11:47 p.m.
Hi everyone,
I am experimenting "too many redirects"/infinite loops issues in the
browser when I try to connect with social providers. I am also getting
internal server error on Chrome via google account (Caused by:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
configuration, but I did everything "by the book":
# realm Require SSL:none
#nginx
http {
gzip on;
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/html text/css application/json
application/x-javascript application/xml application/xml+rss
text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
include /etc/nginx/mime.types;
upstream tomcat_server {
server localhost:8080;
}
upstream keycloak_server {
server localhost:8180;
}
server {
listen 80;
server_name podcastmania.ro;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name podcastmania.ro www.podcastmania.ro;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
root /opt/tomcat/webapps/ROOT;
try_files $uri /maintenance.html @tomcat;
}
location @tomcat {
proxy_pass http://tomcat_server;
proxy_set_header Host $host; #to change the "Host" header
set by default to $proxy_host to $host - the originating host request
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
root
/opt/keycloak/standalone/configuration/themes/keycloak/;
try_files $uri @keycloak;
}
location @keycloak {
proxy_pass http://keycloak_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
}
}
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default"
socket-binding="http"
*redirect-socket="proxy-https"
proxy-address-forwarding="true"*/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<socket-binding name="management-http"
interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
* <socket-binding name="proxy-https" port="443"/>*
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<context:component-scan base-package="org.keycloak.adapters.springsecurity"
/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="keycloakAuthenticationProvider"
/>
</security:authentication-manager>
<bean id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
<constructor-arg value="classpath:keycloak.json" />
</bean>
<bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/>
<bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/>
<bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/>
<bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
<constructor-arg name="authenticationManager"
ref="authenticationManager" />
</bean>
<bean id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
<constructor-arg ref="adapterDeploymentContext" />
</bean>
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg name="logoutSuccessUrl" value="/" />
<constructor-arg name="handlers">
<list>
<ref bean="keycloakLogoutHandler" />
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
</list>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/sso/logout**" />
<constructor-arg name="httpMethod" value="GET" />
</bean>
</property>
</bean>
<security:http auto-config="false" use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/users/registration"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirm-email"
access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirmed" access="permitAll"/>
<security:intercept-url pattern="/users/**/*"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:custom-filter ref="logoutFilter"
position="LOGOUT_FILTER" />
</security:http>
Has anyone faced similar issues?
Thanks,
Adrian
5:28 a.m.
I suppose you're using Keycloak 1.7? There is known issue related to
this NoClassDefFoundError . You can workaround it by edit file
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
and add the line:
<module name="org.keycloak.keycloak-broker-core"/>
into dependencies section. Same for module
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
Marek
On 28/01/16 06:47, Adrian Matei wrote:
Hi everyone,
I am experimenting "too many redirects"/infinite loops issues in the
browser when I try to connect with social providers. I am also getting
internal server error on Chrome via google account (Caused by:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
configuration, but I did everything "by the book":
# realm Require SSL:none
#nginx
http {
gzip on;
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/html text/css application/json
application/x-javascript application/xml application/xml+rss
text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
include /etc/nginx/mime.types;
upstream tomcat_server {
server localhost:8080;
}
upstream keycloak_server {
server localhost:8180;
}
server {
listen 80;
server_name podcastmania.ro <http://podcastmania.ro/>;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name podcastmania.ro <http://podcastmania.ro/>
www.podcastmania.ro <http://www.podcastmania.ro/>;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
root /opt/tomcat/webapps/ROOT;
try_files $uri /maintenance.html @tomcat;
}
location @tomcat {
proxy_pass http://tomcat_server <http://tomcat_server/>;
proxy_set_header Host $host; #to change the "Host"
header set by default to $proxy_host to $host - the originating host
request
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
root
/opt/keycloak/standalone/configuration/themes/keycloak/;
try_files $uri @keycloak;
}
location @keycloak {
proxy_pass http://keycloak_server
<http://keycloak_server/>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
}
}
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default"
socket-binding="http"
*redirect-socket="proxy-https"
proxy-address-forwarding="true"*/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<socket-binding name="management-http"
interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager"
port="4713"/>
* <socket-binding name="proxy-https" port="443"/>*
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<context:component-scan
base-package="org.keycloak.adapters.springsecurity" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="keycloakAuthenticationProvider"
/>
</security:authentication-manager>
<bean id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
<constructor-arg value="classpath:keycloak.json" />
</bean>
<bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/>
<bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/>
<bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/>
<bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
<constructor-arg name="authenticationManager"
ref="authenticationManager" />
</bean>
<bean id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
<constructor-arg ref="adapterDeploymentContext" />
</bean>
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg name="logoutSuccessUrl" value="/" />
<constructor-arg name="handlers">
<list>
<ref bean="keycloakLogoutHandler" />
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
</list>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/sso/logout**"
/>
<constructor-arg name="httpMethod" value="GET" />
</bean>
</property>
</bean>
<security:http auto-config="false" use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/users/registration"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/**/*"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:custom-filter ref="logoutFilter"
position="LOGOUT_FILTER" />
</security:http>
Has anyone faced similar issues?
Thanks,
Adrian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:23 a.m.
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the
same "This webpage has a redirect loop" message when trying to sign in with
Google also...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
I suppose you're using Keycloak 1.7? There is known issue related
to this
NoClassDefFoundError . You can workaround it by edit file
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
and add the line:
<module name="org.keycloak.keycloak-broker-core"/>
into dependencies section. Same for module
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
Marek
On 28/01/16 06:47, Adrian Matei wrote:
Hi everyone,
I am experimenting "too many redirects"/infinite loops issues in the
browser when I try to connect with social providers. I am also getting
internal server error on Chrome via google account (Caused by:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
configuration, but I did everything "by the book":
# realm Require SSL:none
#nginx
http {
gzip on;
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/html text/css application/json
application/x-javascript application/xml application/xml+rss
text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
include /etc/nginx/mime.types;
upstream tomcat_server {
server localhost:8080;
}
upstream keycloak_server {
server localhost:8180;
}
server {
listen 80;
server_name podcastmania.ro;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name podcastmania.ro <http://www.podcastmania.ro/>
www.podcastmania.ro;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
root /opt/tomcat/webapps/ROOT;
try_files $uri /maintenance.html @tomcat;
}
location @tomcat {
proxy_pass http://tomcat_server;
proxy_set_header Host $host; #to change the "Host" header
set by default to $proxy_host to $host - the originating host request
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
root
/opt/keycloak/standalone/configuration/themes/keycloak/;
try_files $uri @keycloak;
}
location @keycloak {
proxy_pass http://keycloak_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
}
}
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default"
socket-binding="http" *redirect-socket="proxy-https"
proxy-address-forwarding="true"*/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<socket-binding name="management-http"
interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager"
port="4713"/>
* <socket-binding name="proxy-https" port="443"/>*
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<context:component-scan base-package="org.keycloak.adapters.springsecurity"
/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="keycloakAuthenticationProvider"
/></security:authentication-manager>
<bean id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
<constructor-arg value="classpath:keycloak.json"
/></bean><bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/><bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/><bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/><bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
<constructor-arg name="authenticationManager"
ref="authenticationManager" /></bean>
<bean id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
<constructor-arg ref="adapterDeploymentContext" /></bean>
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg name="logoutSuccessUrl" value="/" />
<constructor-arg name="handlers">
<list>
<ref bean="keycloakLogoutHandler" />
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
</list>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/sso/logout**" />
<constructor-arg name="httpMethod" value="GET" />
</bean>
</property></bean>
<security:http auto-config="false" use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/users/registration"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/**/*"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:custom-filter ref="logoutFilter"
position="LOGOUT_FILTER" /></security:http>
Has anyone faced similar issues?
Thanks,
Adrian
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
8:35 a.m.
Does login through Google works if you don't use nginx proxy? Is there
anything in the log?
Marek
On 28/01/16 13:23, Adrian Matei wrote:
Thanks Marek, that fixed the NoClassDefFoundError, but now I am
getting the same "This webpage has a redirect loop" message when
trying to sign in with Google also...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
I suppose you're using Keycloak 1.7? There is known issue related
to this NoClassDefFoundError . You can workaround it by edit file
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
and add the line:
<module name="org.keycloak.keycloak-broker-core"/>
into dependencies section. Same for module
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
Marek
On 28/01/16 06:47, Adrian Matei wrote:
> Hi everyone,
>
> I am experimenting "too many redirects"/infinite loops issues in
> the browser when I try to connect with social providers. I am
> also getting internal server error on Chrome via google account
> (Caused by: java.lang.NoClassDefFoundError:
> org/keycloak/broker/provider/BrokeredIdentityContext). It might
> be my configuration, but I did everything "by the book":
>
> # realm Require SSL:none
>
> #nginx
> http {
> gzip on;
> gzip_proxied any;
> #gzip_proxied no-cache no-store private expired auth;
> gzip_types text/plain text/html text/css application/json
> application/x-javascript application/xml application/xml+rss
> text/javascript application/javascript text/x-js;
> #gzip_min_length 1000;
>
>
> server_tokens off; #hides nginx version and OS running on
> include /etc/nginx/mime.types;
>
>
> upstream tomcat_server {
> server localhost:8080;
> }
> upstream keycloak_server {
> server localhost:8180;
> }
>
> server {
> listen 80;
> server_name podcastmania.ro
> <http://podcastmania.ro/>;
> return 301 https://$host$request_uri;
> }
>
> server {
>
> listen 443 ssl;
>
> server_name podcastmania.ro
> <http://podcastmania.ro/> www.podcastmania.ro
> <http://www.podcastmania.ro>;
>
> ssl_certificate /etc/nginx/ssl/nginx.crt;
> ssl_certificate_key /etc/nginx/ssl/nginx.key;
> location / {
> root /opt/tomcat/webapps/ROOT;
> try_files $uri /maintenance.html @tomcat;
> }
>
> location @tomcat {
> proxy_pass http://tomcat_server
> <http://tomcat_server/>;
>
> proxy_set_header Host $host; #to change the
> "Host" header set by default to $proxy_host to $host - the
> originating host request
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> }
>
>
> location /auth/ {
> root
> /opt/keycloak/standalone/configuration/themes/keycloak/;
> try_files $uri @keycloak;
> }
>
> location @keycloak {
> proxy_pass http://keycloak_server
> <http://keycloak_server/>;
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Port 443;
> }
>
>
> }
>
>
> # standalone.xml
> <subsystem xmlns="urn:jboss:domain:undertow:2.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default"
> socket-binding="http" *redirect-socket="proxy-https"
> proxy-address-forwarding="true"*/>
> <host name="default-host"
alias="localhost">
> <location name="/"
handler="welcome-content"/>
> <filter-ref name="server-header"/>
> <filter-ref name="x-powered-by-header"/>
> </host>
> </server>
>
> <socket-binding-group name="standard-sockets"
> default-interface="public"
> port-offset="${jboss.socket.binding.port-offset:100}">
> <socket-binding name="management-http"
> interface="management"
port="${jboss.management.http.port:9990}"/>
> <socket-binding name="management-https"
> interface="management"
port="${jboss.management.https.port:9993}"/>
> <socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
> <socket-binding name="http"
port="${jboss.http.port:8080}"/>
> <socket-binding name="https"
> port="${jboss.https.port:8443}"/>
> <socket-binding name="txn-recovery-environment"
port="4712"/>
> <socket-binding name="txn-status-manager"
port="4713"/>
> * <socket-binding name="proxy-https"
port="443"/>*
> <outbound-socket-binding name="mail-smtp">
> <remote-destination host="localhost"
port="25"/>
> </outbound-socket-binding>
> </socket-binding-group>
>
> # app:spring security configuration
> <context:component-scan
> base-package="org.keycloak.adapters.springsecurity" />
>
> <security:authentication-manager alias="authenticationManager">
> <security:authentication-provider
> ref="keycloakAuthenticationProvider" />
> </security:authentication-manager>
>
> <bean id="adapterDeploymentContext"
>
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
> <constructor-arg value="classpath:keycloak.json" />
> </bean>
> <bean id="keycloakAuthenticationEntryPoint"
>
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
> />
> <bean id="keycloakAuthenticationProvider"
>
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
> />
> <bean id="keycloakPreAuthActionsFilter"
>
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
> />
