3:43 a.m.
Hi everyone,
First email to the group here. I’ve been heavily underway implementing Keycloak for my
app’s auth needs and very impressed with the product. I’ve delayed emailing the group
until I’ve spent hours of time trying to figure out this weird issue I’m experiencing.
This might not be the best place to post this, but figured I’d start here.
For some reason, when I visit my spring boot webapp that’s protected by keycloak it’s
redirecting to keycloak as expected but the redirect_uri is being set with a port of 0
which is causing me to get an error on the keycloak login page saying “invalid
redirect_uri.”
I’ve googled this and I’ve found some people having similar issues, but couldn’t find
solutions (e.g.
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;,
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...>).
My prod/test environment uses an nginx reverse proxy in front of my apps.
I followed these steps:
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...;.
The url that was throwing that error looked like this (see the port of 0 in the url):
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
The keycloak logs contained this error for the above url:
Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/> standalone.sh[20517]:
02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR,
realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111,
error=invalid_redirect_uri, redirect_uri=https://www.example.com
<https://www.example.com/>:0/sso/login
As you can see for some reason the redirect_uri is being set with a port of 0.
I put in the url with port 0 (https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login>) into the keycloak client config under Valid
Redirect URIs and that removed the invalid redirect_url issue and the login page was now
rendering without an error.
However, when the redirect is performed after login, the browser gets screwed up with
having port 0 in there… Google Chrome has this error:
This site can’t be reached
The webpage at
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
might be temporarily down or it may have moved permanently to a new web address.
ERR_ADDRESS_INVALID
Here’s my architecture:
USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042* —>
SPRING BOOT APP (v2.0.5.RELEASE)
USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080* —>
KEYCLOAK SERVER (v4.4.0.Final)
Spring Boot App:
<dependency>
<groupId>org.keycloak.bom</groupId>
<artifactId>keycloak-adapter-bom</artifactId>
<version>4.4.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
Config yaml:
keycloak:
auth-server-url: https://sso.example.com/auth <https://sso.example.com/auth>
realm: my-app
public-client: true
resource: my-client
ssl-required: external
Nginx is configured as a reverse proxy with these settings for the spring boot app:
upstream app {
server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
}
server {
listen 443;
server_name www.example.com <http://www.example.com/>;
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 2;
proxy_pass http://app <http://app/>;
}
}
Nginx is configured as a reverse proxy with these settings for the keycloak server:
upstream sso {
server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
}
server {
listen 443;
server_name sso.example.com <http://sso.example.com/>;
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 2;
proxy_pass http://sso <http://sso/>;
}
}
My keycloak configuration for standalone.xml has these settings:
Undertow config:
<server name="default-server">
<http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" enable-http2="true"
proxy-address-forwarding="true"/>
<https-listener name="https" socket-binding="https"
security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
…
Socket Bindings:
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="proxy-https" port="443"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Thanks for your help, I must have missed something somewhere. I just can’t for the life of
me find out where that port 0 is coming from.
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
3:52 a.m.
Hi,
We have a ticket concerning the 0 added as port :
https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan it
to work on it. But look at the comments, looks like there are some
workarounds for now (the last comment).
Sebi
On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com>
wrote:
Hi everyone,
First email to the group here. I’ve been heavily underway implementing
Keycloak for my app’s auth needs and very impressed with the product. I’ve
delayed emailing the group until I’ve spent hours of time trying to figure
out this weird issue I’m experiencing. This might not be the best place to
post this, but figured I’d start here.
For some reason, when I visit my spring boot webapp that’s protected by
keycloak it’s redirecting to keycloak as expected but the redirect_uri is
being set with a port of 0 which is causing me to get an error on the
keycloak login page saying “invalid redirect_uri.”
I’ve googled this and I’ve found some people having similar issues, but
couldn’t find solutions (e.g.
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;,
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
>).
My prod/test environment uses an nginx reverse proxy in front of my apps.
I followed these steps:
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
>.
The url that was throwing that error looked like this (see the port of 0
in the url):
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
>%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
The keycloak logs contained this error for the above url:
Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/>
standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default
task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null,
ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=
https://www.example.com <https://www.example.com/>:0/sso/login
As you can see for some reason the redirect_uri is being set with a port
of 0.
I put in the url with port 0 (https://www.example.com:0/sso/login <
https://www.example.com:0/sso/login>) into the keycloak client config
under Valid Redirect URIs and that removed the invalid redirect_url issue
and the login page was now rendering without an error.
However, when the redirect is performed after login, the browser gets
screwed up with having port 0 in there… Google Chrome has this error:
This site can’t be reached
The webpage at
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
might be temporarily down or it may have moved permanently to a new web
address.
ERR_ADDRESS_INVALID
Here’s my architecture:
USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042*
—> SPRING BOOT APP (v2.0.5.RELEASE)
USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080*
—> KEYCLOAK SERVER (v4.4.0.Final)
Spring Boot App:
<dependency>
<groupId>org.keycloak.bom</groupId>
<artifactId>keycloak-adapter-bom</artifactId>
<version>4.4.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
Config yaml:
keycloak:
auth-server-url: https://sso.example.com/auth <
https://sso.example.com/auth>
realm: my-app
public-client: true
resource: my-client
ssl-required: external
Nginx is configured as a reverse proxy with these settings for the spring
boot app:
upstream app {
server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
}
server {
listen 443;
server_name www.example.com <http://www.example.com/>;
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 2;
proxy_pass http://app <http://app/>;
}
}
Nginx is configured as a reverse proxy with these settings for the
keycloak server:
upstream sso {
server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
}
server {
listen 443;
server_name sso.example.com <http://sso.example.com/>;
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 2;
proxy_pass http://sso <http://sso/>;
}
}
My keycloak configuration for standalone.xml has these settings:
Undertow config:
<server name="default-server">
<http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" enable-http2="true"
proxy-address-forwarding="true"/>
<https-listener name="https" socket-binding="https"
security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
…
Socket Bindings:
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="proxy-https" port="443"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Thanks for your help, I must have missed something somewhere. I just can’t
for the life of me find out where that port 0 is coming from.
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:30 a.m.
Hi,
I’ve tried a couple things in that comment so far:
1) Verified I’m sending through the headers and the spring boot app is receiving the
headers:
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05 05:15:27.576 INFO
25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController :
host=www.example.com
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-real-ip=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-for=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-proto=https
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
x-forwarded-host=www.example.com
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: x-forwarded-port=443
I tried setting the spring boot keycloak config setting:
keycloak.ssl-required = none
That did remove the port 0 in the redirect_uri being generated but it also set the
redirect uri to be http instead of https, which seems like it’d be bad. I do have nginx
set to redirect all http requests to https anyway.
Is there something else I need to do to get the spring boot app to generate the correct
redirect_uri with https? There must be like some magic config setting I’ve missed
somewhere. I’ll keep digging and share what I find.
Thanks,
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
Hi,
We have a ticket concerning the 0 added as port :
https://issues.jboss.org/browse/KEYCLOAK-7237
<https://issues.jboss.org/browse/KEYCLOAK-7237> but we still need to plan it to work
on it. But look at the comments, looks like there are some workarounds for now (the last
comment).
Sebi
On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com
<mailto:dean@edgewoodsoftware.com>> wrote:
Hi everyone,
First email to the group here. I’ve been heavily underway implementing Keycloak for my
app’s auth needs and very impressed with the product. I’ve delayed emailing the group
until I’ve spent hours of time trying to figure out this weird issue I’m experiencing.
This might not be the best place to post this, but figured I’d start here.
For some reason, when I visit my spring boot webapp that’s protected by keycloak it’s
redirecting to keycloak as expected but the redirect_uri is being set with a port of 0
which is causing me to get an error on the keycloak login page saying “invalid
redirect_uri.”
I’ve googled this and I’ve found some people having similar issues, but couldn’t find
solutions (e.g.
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;,
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...).
My prod/test environment uses an nginx reverse proxy in front of my apps.
I followed these steps:
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...;.
The url that was throwing that error looked like this (see the port of 0 in the url):
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
The keycloak logs contained this error for the above url:
Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/>
<http://sso01.example.com/ <http://sso01.example.com/>> standalone.sh[20517]:
02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR,
realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111,
error=invalid_redirect_uri, redirect_uri=https://www.example.com
<https://www.example.com/> <https://www.example.com/
<https://www.example.com/>>:0/sso/login
As you can see for some reason the redirect_uri is being set with a port of 0.
I put in the url with port 0 (https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login> <https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login>>) into the keycloak client config under
Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was
now rendering without an error.
However, when the redirect is performed after login, the browser gets screwed up with
having port 0 in there… Google Chrome has this error:
This site can’t be reached
The webpage at
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
might be temporarily down or it may have moved permanently to a new web address.
