characterEncoding=UTF-8
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10      contentLength=-1
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10        contentType=null
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10        contextPath=
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
     2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=host=mies-057:8083
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=connection=keep-alive
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10

header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=upgrade-insecure-requests=1
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
     AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
     Safari/537.36
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=accept-encoding=gzip, deflate, sdch
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=accept-language=es-ES,es;q=0.8
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10             locale=es_ES
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10             method=GET
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10           pathInfo=null
     2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     protocol=HTTP/1.1
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10        queryString=null
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     remoteAddr=192.168.56.1
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     remoteHost=192.168.56.1
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10         remoteUser=null
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10             scheme=http
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     serverName=mies-057
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10         serverPort=8083
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     servletPath=/sso/login
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        :
     http-nio-8083-exec-10           isSecure=false
     2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
     o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
     ------------------=--------------------------------------------
     2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
     o.k.adapters.PreAuthActionsHandler       : adminRequest
     http://mies-057:8083/sso/login
     2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
     f.KeycloakAuthenticationProcessingFilter : Request is to process
     authentication
     2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
     f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak
     authentication
     2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
     o.k.adapters.RequestAuthenticator        : --> authenticate()
     2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
     o.k.adapters.RequestAuthenticator        : try bearer
     2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
     o.k.adapters.RequestAuthenticator        : try oauth
     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
     o.k.a.s.token.SpringSecurityTokenStore   : Checking if

org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d
     is cached
     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
     o.k.adapters.OAuthRequestAuthenticator   : there was no code
     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
     o.k.adapters.OAuthRequestAuthenticator   : redirecting to auth server
     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
     o.k.adapters.OAuthRequestAuthenticator   : callback uri:
     http://mies-057:8083/sso/login
     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
     f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
     2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
     o.k.adapters.OAuthRequestAuthenticator   : Sending redirect to
     login page:

http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-conn...

     As it's shown in the logs, the X-forwarded logs are not kept by
     the keycloak adapter (look at the lines below
     k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login
     URI /sso/login). So could it be the proxy server itself being
     properly configured but the keycloak adapter losing the original
     headers while performing the redirection?

     I've also set up the request dumper in the undertow server as
     Niels suggested, but obviously, X-forwarded headers are not
     reaching the keycloak server..

     Thanks for your time, again ;-)