> <bean id="keycloakAuthenticationProcessingFilter"
>
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
> <constructor-arg name="authenticationManager"
> ref="authenticationManager" />
> </bean>
>
> <bean id="keycloakLogoutHandler"
>
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
> <constructor-arg ref="adapterDeploymentContext" />
> </bean>
>
> <bean id="logoutFilter"
>
class="org.springframework.security.web.authentication.logout.LogoutFilter">
> <constructor-arg name="logoutSuccessUrl" value="/"
/>
> <constructor-arg name="handlers">
> <list>
> <ref bean="keycloakLogoutHandler" />
> <bean
>
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
> />
> </list>
> </constructor-arg>
> <property name="logoutRequestMatcher">
> <bean
>
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
> <constructor-arg name="pattern"
value="/sso/logout**" />
> <constructor-arg name="httpMethod" value="GET"
/>
> </bean>
> </property>
> </bean>
>
> <security:http auto-config="false" use-expressions="true"
> entry-point-ref="keycloakAuthenticationEntryPoint">
> <security:custom-filter ref="keycloakPreAuthActionsFilter"
> before="LOGOUT_FILTER" />
> <security:custom-filter
> ref="keycloakAuthenticationProcessingFilter"
> before="FORM_LOGIN_FILTER" />
> <security:intercept-url pattern="/users/registration"
> access="permitAll"/>
> <security:intercept-url
> pattern="/users/registration/confirm-email"
access="permitAll"/>
> <security:intercept-url pattern="/users/registration/confirmed"
> access="permitAll"/>
> <security:intercept-url pattern="/users/password-forgotten"
> access="permitAll"/>
> <security:intercept-url
> pattern="/users/password-forgotten/confirm-email"
> access="permitAll"/>
> <security:intercept-url
> pattern="/users/password-forgotten/confirmed"
access="permitAll"/>
> <security:intercept-url pattern="/users/**/*"
> access="hasRole('ROLE_USER')"/>
> <security:intercept-url pattern="/**"
access="permitAll"/>
> <security:custom-filter ref="logoutFilter"
> position="LOGOUT_FILTER" />
> </security:http>
>
> Has anyone faced similar issues?
>
> Thanks,
> Adrian
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2:12 p.m.
Hi Marek,
everything works fine with both fb and google logins via nginx as reverse
proxy, as long as I do everything over HTTP. Once I switch to HTTPS now I
get either "Invalid parameter:redirect_uri" (the redirect_uri query
parameter is generated with *http, not https* in the navigation bar) before
reaching the login form dialog or the redirect loops (fb login) or Error:
redirect_uri_mismatch with google login if I manage to get passed that...
In the realm client configuration I've added both https://podcastmania.ro/*
and http://podcastmania.ro/* as valid redirect URIs.
Note: the builtin account application can be accessed correctly both with
fb and google via https too...
I guess the next step would be to try to secure also the channel between
nginx and keycloak, but that shouldn't be mandatory right?...
Thanks,
Adrian
On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Does login through Google works if you don't use nginx proxy? Is
there
anything in the log?
Marek
On 28/01/16 13:23, Adrian Matei wrote:
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting
the same "This webpage has a redirect loop" message when trying to sign in
with Google also...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda(a)redhat.com>
wrote:
> I suppose you're using Keycloak 1.7? There is known issue related to this
> NoClassDefFoundError . You can workaround it by edit file
>
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
> and add the line:
>
> <module name="org.keycloak.keycloak-broker-core"/>
>
> into dependencies section. Same for module
>
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>
> Marek
>
>
>
> On 28/01/16 06:47, Adrian Matei wrote:
>
> Hi everyone,
>
> I am experimenting "too many redirects"/infinite loops issues in the
> browser when I try to connect with social providers. I am also getting
> internal server error on Chrome via google account (Caused by:
> java.lang.NoClassDefFoundError:
> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
> configuration, but I did everything "by the book":
>
> # realm Require SSL:none
>
> #nginx
> http {
> gzip on;
> gzip_proxied any;
> #gzip_proxied no-cache no-store private expired auth;
> gzip_types text/plain text/html text/css application/json
> application/x-javascript application/xml application/xml+rss
> text/javascript application/javascript text/x-js;
> #gzip_min_length 1000;
>
>
> server_tokens off; #hides nginx version and OS running on
> include /etc/nginx/mime.types;
>
>
> upstream tomcat_server {
> server localhost:8080;
> }
> upstream keycloak_server {
> server localhost:8180;
> }
>
> server {
> listen 80;
> server_name podcastmania.ro;
> return 301 <https://$host$request_uri>
> https://$host$request_uri;
> }
>
> server {
>
> listen 443 ssl;
>
> server_name podcastmania.ro <http://www.podcastmania.ro>
> www.podcastmania.ro;
>
> ssl_certificate /etc/nginx/ssl/nginx.crt;
> ssl_certificate_key /etc/nginx/ssl/nginx.key;
> location / {
> root /opt/tomcat/webapps/ROOT;
> try_files $uri /maintenance.html @tomcat;
> }
>
> location @tomcat {
> proxy_pass <http://tomcat_server/>http://tomcat_server;
>
> proxy_set_header Host $host; #to change the "Host" header
> set by default to $proxy_host to $host - the originating host request
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> }
>
>
> location /auth/ {
> root
> /opt/keycloak/standalone/configuration/themes/keycloak/;
> try_files $uri @keycloak;
> }
>
> location @keycloak {
> proxy_pass <http://keycloak_server/>
> http://keycloak_server;
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Port 443;
> }
>
>
> }
>
>
> # standalone.xml
> <subsystem xmlns="urn:jboss:domain:undertow:2.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default"
socket-binding="http" *redirect-socket="proxy-https"
> proxy-address-forwarding="true"*/>
> <host name="default-host"
alias="localhost">
> <location name="/"
handler="welcome-content"/>
> <filter-ref name="server-header"/>
> <filter-ref name="x-powered-by-header"/>
> </host>
> </server>
>
> <socket-binding-group name="standard-sockets"
> default-interface="public"
> port-offset="${jboss.socket.binding.port-offset:100}">
> <socket-binding name="management-http"
interface="management"
> port="${jboss.management.http.port:9990}"/>
> <socket-binding name="management-https"
interface="management"
> port="${jboss.management.https.port:9993}"/>
> <socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
> <socket-binding name="http"
port="${jboss.http.port:8080}"/>
> <socket-binding name="https"
port="${jboss.https.port:8443}"/>
> <socket-binding name="txn-recovery-environment"
port="4712"/>
> <socket-binding name="txn-status-manager"
port="4713"/>
> * <socket-binding name="proxy-https" port="443"/>*
> <outbound-socket-binding name="mail-smtp">
> <remote-destination host="localhost"
port="25"/>
> </outbound-socket-binding>
> </socket-binding-group>
>
> # app:spring security configuration
>
> <context:component-scan
base-package="org.keycloak.adapters.springsecurity" />
> <security:authentication-manager alias="authenticationManager">
> <security:authentication-provider ref="keycloakAuthenticationProvider"
/></security:authentication-manager>
> <bean id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
> <constructor-arg value="classpath:keycloak.json"
/></bean><bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/><bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/><bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/><bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
> <constructor-arg name="authenticationManager"
ref="authenticationManager" /></bean>
> <bean id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
> <constructor-arg ref="adapterDeploymentContext" /></bean>
> <bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
> <constructor-arg name="logoutSuccessUrl" value="/" />
> <constructor-arg name="handlers">
> <list>
> <ref bean="keycloakLogoutHandler" />
> <bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
> </list>
> </constructor-arg>
> <property name="logoutRequestMatcher">
> <bean
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
> <constructor-arg name="pattern" value="/sso/logout**"
/>
> <constructor-arg name="httpMethod" value="GET" />
> </bean>
> </property></bean>
> <security:http auto-config="false" use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
> <security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
> <security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
> <security:intercept-url pattern="/users/registration"
access="permitAll"/>
> <security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
> <security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
> <security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
> <security:intercept-url
pattern="/users/password-forgotten/confirm-email"
access="permitAll"/>
> <security:intercept-url pattern="/users/password-forgotten/confirmed"
access="permitAll"/>
> <security:intercept-url pattern="/users/**/*"
access="hasRole('ROLE_USER')"/>
> <security:intercept-url pattern="/**"
access="permitAll"/>
> <security:custom-filter ref="logoutFilter"
position="LOGOUT_FILTER" /></security:http>
>
>
> Has anyone faced similar issues?
>
> Thanks,
> Adrian
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
2:07 a.m.