ERR_ADDRESS_INVALID
Here’s my architecture:
USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042* —>
SPRING BOOT APP (v2.0.5.RELEASE)
USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080* —>
KEYCLOAK SERVER (v4.4.0.Final)
Spring Boot App:
<dependency>
<groupId>org.keycloak.bom</groupId>
<artifactId>keycloak-adapter-bom</artifactId>
<version>4.4.0.Final</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
</dependency>
Config yaml:
keycloak:
auth-server-url: https://sso.example.com/auth <https://sso.example.com/auth>
<https://sso.example.com/auth <https://sso.example.com/auth>>
realm: my-app
public-client: true
resource: my-client
ssl-required: external
Nginx is configured as a reverse proxy with these settings for the spring boot app:
upstream app {
server 1.2.3.4:8042 <http://1.2.3.4:8042/> max_fails=1 fail_timeout=60s;
server 1.2.3.4:8042 <http://1.2.3.4:8042/> max_fails=1 fail_timeout=60s;
}
server {
listen 443;
server_name www.example.com <http://www.example.com/>
<http://www.example.com/ <http://www.example.com/>>;
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 2;
proxy_pass http://app <http://app/> <http://app/
<http://app/>>;
}
}
Nginx is configured as a reverse proxy with these settings for the keycloak server:
upstream sso {
server 1.2.3.4:8080 <http://1.2.3.4:8080/> max_fails=1 fail_timeout=60s;
server 1.2.3.4:8080 <http://1.2.3.4:8080/> max_fails=1 fail_timeout=60s;
}
server {
listen 443;
server_name sso.example.com <http://sso.example.com/>
<http://sso.example.com/ <http://sso.example.com/>>;
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_next_upstream error timeout invalid_header http_500;
proxy_connect_timeout 2;
proxy_pass http://sso <http://sso/> <http://sso/
<http://sso/>>;
}
}
My keycloak configuration for standalone.xml has these settings:
Undertow config:
<server name="default-server">
<http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" enable-http2="true"
proxy-address-forwarding="true"/>
<https-listener name="https" socket-binding="https"
security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
…
Socket Bindings:
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="proxy-https" port="443"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Thanks for your help, I must have missed something somewhere. I just can’t for the life
of me find out where that port 0 is coming from.
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
<mailto:dean@edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
4:37 a.m.
TBH No idea if it helps in your case but there is a config property called
"redirect-rewrite-rules" that may help you :
https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...
On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean(a)edgewoodsoftware.com>
wrote:
Hi,
I’ve tried a couple things in that comment so far:
1) Verified I’m sending through the headers and the spring boot app is
receiving the headers:
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]: 2018-10-05
05:15:27.576 INFO 25117 --- [nio-8042-exec-2]
a.c.u.server.controller.IndexController : host=www.example.com
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
x-real-ip=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
x-forwarded-for=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
x-forwarded-proto=https
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
x-forwarded-host=www.example.com
Oct 05 05:15:27 server01.edgewoodsoftware.com java[25117]:
x-forwarded-port=443
I tried setting the spring boot keycloak config setting:
keycloak.ssl-required = none
That did remove the port 0 in the redirect_uri being generated but it also
set the redirect uri to be http instead of https, which seems like it’d be
bad. I do have nginx set to redirect all http requests to https anyway.
Is there something else I need to do to get the spring boot app to
generate the correct redirect_uri with https? There must be like some magic
config setting I’ve missed somewhere. I’ll keep digging and share what I
find.
Thanks,
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com
On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Hi,
We have a ticket concerning the 0 added as port :
https://issues.jboss.org/browse/KEYCLOAK-7237 but we still need to plan
it to work on it. But look at the comments, looks like there are some
workarounds for now (the last comment).
Sebi
On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com>
wrote:
> Hi everyone,
>
> First email to the group here. I’ve been heavily underway implementing
> Keycloak for my app’s auth needs and very impressed with the product. I’ve
> delayed emailing the group until I’ve spent hours of time trying to figure
> out this weird issue I’m experiencing. This might not be the best place to
> post this, but figured I’d start here.
>
> For some reason, when I visit my spring boot webapp that’s protected by
> keycloak it’s redirecting to keycloak as expected but the redirect_uri is
> being set with a port of 0 which is causing me to get an error on the
> keycloak login page saying “invalid redirect_uri.”
>
> I’ve googled this and I’ve found some people having similar issues, but
> couldn’t find solutions (e.g.
>
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
> <
>
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;,
>
>
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
> <
>
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
> >).
>
> My prod/test environment uses an nginx reverse proxy in front of my apps.
>
> I followed these steps:
>
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
> <
>
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
> >.
>
> The url that was throwing that error looked like this (see the port of 0
> in the url):
>
>
>
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
> <
>
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
>
>%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid
>
> The keycloak logs contained this error for the above url:
>
> Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/>
> standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default
> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null,
> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=
> https://www.example.com <https://www.example.com/>:0/sso/login
>
> As you can see for some reason the redirect_uri is being set with a port
> of 0.
>
> I put in the url with port 0 (https://www.example.com:0/sso/login <
> https://www.example.com:0/sso/login>) into the keycloak client config
> under Valid Redirect URIs and that removed the invalid redirect_url issue
> and the login page was now rendering without an error.
>
> However, when the redirect is performed after login, the browser gets
> screwed up with having port 0 in there… Google Chrome has this error:
>
> This site can’t be reached
> The webpage at
>
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
> <
>
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
> might be temporarily down or it may have moved permanently to a new web
> address.
> ERR_ADDRESS_INVALID
>
> Here’s my architecture:
>
> USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042*
> —> SPRING BOOT APP (v2.0.5.RELEASE)
>
> USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080*
> —> KEYCLOAK SERVER (v4.4.0.Final)
>
> Spring Boot App:
>
> <dependency>
> <groupId>org.keycloak.bom</groupId>
> <artifactId>keycloak-adapter-bom</artifactId>
> <version>4.4.0.Final</version>
> <type>pom</type>
> <scope>import</scope>
> </dependency>
>
> ...
>
> <dependency>
> <groupId>org.keycloak</groupId>
> <artifactId>keycloak-spring-boot-starter</artifactId>
> </dependency>
>
> Config yaml:
>
> keycloak:
> auth-server-url: https://sso.example.com/auth <
> https://sso.example.com/auth>
> realm: my-app
> public-client: true
> resource: my-client
> ssl-required: external
>
>
>
> Nginx is configured as a reverse proxy with these settings for the spring
> boot app:
>
> upstream app {
> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s;
> }
>
> server {
> listen 443;
> server_name www.example.com <http://www.example.com/>;
>
> ...
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Port 443;
>
> proxy_next_upstream error timeout invalid_header http_500;
> proxy_connect_timeout 2;
>
> proxy_pass http://app <http://app/>;
> }
> }
>
> Nginx is configured as a reverse proxy with these settings for the
> keycloak server:
>
>
> upstream sso {
> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s;
> }
>
> server {
> listen 443;
> server_name sso.example.com <http://sso.example.com/>;
>
> ...
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Port 443;
> proxy_next_upstream error timeout invalid_header http_500;
> proxy_connect_timeout 2;
>
> proxy_pass http://sso <http://sso/>;
> }
> }
>
> My keycloak configuration for standalone.xml has these settings:
>
> Undertow config:
>
> <server name="default-server">
> <http-listener name="default" socket-binding="http"
> redirect-socket="proxy-https" enable-http2="true"
> proxy-address-forwarding="true"/>
> <https-listener name="https" socket-binding="https"
> security-realm="ApplicationRealm" enable-http2="true"/>
> <host name="default-host" alias="localhost">
> <http-invoker security-realm="ApplicationRealm"/>
> </host>
> </server>
>
> …
>
> Socket Bindings:
>
> <socket-binding-group name="standard-sockets"
default-interface="public"
> port-offset="${jboss.socket.binding.port-offset:0}">
> <socket-binding name="management-http"
interface="management"
> port="${jboss.management.http.port:9990}"/>
> <socket-binding name="management-https"
interface="management"
> port="${jboss.management.https.port:9993}"/>
> <socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
> <socket-binding name="http"
port="${jboss.http.port:8080}"/>
> <socket-binding name="proxy-https" port="443"/>
> <socket-binding name="https"
port="${jboss.https.port:8443}"/>
> <socket-binding name="txn-recovery-environment"
port="4712"/>
> <socket-binding name="txn-status-manager"
port="4713"/>
> <outbound-socket-binding name="mail-smtp">
> <remote-destination host="localhost" port="25"/>
> </outbound-socket-binding>
> </socket-binding-group>
>
>
>
>
>
> Thanks for your help, I must have missed something somewhere. I just
> can’t for the life of me find out where that port 0 is coming from.
>
>
> Dean Poulin
> Owner & Principal Software Engineer
> edgewood software
> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
5:26 a.m.
After a bit more trial and error the final setting that worked for me was to set:
keycloak:
ssl-required: external
confidential-port: 443
Setting confidential-port to 443 is now generating the correct redirect_uri and having
ssl-required set to external is using forcing https correctly. The redirect_uri no longer
has port 0.
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
Thanks again for your help pointing me in the right direction.
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
On Oct 5, 2018, at 5:37 AM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
TBH No idea if it helps in your case but there is a config property called
"redirect-rewrite-rules" that may help you :
https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...
<https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...
On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean(a)edgewoodsoftware.com
<mailto:dean@edgewoodsoftware.com>> wrote:
Hi,
I’ve tried a couple things in that comment so far:
1) Verified I’m sending through the headers and the spring boot app is receiving the
headers:
Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: 2018-10-05 05:15:27.576 INFO
25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController :
host=www.example.com <http://www.example.com/>
Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-real-ip=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-forwarded-for=1.2.3.4
Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-forwarded-proto=https
Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]:
x-forwarded-host=www.example.com <http://www.example.com/>
Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-forwarded-port=443
I tried setting the spring boot keycloak config setting:
keycloak.ssl-required = none
That did remove the port 0 in the redirect_uri being generated but it also set the
redirect uri to be http instead of https, which seems like it’d be bad. I do have nginx
set to redirect all http requests to https anyway.
Is there something else I need to do to get the spring boot app to generate the correct
redirect_uri with https? There must be like some magic config setting I’ve missed
somewhere. I’ll keep digging and share what I find.
Thanks,
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com
<mailto:sblanc@redhat.com>> wrote:
>
> Hi,
>
> We have a ticket concerning the 0 added as port :
https://issues.jboss.org/browse/KEYCLOAK-7237
<https://issues.jboss.org/browse/KEYCLOAK-7237> but we still need to plan it to work
on it. But look at the comments, looks like there are some workarounds for now (the last
comment).
>
> Sebi
>
>
> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com
<mailto:dean@edgewoodsoftware.com>> wrote:
> Hi everyone,
>
> First email to the group here. I’ve been heavily underway implementing Keycloak for
my app’s auth needs and very impressed with the product. I’ve delayed emailing the group
until I’ve spent hours of time trying to figure out this weird issue I’m experiencing.
This might not be the best place to post this, but figured I’d start here.
>
> For some reason, when I visit my spring boot webapp that’s protected by keycloak it’s
redirecting to keycloak as expected but the redirect_uri is being set with a port of 0
which is causing me to get an error on the keycloak login page saying “invalid
redirect_uri.”
>
> I’ve googled this and I’ve found some people having similar issues, but couldn’t find
solutions (e.g.
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;,
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...).
>
> My prod/test environment uses an nginx reverse proxy in front of my apps.
>
> I followed these steps:
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...;.
>
> The url that was throwing that error looked like this (see the port of 0 in the
url):
>
>
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
>
> The keycloak logs contained this error for the above url:
>
> Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/>
<http://sso01.example.com/ <http://sso01.example.com/>> standalone.sh[20517]:
02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR,
realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111,
error=invalid_redirect_uri, redirect_uri=https://www.example.com
<https://www.example.com/> <https://www.example.com/
<https://www.example.com/>>:0/sso/login
>
> As you can see for some reason the redirect_uri is being set with a port of 0.
>
> I put in the url with port 0 (https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login> <https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login>>) into the keycloak client config under
Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was
now rendering without an error.
>
> However, when the redirect is performed after login, the browser gets screwed up with
having port 0 in there… Google Chrome has this error:
>
> This site can’t be reached
> The webpage at
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
might be temporarily down or it may have moved permanently to a new web address.
> ERR_ADDRESS_INVALID
>
> Here’s my architecture:
>
> USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042*
—> SPRING BOOT APP (v2.0.5.RELEASE)
>
> USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080*
—> KEYCLOAK SERVER (v4.4.0.Final)
>
> Spring Boot App:
>
> <dependency>
> <groupId>org.keycloak.bom</groupId>
> <artifactId>keycloak-adapter-bom</artifactId>
> <version>4.4.0.Final</version>
> <type>pom</type>
> <scope>import</scope>
> </dependency>
>
> ...
>
> <dependency>
> <groupId>org.keycloak</groupId>
> <artifactId>keycloak-spring-boot-starter</artifactId>
> </dependency>
>
> Config yaml:
>
> keycloak:
> auth-server-url: https://sso.example.com/auth <https://sso.example.com/auth>
<https://sso.example.com/auth <https://sso.example.com/auth>>
> realm: my-app
> public-client: true
> resource: my-client
> ssl-required: external
>
>
>
> Nginx is configured as a reverse proxy with these settings for the spring boot app:
>
> upstream app {
> server 1.2.3.4:8042 <http://1.2.3.4:8042/> max_fails=1 fail_timeout=60s;
> server 1.2.3.4:8042 <http://1.2.3.4:8042/> max_fails=1 fail_timeout=60s;
> }
>
> server {
> listen 443;
> server_name www.example.com <http://www.example.com/>
<http://www.example.com/ <http://www.example.com/>>;
>
> ...
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Port 443;
>
> proxy_next_upstream error timeout invalid_header http_500;
> proxy_connect_timeout 2;
>
> proxy_pass http://app <http://app/> <http://app/
<http://app/>>;
> }
> }
>
> Nginx is configured as a reverse proxy with these settings for the keycloak server:
>
>
> upstream sso {
> server 1.2.3.4:8080 <http://1.2.3.4:8080/> max_fails=1 fail_timeout=60s;
> server 1.2.3.4:8080 <http://1.2.3.4:8080/> max_fails=1 fail_timeout=60s;
> }
>
> server {
> listen 443;
> server_name sso.example.com <http://sso.example.com/>
<http://sso.example.com/ <http://sso.example.com/>>;
>
> ...