     25/05/2016 7:22(e)an, Stian Thorgersen igorleak idatzi zuen:
>     You need the Host and X-Forwarded-For headers to be included and
>     there's also some config to be done on the Keycloak server (see
>    
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...)
>
>     On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu(a)tesicnor.com
>     <mailto:amaeztu@tesicnor.com>> wrote:
>
>         Hi Niels and Scott. First of all, thank you very much for
>         your help. I'm currently using Zuul (Spring Cloud) as the
>         reverse proxy. All the services are registered in a discovery
>         service called Eureka and then Zuul looks for the service id
>         there and performs de redirection. I read about X-Forwarded
>         headers, but I thought it might result in a security issue if
>         not included, not that it could affect the redirection process.
>
>         As Scott says, I suppose the Host and the X-Real-Ip headers
>         are the relevant ones here, so I guess I should instruct Zuul
>         to send them when the service is addressed (however I wonder
>         why they are not already being sent, as Zuul is a proxy
>         service, all in all).
>
>         Here I include a preview of the first redirection made to the
>         keycloak login page, which shows the request headers sent to
>         the service /login endpoint (at port 8081 in localhost):
>
>         https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>
>         24/05/2016 2:08(e)an, Niels Bertram igorleak idatzi zuen:
>>         Hi Artitz,
>>
>>         a great way to figure out what is sent from the reverse
>>         proxy to your keycloak server is to use the undertow request
>>         dumper.
>>
>>         From the jboss-cli just add the request dumper filter to
>>         your undertow configuration like this:
>>
>>         $KC_HOME/bin/jbpss-cli.sh -c
>>
>>        
/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
>>         module=io.undertow.core)
>>
>>        
/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>
>>         /:reload
>>
>>         given your apache config looks something like this:
>>
>>           ProxyRequests Off
>>         ProxyPreserveHost On
>>           ProxyVia On
>>
>>           ProxyPass /auth ajp://127.0.0.1:8009/auth
>>         <http://127.0.0.1:8009/auth>
>>         ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>>         <http://127.0.0.1:8009/auth>
>>
>>
>>         you should see something like that (forwared info is
>>         somewhat rubbish in this example as I am running the hosts
>>         on Virtualbox - but you can see this request was put through
>>         2 proxies from local pc 192.168.33.1 to haproxy on
>>         192.168.33.80 and then apache reverse proxy on 192.168.33.81 ):
>>
>>         ==============================================================
>>         23:47:20,563 INFO  [io.undertow.request.dump] (default task-14)
>>         ----------------------------REQUEST---------------------------
>>          URI=/auth/welcome-content/favicon.ico
>>          characterEncoding=null
>>          contentLength=-1
>>          contentType=null
>>         header=Accept=*/*
>>         header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>>         header=Cache-Control=no-cache
>>         header=Accept-Encoding=gzip, deflate, sdch
>>         header=DNT=1
>>         header=Pragma=no-cache
>>         header=X-Original-To=192.168.33.80
>>         header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
>>         AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
>>         Safari/537.36
>>         header=Authorization=Basic
>>         bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
>>         header=X-Forwarded-Proto=https
>>         header=X-Forwarded-Port=443
>>         header=X-Forwarded-For=192.168.33.1
>>         header=Referer=https://login.vagrant.dev/auth/
>>         header=Host=login.vagrant.dev
>>         locale=[en_US, en, de]
>>         method=GET
>>         protocol=HTTP/1.1
>>          queryString=
>>         remoteAddr=192.168.33.1:0 <http://192.168.33.1:0>
>>         remoteHost=192.168.33.1
>>         scheme=https
>>         host=login.vagrant.dev
>>         serverPort=443
>>         --------------------------RESPONSE--------------------------
>>          contentLength=627
>>          contentType=application/octet-stream
>>         header=Cache-Control=max-age=2592000
>>         header=X-Powered-By=Undertow/1
>>         header=Server=WildFly/10
>>
>>
>>         Hope this helps diagnosing your issue. Niels
>>
>>         On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu
>>         <amaeztu(a)tesicnor.com <mailto:amaeztu@tesicnor.com>> wrote:
>>
>>             I'm using keycloak to securize some Spring based
>>             services (with the keycloak spring security adapter).
>>             The adapter creates a `/login` endpoint in each of the
>>             services which redirects to the keycloak login page and
>>             then redirects back to the service when authentication
>>             is done. I also have a proxy service which I want to
>>             publish in the 80 port and will take care of routing all
>>             the requests to each service. The proxy performs a plain
>>             FORWARD to the service, but the problem comes when I
>>             securize the service with the keycloak adapter.
>>
>>             When I make a request, the adapter redirects to its
>>             login endpoint and then to the keycloak auth url. When
>>             keycloak sends the redirection, the url shown in the
>>             browser is the one from the service and not the one from
>>             the proxy. Do I have some choice to tell the adapter I
>>             want to redirect back to the first requested url?
>>
>>
>>             -- 
>>             Aritz Maeztu Otaño
>>             Departamento Desarrollo de Software
>>            
<https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>>
>>             <http://www.tesicnor.com> 	
>>
>>             Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain
>>             (Navarra)
>>             Telf.: 948 21 40 40
>>             Fax.: 948 21 40 41
>>
>>             Antes de imprimir este e-mail piense bien si es
>>             necesario hacerlo: El medioambiente es cosa de todos.
>>
>>
>>             _______________________________________________
>>             keycloak-user mailing list
>>             keycloak-user(a)lists.jboss.org
>>             <mailto:keycloak-user@lists.jboss.org>
>>             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>         -- 
>         Aritz Maeztu Otaño
>         Departamento Desarrollo de Software
>         <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>         <http://www.tesicnor.com> 	
>
>         Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>         Telf.: 948 21 40 40
>         Fax.: 948 21 40 41
>
>         Antes de imprimir este e-mail piense bien si es necesario
>         hacerlo: El medioambiente es cosa de todos.
>
>
>         _______________________________________________
>         keycloak-user mailing list
>         keycloak-user(a)lists.jboss.org
>         <mailto:keycloak-user@lists.jboss.org>
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

     -- 
     Aritz Maeztu Otaño
     Departamento Desarrollo de Software
     <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
     <http://www.tesicnor.com> 	

     Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
     Telf.: 948 21 40 40
     Fax.: 948 21 40 41

     Antes de imprimir este e-mail piense bien si es necesario hacerlo:
     El medioambiente es cosa de todos.

     _______________________________________________
     keycloak-user mailing list
     keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
     https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Aritz Maeztu Otaño
Departamento Desarrollo de Software 
<https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
<http://www.tesicnor.com> 	

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41

Antes de imprimir este e-mail piense bien si es necesario hacerlo: El 
medioambiente es cosa de todos.

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak