Hi Aritz,

A great way to figure out what is sent from the reverse proxy to your Keycloak server is to use the Undertow request dumper.

From the jboss-cli just add the request dumper filter to your undertow configuration like this:

$KC_HOME/bin/jboss-cli.sh -c

/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)

/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add

/:reload

Given your Apache config looks something like this:

  ProxyRequests Off
  ProxyPreserveHost On
  ProxyVia On

  ProxyPass /auth ajp://127.0.0.1:8009/auth
  ProxyPassReverse /auth ajp://127.0.0.1:8009/auth


you should see something like this (the forwarded info is somewhat rubbish in this example as I am running the hosts on VirtualBox, but you can see this request was put through 2 proxies, from the local PC 192.168.33.1 to haproxy on 192.168.33.80 and then the Apache reverse proxy on 192.168.33.81):

==============================================================
23:47:20,563 INFO  [io.undertow.request.dump] (default task-14)
----------------------------REQUEST---------------------------
               URI=/auth/welcome-content/favicon.ico
 characterEncoding=null
     contentLength=-1
       contentType=null
            header=Accept=*/*
            header=Accept-Language=en-US,en;q=0.8,de;q=0.6
            header=Cache-Control=no-cache
            header=Accept-Encoding=gzip, deflate, sdch
            header=DNT=1
            header=Pragma=no-cache
            header=X-Original-To=192.168.33.80
            header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
            header=Authorization=Basic bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Port=443
            header=X-Forwarded-For=192.168.33.1
            header=Referer=https://login.vagrant.dev/auth/
            header=Host=login.vagrant.dev
            locale=[en_US, en, de]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=192.168.33.1:0
        remoteHost=192.168.33.1
            scheme=https
              host=login.vagrant.dev
        serverPort=443
--------------------------RESPONSE--------------------------
     contentLength=627
       contentType=application/octet-stream
            header=Cache-Control=max-age=2592000
            header=X-Powered-By=Undertow/1
            header=Server=WildFly/10


Hope this helps with diagnosing your issue.

Niels

On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <amaeztu@tesicnor.com> wrote:

I'm using Keycloak to secure some Spring based services (with the Keycloak Spring Security adapter). The adapter creates a `/login` endpoint in each of the services which redirects to the Keycloak login page and then redirects back to the service when authentication is done. I also have a proxy service which I want to publish on port 80 and which will take care of routing all the requests to each service. The proxy performs a plain FORWARD to the service, but the problem comes when I secure the service with the Keycloak adapter.

When I make a request, the adapter redirects to its login endpoint and then to the Keycloak auth URL. When Keycloak sends the redirection, the URL shown in the browser is the one from the service and not the one from the proxy. Do I have some way to tell the adapter I want to redirect back to the first requested URL?


--
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax.: 948 21 40 41
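
Added example, not part of either message: a small Python parser for the request-dumper output shown in the reply. It flags credential headers that the dumper writes to the server log in clear text, compares the X-Forwarded-* headers with the scheme and port the server resolved, and redacts credential values before a dump is shared. The sample dump, the header list and the function names are constructed for illustration.

```python
import re

SENSITIVE = {"authorization", "proxy-authorization", "cookie"}

# Constructed sample in the layout of the dump above (all values are made up).
SAMPLE = """\
----------------------------REQUEST---------------------------
               URI=/auth/realms/demo/account
            header=Authorization=Basic ZXhhbXBsZTpleGFtcGxl
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Port=443
            header=Host=login.example.test
            scheme=http
        serverPort=8080
--------------------------RESPONSE--------------------------
     contentLength=627
"""

def parse_request(dump):
    """Return (fields, headers) for the REQUEST part of one dump entry."""
    fields, headers, in_request = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if re.fullmatch(r"-+REQUEST-+", line):
            in_request = True
        elif re.fullmatch(r"-+RESPONSE-+", line):
            break  # response fields are not part of what the proxy sent
        elif in_request and "=" in line:
            key, value = line.split("=", 1)
            if key == "header":  # header=<Name>=<value>
                name, _, value = value.partition("=")
                headers[name.lower()] = value
            else:
                fields[key] = value
    return fields, headers

def review(dump):
    """List logged credentials and forwarded values the server did not adopt."""
    fields, headers = parse_request(dump)
    findings = [f"credential header '{n}' is logged in clear text"
                for n in sorted(headers.keys() & SENSITIVE)]
    for hdr, field in (("x-forwarded-proto", "scheme"), ("x-forwarded-port", "serverPort")):
        if hdr in headers and headers[hdr] != fields.get(field):
            findings.append(f"{hdr}={headers[hdr]} but {field}={fields.get(field)}")
    return findings

def redact(dump):
    """Blank credential header values so the dump can be posted or archived."""
    pat = re.compile(r"(header=(?:%s)=).*" % "|".join(sorted(SENSITIVE)), re.I)
    return pat.sub(r"\1[REDACTED]", dump)
```

A mismatch between the forwarded values and `scheme`/`serverPort` means the server is not building its view of the request from what the proxy sent. Since the dumper logs every request, remove the filter again once the diagnosis is done.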