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Port 443;
> proxy_next_upstream error timeout invalid_header http_500;
> proxy_connect_timeout 2;
>
> proxy_pass http://sso <http://sso/> <http://sso/
<http://sso/>>;
> }
> }
>
> My keycloak configuration for standalone.xml has these settings:
>
> Undertow config:
>
> <server name="default-server">
> <http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" enable-http2="true"
proxy-address-forwarding="true"/>
> <https-listener name="https" socket-binding="https"
security-realm="ApplicationRealm" enable-http2="true"/>
> <host name="default-host" alias="localhost">
> <http-invoker security-realm="ApplicationRealm"/>
> </host>
> </server>
>
> …
>
> Socket Bindings:
>
> <socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
> <socket-binding name="management-http"
interface="management" port="${jboss.management.http.port:9990}"/>
> <socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
> <socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
> <socket-binding name="http"
port="${jboss.http.port:8080}"/>
> <socket-binding name="proxy-https" port="443"/>
> <socket-binding name="https"
port="${jboss.https.port:8443}"/>
> <socket-binding name="txn-recovery-environment"
port="4712"/>
> <socket-binding name="txn-status-manager"
port="4713"/>
> <outbound-socket-binding name="mail-smtp">
> <remote-destination host="localhost" port="25"/>
> </outbound-socket-binding>
> </socket-binding-group>
>
>
>
>
>
> Thanks for your help, I must have missed something somewhere. I just can’t for the
life of me find out where that port 0 is coming from.
>
>
> Dean Poulin
> Owner & Principal Software Engineer
> edgewood software
> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
<mailto:dean@edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
7:51 p.m.
TL;DR
I finally tracked this down. Ultimately, my issue was caused by my reverse proxy server IP
not being trusted by the default proxy IP addresses used by tomcat in the
org.apache.catalina.valves.RemoteIpValve. Specifically needed to set
server.tomcat.internal-proxies.
Once I set this setting in my configuration, and added the appropriate trusted upstream
proxy address, the application now trusts the http requests and the spring boot app views
the protocol as https and the OAuthRequestAuthenticator works properly.
I was also able to remove other settings that were just side effects of the ultimate
misconfiguration. This now works properly for me:
server:
use-forward-headers: true
tomcat:
internal-proxies:
192\\.168\\.\\d{1,3}\\.\\d{1,3}|10\\.0\\.\\d{1,3}\\.\\d{1,3}|1.2.3.4
keycloak:
auth-server-url: https://sso.example.com/auth
resource: my-client
ssl-required: external
realm: my-app
public-client: true
principal-attribute: preferred_username
----------------------------
That previous change got me up to being able see the login page without an error. After
login now the keycloak server redirects me to my spring boot app and it throws an
exception in the keycloak adapter OAuthRequestAuthenticator thinking it’s not on SSL:
"Adapter requires SSL."
I must be missing something simple to get the spring boot app to think it’s running on
SSL.
I have tried all the settings with nginx and spring boot for x-forwarded-for and
x-forwarded-proto but for some reason the HttpFacade still thinks that the requests are
http and not https.
I’m using embedded tomcat with spring boot config:
server:
use-forward-headers: true
tomcat:
remote_ip_header: x-forwarded-for
protocol_header: x-forwarded-proto
keycloak:
auth-server-url: https://www.example.com:443/auth
confidential-port: 443
ssl-required: none
realm: my-app
public-client: true
resource: my-client
principal-attribute: preferred_username
I verified my upstream proxy is sending the x-forwarded-* headers and that the spring boot
app is getting the headers.
If I set keycloak.ssl-required: none along with confidential-port: 443 in Spring Boot
Config that causes the redirect_uri to be set as http and I have to add
http://www.example.com/* <http://www.example.com/*> as a Valid Redirect URI in
keycloak for the client. Which I’m assuming is a HUGE security hole correct? I am able to
login and the app works and tokens are exchanged, but I feel like sending redirects over
HTTP in the browser and using my reverse proxy to redirect those HTTP requests back over
to HTTPS is leaking what should be secure url parameters over HTTP.
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.813 ERROR
32174 --- [nio-8042-exec-7] o.k.adapters.OAuthRequestAuthenticator : Adapter requires
SSL. Request:
http://www.example.com/sso/login?state=a80b5a61-1925-44dd-8f6c-aa18bf0c75...
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.814 DEBUG
32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Auth outcome:
FAILED
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.820 DEBUG
32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Authentication
request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException:
Invalid authorization header, see WWW-Authenticate header for details
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]:
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid
authorization header, see WWW-Authenticate header for details
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157)
~[keycloak-spring-security-adapter-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
~[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
[keycloak-spring-security-adapter-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
[spring-security-web-5.0.8.RELEASE.jar!/:5.0.8.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155)
[spring-boot-actuator-2.0.5.RELEASE.jar!/:2.0.5.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123)
[spring-boot-actuator-2.0.5.RELEASE.jar!/:2.0.5.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
[spring-boot-actuator-2.0.5.RELEASE.jar!/:2.0.5.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
[spring-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
[spring-boot-container-bundle-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
[spring-boot-container-bundle-4.4.0.Final.jar!/:4.4.0.Final]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:685)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_151]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_151]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-embed-core-8.5.34.jar!/:8.5.34]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: at
java.lang.Thread.run(Thread.java:748) [na:1.8.0_151]
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.822 DEBUG
32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Updated
SecurityContextHolder to contain null Authentication
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.822 DEBUG
32174 --- [nio-8042-exec-7] f.KeycloakAuthenticationProcessingFilter : Delegating to
authentication failure handler
org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler@3fceae8c
Oct 05 18:28:02 server01.edgewoodsoftware.com java[32174]: 2018-10-05 18:28:02.827 DEBUG
32174 --- [nio-8042-exec-7] o.k.adapters.PreAuthActionsHandler : adminRequest
http://www.example.com/error?state=a80b5a61-1925-44dd-8f6c-aa18bf0c7572&a...
