Hi Michael!
Before we do any code change, could you check if your answer is not in the
following thread?
Looks like SpringSec should correctly handle the x-forwarded-proto and host
headers...
On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman <michael_furman(a)hotmail.com>
wrote:
Hi Sebastien,
(I have changed the subject since the root cause of the problem is
different.)
I have debugged the code and I have found the following.
Please look at getRedirectUri of org.keycloak.adapters.OAuthRequestAuthenticator.
It just takes the request URI and creates the redirect URI string:

    protected String getRedirectUri(String state) {
        String url = this.getRequestUrl();

Please note that when you work behind a proxy, getRequestUrl() will always
return localhost, and therefore I think the SpringSecurity adapter cannot work
behind an HTTP proxy.
How can I change the code in a minimal way so that it will support the HTTP
proxy?
Best regards,
Michael
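An added example, not Keycloak or Spring Security code, of the behaviour Sebastien alludes to and Michael is asking for: rebuilding the browser-facing URL from X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port instead of the localhost address Tomcat sees. The security-relevant part is that the forwarded headers are honoured only when the TCP peer is a known proxy; if an adapter trusted them from any client, whoever sends the request could steer the redirect_uri. The Request interface, the ForwardedUrlResolver class, the trusted address 127.0.0.1 and the sample headers are all constructed for this example and are not part of the thread.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Keycloak or Spring Security code: rebuilds the browser-facing URL
// behind a reverse proxy, honouring X-Forwarded-* headers only from trusted proxies.
public class ForwardedUrlResolver {

    // Hypothetical minimal view of a request, so the example runs without a servlet container.
    public interface Request {
        String scheme();            // scheme as Tomcat saw it, e.g. "http"
        String serverName();        // host as Tomcat saw it, e.g. "localhost"
        int serverPort();           // port as Tomcat saw it, e.g. 8081
        String requestURI();        // path, e.g. "/app/sso/login"
        String remoteAddr();        // TCP peer; the proxy's address when behind one
        String header(String name); // header value, or null when absent
    }

    // Accept only a plain hostname or IPv4 literal with an optional :port from X-Forwarded-Host.
    private static final Pattern HOST_PATTERN = Pattern.compile("^[A-Za-z0-9.-]+(:[0-9]{1,5})?$");

    private final Set<String> trustedProxies;

    public ForwardedUrlResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    // Returns the URL the browser used. X-Forwarded-* is applied only when the TCP peer
    // is a known proxy; from any other client the headers are ignored, so a caller cannot
    // steer the redirect_uri by sending them straight to Tomcat.
    public String externalUrl(Request req) {
        String scheme = req.scheme();
        String host = req.serverName();
        int port = req.serverPort();

        if (trustedProxies.contains(req.remoteAddr())) {
            String proto = req.header("X-Forwarded-Proto");
            if ("https".equalsIgnoreCase(proto) || "http".equalsIgnoreCase(proto)) {
                scheme = proto.toLowerCase();
                port = -1; // assume the scheme's default port unless a forwarded port says otherwise
            }
            String fwdHost = req.header("X-Forwarded-Host");
            if (fwdHost != null) {
                fwdHost = fwdHost.split(",")[0].trim(); // first hop when proxies are chained
                if (HOST_PATTERN.matcher(fwdHost).matches()) {
                    int colon = fwdHost.indexOf(':');
                    host = colon < 0 ? fwdHost : fwdHost.substring(0, colon);
                    port = colon < 0 ? -1 : Integer.parseInt(fwdHost.substring(colon + 1));
                }
            }
            String fwdPort = req.header("X-Forwarded-Port");
            if (fwdPort != null && fwdPort.matches("[0-9]{1,5}")) {
                port = Integer.parseInt(fwdPort);
            }
        }

        boolean defaultPort = port == -1
                || ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        return scheme + "://" + host + (defaultPort ? "" : ":" + port) + req.requestURI();
    }

    // Constructed sample request: what Tomcat sees for the thread's /app/sso/login callback.
    static Request sample(String remoteAddr, Map<String, String> headers) {
        return new Request() {
            public String scheme() { return "http"; }
            public String serverName() { return "localhost"; }
            public int serverPort() { return 8081; }
            public String requestURI() { return "/app/sso/login"; }
            public String remoteAddr() { return remoteAddr; }
            public String header(String name) { return headers.get(name); }
        };
    }

    public static void main(String[] args) {
        // In the thread httpd runs on the same machine as Tomcat, so loopback is the trusted proxy.
        ForwardedUrlResolver resolver = new ForwardedUrlResolver(Set.of("127.0.0.1"));
        Map<String, String> viaProxy = Map.of(
                "X-Forwarded-Proto", "https",
                "X-Forwarded-Host", "192.168.110.2:8443");

        // Request relayed by httpd: forwarded headers are trusted and the external URL is rebuilt.
        System.out.println(resolver.externalUrl(sample("127.0.0.1", viaProxy)));
        // Same headers sent straight to Tomcat from an untrusted address: ignored.
        System.out.println(resolver.externalUrl(sample("10.0.0.7", viaProxy)));
        // No forwarded headers at all: the URL Tomcat itself saw.
        System.out.println(resolver.externalUrl(sample("127.0.0.1", Map.of())));
    }
}
```

The first call yields the external https URL the browser actually used, which is the value a registered redirect URI in the IDP can match; the second and third fall back to the localhost URL Tomcat saw, which is exactly what the thread observes when the forwarded headers are not taken into account. Whether the trusted-proxy check is done in the adapter, as here, or delegated to the container (Tomcat's RemoteIpValve or Spring's forwarded-header support), the list of proxy addresses must be configured explicitly rather than trusting every peer.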
------------------------------
*From:* Michael Furman <michael_furman(a)hotmail.com>
*Sent:* Tuesday, December 13, 2016 2:25 PM
*To:* Sebastien Blanc
*Subject:* Re: [keycloak-user] Very strange behavior when access to IDP
from SpringSecurity adapter over HTTPS.
Thanks Sebastien,
I see the link but supposed it is related only to Keycloak IDP.
Is it also relevant to SpringSecurity adapter?
Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers?
Best regards,
Michael
------------------------------
*From:* Sebastien Blanc <sblanc(a)redhat.com>
*Sent:* Tuesday, December 13, 2016 2:19 PM
*To:* Michael Furman
*Subject:* Re: [keycloak-user] Very strange behavior when access to IDP
from SpringSecurity adapter over HTTPS.
TBH I have not that much experience with configuring a proxy but:
- Have you looked at
https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
(it also covers proxy configuration)
- Search the user list, I often see questions around this, maybe you can
find your answer there.
On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman <
michael_furman(a)hotmail.com> wrote:
> Hi Sebastien,
>
> The problem is not related to HTTPS but to the reverse proxy.
>
> When I access the SpringSecurity adapter RP over HTTP but behind the
> Apache HTTPD reverse proxy (the client configuration in the IDP is also
> configured for HTTP), the redirect_uri is replaced with localhost:
>
> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid
>
> Then I get the error:
>
> WE'RE SORRY ...
>
> Invalid parameter: redirect_uri
>
> What should I configure to allow it to work with the proxy?
>
> Any help will be appreciated.
>
> Best regards,
>
> Michael
>
>
> ------------------------------
> *From:* keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> on behalf of Michael Furman <
> michael_furman(a)hotmail.com>
> *Sent:* Tuesday, December 13, 2016 1:17 PM
> *To:* Sebastien Blanc
>
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP
> from SpringSecurity adapter over HTTPS.
>
> Hi,
> Important clarification:
> The HTTPS handshake is done by the Apache httpd server, which is also the
> reverse proxy for Tomcat.
>
> Tomcat is located on the same IP.
>
> The SpringSecurity RP is deployed in Tomcat.
>
> Best regards
>
> On Dec 13, 2016 12:44 PM, Michael Furman <michael_furman(a)hotmail.com>
> wrote:
>
> Example 2:
>
> SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
> is also configured for HTTPS)
>
> IDP is over HTTP
>
> Example 3:
>
> SpringSecurity adapter RP is over HTTP (the client configuration in the IDP
> is also configured for HTTP)
>
> IDP is over HTTP
>
> BTW,
>
> Example 1:
>
> SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
> is also configured for HTTPS)
>
> IDP is over HTTPS
>
>
> ________________________________
> From: Sebastien Blanc <sblanc(a)redhat.com>
> Sent: Tuesday, December 13, 2016 12:23 PM
> To: Michael Furman
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Very strange behavior when access to IDP
> from SpringSecurity adapter over HTTPS.
>
> What is the difference between your example 2 and example 3 ?
>
> On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman <
> michael_furman@hotmail.com> wrote:
> Hi all,
> I am trying to access from the SpringSecurity adapter over HTTPS without success.
> When I try to access the IDP over HTTPS, the redirect_uri is replaced with
> localhost:
>
> https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid
>
> Then I get this error in the UI:
> WE'RE SORRY ...
> Invalid parameter: redirect_uri
>
> Similarly, when I try to access the IDP over HTTP, the redirect_uri is
> replaced with localhost:
>
> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid
>
> Same error in the UI:
> WE'RE SORRY ...
> Invalid parameter: redirect_uri
>
> Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri
> have the correct value, and it works:
>
> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid
>
> Finally I can see the login page.
> What is wrong in my configuration?
> Any help will be appreciated.
> Best regards,
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user