Ran into your issue, found that securing the channel between nginx and keycloak did the
trick.
—Doug
From:
<keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>
on behalf of Adrian Matei
<adrianmatei@gmail.com<mailto:adrianmatei@gmail.com>>
Date: Friday, January 29, 2016 at 4:12 AM
To: Marek Posolda <mposolda@redhat.com<mailto:mposolda@redhat.com>>
Cc: keycloak-user
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Hi Marek,
everything works fine with both fb and google logins via nginx as reverse proxy, as long
as I do everything over HTTP. Once I switch to HTTPS now I get either "Invalid
parameter:redirect_uri" (the redirect_uri query parameter is generated with http, not
https in the navigation bar) before reaching the login form dialog or the redirect loops
(fb login) or Error: redirect_uri_mismatch with google login if I manage to get passed
that... In the realm client configuration I've added both https://podcastmania.ro/*
and http://podcastmania.ro/* as valid redirect URIs.
Note: the builtin account application can be accessed correctly both with fb and google
via https too...
I guess the next step would be to try to secure also the channel between nginx and
keycloak, but that shouldn't be mandatory right?...
Thanks,
Adrian
On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda
<mposolda@redhat.com<mailto:mposolda@redhat.com>> wrote:
Does login through Google works if you don't use nginx proxy? Is there anything in the
log?
Marek
On 28/01/16 13:23, Adrian Matei wrote:
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same
"This webpage has a redirect loop" message when trying to sign in with Google
also...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda
<mposolda@redhat.com<mailto:mposolda@redhat.com>> wrote:
I suppose you're using Keycloak 1.7? There is known issue related to this
NoClassDefFoundError . You can workaround it by edit file
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
and add the line:
<module name="org.keycloak.keycloak-broker-core"/>
into dependencies section. Same for module
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
Marek
On 28/01/16 06:47, Adrian Matei wrote:
Hi everyone,
I am experimenting "too many redirects"/infinite loops issues in the browser
when I try to connect with social providers. I am also getting internal server error on
Chrome via google account (Caused by: java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my configuration, but I
did everything "by the book":
# realm Require SSL:none
#nginx
http {
gzip on;
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/html text/css application/json application/x-javascript
application/xml application/xml+rss text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
include /etc/nginx/mime.types;
upstream tomcat_server {
server localhost:8080;
}
upstream keycloak_server {
server localhost:8180;
}
server {
listen 80;
server_name podcastmania.ro<http://podcastmania.ro/>;
return 301 <https://$host$request_uri> https://$host$request_uri;
}
server {
listen 443 ssl;
server_name podcastmania.ro<http://podcastmania.ro/>
<http://www.podcastmania.ro> www.podcastmania.ro<http://www.podcastmania.ro>;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
root /opt/tomcat/webapps/ROOT;
try_files $uri /maintenance.html @tomcat;
}
location @tomcat {
proxy_pass <http://tomcat_server/> http://tomcat_server;
proxy_set_header Host $host; #to change the "Host" header set by
default to $proxy_host to $host - the originating host request
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
root /opt/keycloak/standalone/configuration/themes/keycloak/;
try_files $uri @keycloak;
}
location @keycloak {
proxy_pass <http://keycloak_server/> http://keycloak_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
}
}
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"
redirect-socket="proxy-https" proxy-address-forwarding="true"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<socket-binding name="management-http"
interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https"
interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
<socket-binding name="http"
port="${jboss.http.port:8080}"/>
<socket-binding name="https"
port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment"
port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<socket-binding name="proxy-https" port="443"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<context:component-scan base-package="org.keycloak.adapters.springsecurity"
/><security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="keycloakAuthenticationProvider"
/></security:authentication-manager><bean
id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
<constructor-arg value="classpath:keycloak.json" /></bean><bean
id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/><bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/><bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/><bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
<constructor-arg name="authenticationManager"
ref="authenticationManager" /></bean><bean
id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
<constructor-arg ref="adapterDeploymentContext" /></bean><bean
id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg name="logoutSuccessUrl" value="/" />
<constructor-arg name="handlers">
<list>
<ref bean="keycloakLogoutHandler" />
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
</list>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/sso/logout**" />
<constructor-arg name="httpMethod" value="GET" />
</bean>
</property></bean><security:http auto-config="false"
use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/users/registration"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/**/*"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:custom-filter ref="logoutFilter"
position="LOGOUT_FILTER" /></security:http>
Has anyone faced similar issues?