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
On Oct 5, 2018, at 6:26 AM, Dean Poulin
<dean(a)edgewoodsoftware.com> wrote:
After a bit more trial and error the final setting that worked for me was to set:
keycloak:
ssl-required: external
confidential-port: 443
Setting confidential-port to 443 is now generating the correct redirect_uri and having
ssl-required set to external is using forcing https correctly. The redirect_uri no longer
has port 0.
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
Thanks again for your help pointing me in the right direction.
Dean Poulin
Owner & Principal Software Engineer
edgewood software
email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
> On Oct 5, 2018, at 5:37 AM, Sebastien Blanc <sblanc(a)redhat.com
<mailto:sblanc@redhat.com>> wrote:
>
> TBH No idea if it helps in your case but there is a config property called
"redirect-rewrite-rules" that may help you :
https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...
<https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...
>
>
> On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean(a)edgewoodsoftware.com
<mailto:dean@edgewoodsoftware.com>> wrote:
> Hi,
>
> I’ve tried a couple things in that comment so far:
>
> 1) Verified I’m sending through the headers and the spring boot app is receiving the
headers:
>
> Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: 2018-10-05 05:15:27.576 INFO
25117 --- [nio-8042-exec-2] a.c.u.server.controller.IndexController :
host=www.example.com <http://www.example.com/>
> Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-real-ip=1.2.3.4
> Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-forwarded-for=1.2.3.4
> Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-forwarded-proto=https
> Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]:
x-forwarded-host=www.example.com <http://www.example.com/>
> Oct 05 05:15:27 server01.edgewoodsoftware.com
<http://server01.edgewoodsoftware.com/> java[25117]: x-forwarded-port=443
>
> I tried setting the spring boot keycloak config setting:
>
> keycloak.ssl-required = none
>
> That did remove the port 0 in the redirect_uri being generated but it also set the
redirect uri to be http instead of https, which seems like it’d be bad. I do have nginx
set to redirect all http requests to https anyway.
>
> Is there something else I need to do to get the spring boot app to generate the
correct redirect_uri with https? There must be like some magic config setting I’ve missed
somewhere. I’ll keep digging and share what I find.
>
> Thanks,
>
> Dean Poulin
> Owner & Principal Software Engineer
> edgewood software
> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
>
>
>> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com
<mailto:sblanc@redhat.com>> wrote:
>>
>> Hi,
>>
>> We have a ticket concerning the 0 added as port :
https://issues.jboss.org/browse/KEYCLOAK-7237
<https://issues.jboss.org/browse/KEYCLOAK-7237> but we still need to plan it to work
on it. But look at the comments, looks like there are some workarounds for now (the last
comment).
>>
>> Sebi
>>
>>
>> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com
<mailto:dean@edgewoodsoftware.com>> wrote:
>> Hi everyone,
>>
>> First email to the group here. I’ve been heavily underway implementing Keycloak
for my app’s auth needs and very impressed with the product. I’ve delayed emailing the
group until I’ve spent hours of time trying to figure out this weird issue I’m
experiencing. This might not be the best place to post this, but figured I’d start here.
>>
>> For some reason, when I visit my spring boot webapp that’s protected by keycloak
it’s redirecting to keycloak as expected but the redirect_uri is being set with a port of
0 which is causing me to get an error on the keycloak login page saying “invalid
redirect_uri.”
>>
>> I’ve googled this and I’ve found some people having similar issues, but couldn’t
find solutions (e.g.
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...;,
https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...
<https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...).
>>
>> My prod/test environment uses an nginx reverse proxy in front of my apps.
>>
>> I followed these steps:
https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...
<https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...;.
>>
>> The url that was throwing that error looked like this (see the port of 0 in the
url):
>>
>>
https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
<https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...
>>
>> The keycloak logs contained this error for the above url:
>>
>> Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/>
<http://sso01.example.com/ <http://sso01.example.com/>> standalone.sh[20517]:
02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR,
realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111,
error=invalid_redirect_uri, redirect_uri=https://www.example.com
<https://www.example.com/> <https://www.example.com/
<https://www.example.com/>>:0/sso/login
>>
>> As you can see for some reason the redirect_uri is being set with a port of 0.
>>
>> I put in the url with port 0 (https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login> <https://www.example.com:0/sso/login
<https://www.example.com:0/sso/login>>) into the keycloak client config under
Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was
now rendering without an error.
