For Keycloak server to work behind a reverse proxy you need to make sure the X-Forwarded-For and Host headers are includes, there's also some config you need to do in Keycloak itself. See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding

On 24 May 2016 at 13:34, Guy Bowdler <guybowdler@dorsetnetworks.com> wrote:
Typical, spent two days faffing on this and as soon as I ask the forum,
I find it.   I repointed the kc proxy "auth-server-url" direct at
keycloak and it works fine.  Point it at the nginx proxied version of
keycloak and it dies.   It authenticates, and the user sessions show in
the keycloak console, and SSO works, as I can go to another URL and that
too shows a session but neither page renders when keyclaok is behind
nginx.

anyone had a similar experience?

On 2016-05-24 11:25, Guy Bowdler wrote:
> It might be this, as we have the keycloak instance running behind
> another nginx proxy:
>
> https://issues.jboss.org/browse/KEYCLOAK-2054
>
> If anyone can help confirm this is would be a massive help as the fix
> isn't due out until June 22 and would save unnecessary troubleshooting
>
>
>
> On 2016-05-24 10:48, Guy Bowdler wrote:
>> Hi:)
>>
>> Has anybody seen this error?
>>
>> I have  (http://host.name/appname) --> [KeyCloakProxy:80 -->
>> nginx:8080]
>>   -->  [Web apps on different boxes] where [] denotes on same box.
>> Namespace is hostname/appname where nginx location directives proxy
>> out
>> again to different boxes.
>>
>> I've previously had this working but when I changed the keystore it
>> all
>> broke and haven't found the problem yet.  Troubleshooting steps have
>> been to take out the ssl entirely and try different client settings.
>> If
>> I remove the contraints in the proxy config, it proxies ok to the
>> webpages, and it the constraints are in, I log in ok and then the
>> browser goes blank with a URL like this in the address bar:
>>
>> http://apps.host.name/python?state=0%2F52043b01-976f-464f-8651-ebe295aac2af&code=-_odSdHkDVnID6JhPeKV2QXh_1oub5DDLP2ZLZ6pA_0.ef2bd934-2fd8-48da-a626-106712b687b1
>>
>> The error stack below is from the console of the keycloak proxy.
>> Refreshing the page, simply returns a different error of "NO STATE
>> COOKIE".
>>
>> Thanks in advance for any assistance,
>>
>> kind regards
>>
>> Guy
>>
>>
>> ERROR: failed to turn code into token
>> java.net.ConnectException: Connection refused
>>          at java.net.PlainSocketImpl.socketConnect(Native Method)
>>          at
>> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>          at
>> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>>          at
>> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>          at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>          at java.net.Socket.connect(Socket.java:589)
>>          at
>> sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>>          at
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
>>          at
>> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
>>          at
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>>          at
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>>          at
>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>          at
>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>          at
>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>>          at
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>>          at
>> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>>          at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>          at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>>          at
>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>>          at
>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>>          at
>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>>          at
>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>>          at
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>>          at
>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>          at
>> org.keycloak.adapters.undertow.UndertowAuthenticationMechanism.authenticate(UndertowAuthenticationMechanism.java:56)
>>          at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>>          at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>>          at
>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>>          at
>> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>>          at
>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>>          at
>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>>          at
>> org.keycloak.proxy.ProxyAuthenticationCallHandler.handleRequest(ProxyAuthenticationCallHandler.java:44)
>>          at
>> org.keycloak.proxy.ConstraintMatcherHandler.handleRequest(ConstraintMatcherHandler.java:89)
>>          at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>          at
>> org.keycloak.adapters.undertow.UndertowPreAuthActionsHandler.handleRequest(UndertowPreAuthActionsHandler.java:54)
>>          at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>          at
>> io.undertow.server.session.SessionAttachmentHandler.handleRequest(SessionAttachmentHandler.java:68)
>>          at
>> io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94)
>>          at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>          at
>> io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:232)
>>          at
>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
>>          at
>> io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
>>          at
>> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>>          at
>> org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
>>          at
>> org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
>>          at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
>>
>> May 24, 2016 11:04:30 AM
>> org.keycloak.adapters.OAuthRequestAuthenticator
>> checkStateCookie
>> WARN: No state cookie
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user