Thanks,
Adrian
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>https://lists.jboss.org/mailman/listinfo/keycloak-user
12:13 a.m.
Hey Doug,
Thanks for the info. Did that too, but I am still getting that infamous
invalid *redirect_uri* which contains *http* instead of *https*, though I
set up https everywhere - need to look at it with a fresh mind I guess...
Adrian
On Fri, Jan 29, 2016 at 9:07 AM, Doug Szeto <DSzeto(a)investlab.com> wrote:
Ran into your issue, found that securing the channel between nginx
and
keycloak did the trick.
—Doug
From: <keycloak-user-bounces(a)lists.jboss.org> on behalf of Adrian Matei <
adrianmatei(a)gmail.com>
Date: Friday, January 29, 2016 at 4:12 AM
To: Marek Posolda <mposolda(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many
redirects issue
Hi Marek,
everything works fine with both fb and google logins via nginx as reverse
proxy, as long as I do everything over HTTP. Once I switch to HTTPS now I
get either "Invalid parameter:redirect_uri" (the redirect_uri query
parameter is generated with *http, not https* in the navigation bar)
before reaching the login form dialog or the redirect loops (fb login) or Error:
redirect_uri_mismatch with google login if I manage to get passed that...
In the realm client configuration I've added both
https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect
URIs.
Note: the builtin account application can be accessed correctly both with
fb and google via https too...
I guess the next step would be to try to secure also the channel between
nginx and keycloak, but that shouldn't be mandatory right?...
Thanks,
Adrian
On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda <mposolda(a)redhat.com>
wrote:
> Does login through Google works if you don't use nginx proxy? Is there
> anything in the log?
>
> Marek
>
>
> On 28/01/16 13:23, Adrian Matei wrote:
>
> Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting
> the same "This webpage has a redirect loop" message when trying to sign in
> with Google also...
>
> On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
>
>> I suppose you're using Keycloak 1.7? There is known issue related to
>> this NoClassDefFoundError . You can workaround it by edit file
>>
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
>> and add the line:
>>
>> <module name="org.keycloak.keycloak-broker-core"/>
>>
>> into dependencies section. Same for module
>>
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>>
>> Marek
>>
>>
>>
>> On 28/01/16 06:47, Adrian Matei wrote:
>>
>> Hi everyone,
>>
>> I am experimenting "too many redirects"/infinite loops issues in the
>> browser when I try to connect with social providers. I am also getting
>> internal server error on Chrome via google account (Caused by:
>> java.lang.NoClassDefFoundError:
>> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
>> configuration, but I did everything "by the book":
>>
>> # realm Require SSL:none
>>
>> #nginx
>> http {
>> gzip on;
>> gzip_proxied any;
>> #gzip_proxied no-cache no-store private expired auth;
>> gzip_types text/plain text/html text/css application/json
>> application/x-javascript application/xml application/xml+rss
>> text/javascript application/javascript text/x-js;
>> #gzip_min_length 1000;
>>
>>
>> server_tokens off; #hides nginx version and OS running on
>> include /etc/nginx/mime.types;
>>
>>
>> upstream tomcat_server {
>> server localhost:8080;
>> }
>> upstream keycloak_server {
>> server localhost:8180;
>> }
>>
>> server {
>> listen 80;
>> server_name podcastmania.ro;
>> return 301 <https://$host$request_uri>
>> https://$host$request_uri;
>> }
>>
>> server {
>>
>> listen 443 ssl;
>>
>> server_name podcastmania.ro
>> <http://www.podcastmania.ro>www.podcastmania.ro;
>>
>> ssl_certificate /etc/nginx/ssl/nginx.crt;
>> ssl_certificate_key /etc/nginx/ssl/nginx.key;
>> location / {
>> root /opt/tomcat/webapps/ROOT;
>> try_files $uri /maintenance.html @tomcat;
>> }
>>
>> location @tomcat {
>> proxy_pass <http://tomcat_server/>http://tomcat_server;
>>
>> proxy_set_header Host $host; #to change the "Host"
>> header set by default to $proxy_host to $host - the originating host request
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For
>> $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $scheme;
>> }
>>
>>
>> location /auth/ {
>> root
>> /opt/keycloak/standalone/configuration/themes/keycloak/;
