Does login through Google works if you don't use nginx proxy? Is there anything in the log?

Marek

On 28/01/16 13:23, Adrian Matei wrote:
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same "This webpage has a redirect loop" message when trying to sign in with Google also...

On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda@redhat.com> wrote:
I suppose you're using Keycloak 1.7? There is known issue related to this NoClassDefFoundError . You can workaround it by edit file $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml and add the line:

<module name="org.keycloak.keycloak-broker-core"/>

into dependencies section. Same for module $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml

Marek



On 28/01/16 06:47, Adrian Matei wrote:
Hi everyone,

I am experimenting "too many redirects"/infinite loops issues in the browser when I try to connect with social providers. I am also getting internal server error on Chrome via google account (Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext). It might be my configuration, but I did everything "by the book":

# realm Require SSL:none

#nginx
http {
        gzip on;
        gzip_proxied any;
        #gzip_proxied no-cache no-store private expired auth;
        gzip_types text/plain text/html text/css application/json application/x-javascript  application/xml application/xml+rss text/javascript application/javascript text/x-js;
        #gzip_min_length 1000;


        server_tokens off; #hides nginx version and OS running on
        include /etc/nginx/mime.types;


        upstream tomcat_server {
                server localhost:8080;
        }
        upstream keycloak_server {
                server localhost:8180;
        }

        server {
                listen 80;
                server_name podcastmania.ro;
                return 301 https://$host$request_uri;
        }

        server {

                listen 443 ssl;

                server_name podcastmania.ro www.podcastmania.ro;

           ssl_certificate /etc/nginx/ssl/nginx.crt;
           ssl_certificate_key /etc/nginx/ssl/nginx.key;
         location / {
                root /opt/tomcat/webapps/ROOT;
                try_files $uri /maintenance.html @tomcat;
            }

            location @tomcat {
                proxy_pass http://tomcat_server;

                proxy_set_header Host $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request
                proxy_set_header X-Real-IP          $remote_addr;
                proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto  $scheme;
            }


            location /auth/ {
                root   /opt/keycloak/standalone/configuration/themes/keycloak/;
                try_files $uri @keycloak;
            }

             location @keycloak {
                proxy_pass http://keycloak_server;

                proxy_set_header Host               $host;
                proxy_set_header X-Real-IP          $remote_addr;
                proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto  $scheme;
                proxy_set_header X-Forwarded-Port   443;
            }


        }


# standalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="proxy-https"  proxy-address-forwarding="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                </host>
            </server>

    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <socket-binding name="proxy-https" port="443"/>
         <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>

# app:spring security configuration
<context:component-scan base-package="org.keycloak.adapters.springsecurity" />

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="keycloakAuthenticationProvider" />
</security:authentication-manager>

<bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
  <constructor-arg value="classpath:keycloak.json" />
</bean>
<bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
<bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
<bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />
<bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
  <constructor-arg name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
  <constructor-arg ref="adapterDeploymentContext" />
</bean>

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <constructor-arg name="logoutSuccessUrl" value="/" />
  <constructor-arg name="handlers">
    <list>
      <ref bean="keycloakLogoutHandler" />
      <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </list>
  </constructor-arg>
  <property name="logoutRequestMatcher">
    <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
      <constructor-arg name="pattern" value="/sso/logout**" />
      <constructor-arg name="httpMethod" value="GET" />
    </bean>
  </property>
</bean>

<security:http auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint">
  <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
  <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
  <security:intercept-url pattern="/users/registration" access="permitAll"/>
  <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
  <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
  <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
  <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
  <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>
  <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
  <security:intercept-url pattern="/**" access="permitAll"/>
  <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>

Has anyone faced similar issues?

Thanks,
Adrian


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user