Hey, thanks for the quick reply.
The setup is in fact very simple, and just for some quick testing: gatekeeper is running
alongside apache/php in the VM; in fact I was trying to replace apache's
mod_auth_openidc that I used in a different VM with gatekeeper to have a look at how it
works. That is why I configured gatekeeper to listen on the eth0 IP address, whereas apache is
listening on loopback (upstream-url in the gatekeeper config file).
In Keycloak, the configuration is basic as well, just the client name and redirect URI.
Regards,
Ronald
-----Original Message-----
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 08.Mar.2019 11:34 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Yeah, but we need to think about all the possibilities. Another thing I noticed in your
configuration is that your listen address diverges from your redirect URL.
I'd suggest isolating the problem by first trying your setup locally to see if it
works, and later moving to VMs.
Like Sebi, at first glance I'd suspect the time sync of these VMs.
But you already mentioned that's not the case.
Could you please describe your scenario better? What is running in each VM, for example?
How did you configure your confidential client?
On 2019-03-08, Ronald Demneri wrote:
Hello Bruno,
From my first email:
> I have configured the gatekeeper as a confidential client in
> Keycloak, and have added the redirect_uri
> http://gatekeeper:80/oauth/callback
Which of course I got from the documentation here
https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration
Thanks in advance,
Ronald
-----Original Message-----
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 08.Mar.2019 12:52 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi Ronald, one of the possible reasons for getting this message is the way you
configured the redirect URL on the Keycloak server.
Maybe that's the case?
On 2019-02-15, Ronald Demneri wrote:
> Hi all,
>
> I am trying to get an idea of Gatekeeper and have a very simple setup consisting
> of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
>   roles:
>   - admin
>
> In the logs I receive the following upon a successful login:
>
> {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
>
> {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
>
> {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
>
> {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
>
> {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
>
> {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in
> Keycloak, and have added the redirect_uri
> http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
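The thread leaves two hypotheses open: a mismatch between the proxy's redirection-url and the redirect URI registered on the Keycloak client, and clock skew between the VMs that would make a freshly issued token look expired (the "the access token has expired" error at the /oauth/callback step). The following Python script is an added example, not part of the thread and not code from keycloak-gatekeeper or Keycloak, that checks both offline. It derives the callback from redirection-url using the /oauth/callback path visible in the log's auth_url, compares it against a list of registered redirect URIs (exact match only), and decodes a token's iat/exp claims without verifying the signature to report how far a verifier's clock would have to be off for the token to be rejected. The sample token is constructed and unsigned; the function names and the leeway parameter are assumptions, not gatekeeper options.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Callback path the proxy appends to redirection-url. The thread's log shows
# redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback, i.e. /oauth/callback.
CALLBACK_PATH = "/oauth/callback"


def expected_redirect_uri(redirection_url, callback_path=CALLBACK_PATH):
    """redirect_uri the proxy will send to the IdP, derived from redirection-url."""
    parts = urlsplit(redirection_url)
    return urlunsplit((parts.scheme, parts.netloc, callback_path, "", ""))


def redirect_uri_registered(redirection_url, registered_uris):
    """True when the proxy's callback is among the client's registered redirect URIs.
    Exact string match only; wildcard patterns are deliberately not handled."""
    return expected_redirect_uri(redirection_url) in set(registered_uris)


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for this demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token):
    """Payload claims of a compact JWS, decoded WITHOUT signature verification.
    Use only to inspect timestamps; never base an access decision on them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def token_time_status(token, now, leeway=0):
    """Report whether a verifier whose clock reads `now` (Unix seconds) would
    reject the token on time grounds, and by how many seconds its clock is off
    relative to the issuer's. `leeway` is an assumed tolerance, not a gatekeeper option."""
    claims = jwt_claims(token)
    exp = claims.get("exp")
    nbf = claims.get("nbf", claims.get("iat"))
    status = {"expired": False, "not_yet_valid": False, "skew_needed_s": 0}
    if exp is not None and now > exp + leeway:
        status["expired"] = True
        status["skew_needed_s"] = int(now - exp)
    elif nbf is not None and now + leeway < nbf:
        status["not_yet_valid"] = True
        status["skew_needed_s"] = int(nbf - now)
    return status


if __name__ == "__main__":
    registered = ["http://gatekeeper:80/oauth/callback"]  # from the thread
    print("active redirection-url registered:",
          redirect_uri_registered("http://gatekeeper:80", registered))
    print("commented-out redirection-url registered:",
          redirect_uri_registered("http://10.253.6.41:3000", registered))
    # Constructed token issued at the epoch second of the failing callback
    # (ts 1550234127 in the log) with a 60 s lifetime.
    token = make_unsigned_jwt({"iat": 1550234127, "exp": 1550234187, "sub": "demo"})
    print("verifier in sync:      ", token_time_status(token, now=1550234130))
    print("verifier 10 min ahead: ", token_time_status(token, now=1550234130 + 600))
    print("verifier 10 min behind:", token_time_status(token, now=1550234130 - 600))
```

Run it with the values from your own config and Keycloak client to rule the redirect URI in or out; for the skew check, paste a token captured from a verbose log and pass the proxy host's `date +%s` as `now`. A token rejected as expired a fraction of a second after issuance is the signature of a verifier clock running ahead of the issuer, which is what the time-sync suggestion in the thread is about.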