>> try_files $uri @keycloak;
>> }
>>
>> location @keycloak {
>> proxy_pass <http://keycloak_server/>
>> http://keycloak_server;
>>
>> proxy_set_header Host $host;
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For
>> $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $scheme;
>> proxy_set_header X-Forwarded-Port 443;
>> }
>>
>>
>> }
>>
>>
>> # standalone.xml
>> <subsystem xmlns="urn:jboss:domain:undertow:2.0">
>> <buffer-cache name="default"/>
>> <server name="default-server">
>> <http-listener name="default"
socket-binding="http" *redirect-socket="proxy-https"
>> proxy-address-forwarding="true"*/>
>> <host name="default-host"
alias="localhost">
>> <location name="/"
handler="welcome-content"/>
>> <filter-ref name="server-header"/>
>> <filter-ref name="x-powered-by-header"/>
>> </host>
>> </server>
>>
>> <socket-binding-group name="standard-sockets"
>> default-interface="public"
>> port-offset="${jboss.socket.binding.port-offset:100}">
>> <socket-binding name="management-http"
interface="management"
>> port="${jboss.management.http.port:9990}"/>
>> <socket-binding name="management-https"
interface="management"
>> port="${jboss.management.https.port:9993}"/>
>> <socket-binding name="ajp"
port="${jboss.ajp.port:8009}"/>
>> <socket-binding name="http"
port="${jboss.http.port:8080}"/>
>> <socket-binding name="https"
port="${jboss.https.port:8443}"/>
>> <socket-binding name="txn-recovery-environment"
port="4712"/>
>> <socket-binding name="txn-status-manager"
port="4713"/>
>> * <socket-binding name="proxy-https"
port="443"/>*
>> <outbound-socket-binding name="mail-smtp">
>> <remote-destination host="localhost"
port="25"/>
>> </outbound-socket-binding>
>> </socket-binding-group>
>>
>> # app:spring security configuration
>>
>> <context:component-scan
base-package="org.keycloak.adapters.springsecurity"
/><security:authentication-manager alias="authenticationManager">
>> <security:authentication-provider
ref="keycloakAuthenticationProvider"
/></security:authentication-manager><bean
id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
>> <constructor-arg value="classpath:keycloak.json"
/></bean><bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/><bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/><bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/><bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
>> <constructor-arg name="authenticationManager"
ref="authenticationManager" /></bean><bean
id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
>> <constructor-arg ref="adapterDeploymentContext"
/></bean><bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
>> <constructor-arg name="logoutSuccessUrl" value="/"
/>
>> <constructor-arg name="handlers">
>> <list>
>> <ref bean="keycloakLogoutHandler" />
>> <bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
>> </list>
>> </constructor-arg>
>> <property name="logoutRequestMatcher">
>> <bean
class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>> <constructor-arg name="pattern"
value="/sso/logout**" />
>> <constructor-arg name="httpMethod" value="GET"
/>
>> </bean>
>> </property></bean><security:http auto-config="false"
use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
>> <security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
>> <security:custom-filter
ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
>> <security:intercept-url pattern="/users/registration"
access="permitAll"/>
>> <security:intercept-url
pattern="/users/registration/confirm-email" access="permitAll"/>
>> <security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
>> <security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
>> <security:intercept-url
pattern="/users/password-forgotten/confirm-email"
access="permitAll"/>
>> <security:intercept-url
pattern="/users/password-forgotten/confirmed" access="permitAll"/>
>> <security:intercept-url pattern="/users/**/*"
access="hasRole('ROLE_USER')"/>
>> <security:intercept-url pattern="/**"
access="permitAll"/>
>> <security:custom-filter ref="logoutFilter"
position="LOGOUT_FILTER" /></security:http>
>>
>>
>> Has anyone faced similar issues?
>>
>> Thanks,
>> Adrian
>>
>>
>> _______________________________________________
>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
3253
days inactive
3255
days old
6 comments
3 participants
participants (3)
-
Adrian Matei -
Doug Szeto -
Marek Posolda