>>
>> However, when the redirect is performed after login, the browser gets screwed up
with having port 0 in there… Google Chrome has this error:
>>
>> This site can’t be reached
>> The webpage at
https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
<https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...
might be temporarily down or it may have moved permanently to a new web address.
>> ERR_ADDRESS_INVALID
>>
>> Here’s my architecture:
>>
>> USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042*
—> SPRING BOOT APP (v2.0.5.RELEASE)
>>
>> USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080*
—> KEYCLOAK SERVER (v4.4.0.Final)
>>
>> Spring Boot App:
>>
>> <dependency>
>> <groupId>org.keycloak.bom</groupId>
>> <artifactId>keycloak-adapter-bom</artifactId>
>> <version>4.4.0.Final</version>
>> <type>pom</type>
>> <scope>import</scope>
>> </dependency>
>>
>> ...
>>
>> <dependency>
>> <groupId>org.keycloak</groupId>
>> <artifactId>keycloak-spring-boot-starter</artifactId>
>> </dependency>
>>
>> Config yaml:
>>
>> keycloak:
>> auth-server-url: https://sso.example.com/auth
<https://sso.example.com/auth> <https://sso.example.com/auth
<https://sso.example.com/auth>>
>> realm: my-app
>> public-client: true
>> resource: my-client
>> ssl-required: external
>>
>>
>>
>> Nginx is configured as a reverse proxy with these settings for the spring boot
app:
>>
>> upstream app {
>> server 1.2.3.4:8042 <http://1.2.3.4:8042/> max_fails=1
fail_timeout=60s;
>> server 1.2.3.4:8042 <http://1.2.3.4:8042/> max_fails=1
fail_timeout=60s;
>> }
>>
>> server {
>> listen 443;
>> server_name www.example.com <http://www.example.com/>
<http://www.example.com/ <http://www.example.com/>>;
>>
>> ...
>>
>> location / {
>> proxy_set_header Host $host;
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $scheme;
>> proxy_set_header X-Forwarded-Host $host;
>> proxy_set_header X-Forwarded-Port 443;
>>
>> proxy_next_upstream error timeout invalid_header http_500;
>> proxy_connect_timeout 2;
>>
>> proxy_pass http://app <http://app/> <http://app/
<http://app/>>;
>> }
>> }
>>
>> Nginx is configured as a reverse proxy with these settings for the keycloak
server:
>>
>>
>> upstream sso {
>> server 1.2.3.4:8080 <http://1.2.3.4:8080/> max_fails=1
fail_timeout=60s;
>> server 1.2.3.4:8080 <http://1.2.3.4:8080/> max_fails=1
fail_timeout=60s;
>> }
>>
>> server {
>> listen 443;
>> server_name sso.example.com <http://sso.example.com/>
<http://sso.example.com/ <http://sso.example.com/>>;
>>
>> ...
>>
>> location / {
>> proxy_set_header Host $host;
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $scheme;
>> proxy_set_header X-Forwarded-Host $host;
>> proxy_set_header X-Forwarded-Port 443;
>> proxy_next_upstream error timeout invalid_header http_500;
>> proxy_connect_timeout 2;
>>
>> proxy_pass http://sso <http://sso/> <http://sso/
<http://sso/>>;
>> }
>> }
>>
>> My keycloak configuration for standalone.xml has these settings:
>>
>> Undertow config:
>>
>> <server name="default-server">
>> <http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" enable-http2="true"
proxy-address-forwarding="true"/>
>> <https-listener name="https" socket-binding="https"
security-realm="ApplicationRealm" enable-http2="true"/>
>> <host name="default-host" alias="localhost">
>> <http-invoker security-realm="ApplicationRealm"/>
>> </host>
>> </server>
>>
>> …
>>
>> Socket Bindings:
>>
>> <socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
>> <socket-binding name="management-http"
interface="management" port="${jboss.management.http.port:9990}"/>
>> <socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
>> <socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
>> <socket-binding name="http"
port="${jboss.http.port:8080}"/>
>> <socket-binding name="proxy-https" port="443"/>
>> <socket-binding name="https"
port="${jboss.https.port:8443}"/>
>> <socket-binding name="txn-recovery-environment"
port="4712"/>
>> <socket-binding name="txn-status-manager"
port="4713"/>
>> <outbound-socket-binding name="mail-smtp">
>> <remote-destination host="localhost"
port="25"/>
>> </outbound-socket-binding>
>> </socket-binding-group>
>>
>>
>>
>>
>>
>> Thanks for your help, I must have missed something somewhere. I just can’t for
the life of me find out where that port 0 is coming from.
>>
>>
>> Dean Poulin
>> Owner & Principal Software Engineer
>> edgewood software
>> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>
<mailto:dean@edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
2745
days inactive
2746
days old
5 comments
2 participants
participants (2)
-
Dean Poulin -
Sebastien Blanc