Hello,
do you see any errors in the keycloak logs?
I experienced the same error multiple times - reasons were either wrong
proxy configuration or wrong keycloak.json or database connectivity
problems on a load-balanced second Keycloak instance.
Since the service on localhost is not affected it could be that your proxy
configuration is wrong.
If you do ssl-termination in the proxy make sure that you set the right
proxy headers:
(from an older mailing list thread)
proxy_pass http://your-upstream-here;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # <- only set this if you’re using SSL
Also remember to configure proxy-address forwarding in undertow:
echo SETUP: Configure Undertow Proxy-Address-Forwarding for use behind Reverse Proxy
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=proxy-address-forwarding,value=true)
For additional debugging you could also configure undertow in Wildfly to
dump all requests to the log
$KEYCLOAK_HOME/bin/jboss-cli.sh -c
/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)
/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
/:reload
Which ssl-mode did you configure in Keycloak admin-console?
Keycloak handles certain IPs differently when set to "ssl-mode: external".
This could explain why
See "ssl-mode" at:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/realms/ssl.html
Try setting "ssl-required: none" in keycloak.json on the second service (if
internal and after ssl termination...):
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.3/topics/oidc/java/java-adapter-config.html
Cheers,
Thomas
On 04.11.2016 4:20 PM, "Ian Lachance" <ian.lachance(a)bionxinternational.com> wrote:
Hi,
We are running Keycloak in production on one of our servers. For now,
Keycloak is used to connect to two of our services, both of them accessed by
HTTPS.
One of them (service #1) is in the same server as Keycloak, and the other
(service #2) is on another server.
We use NGINX to proxy pass to the three services: Keycloak and service #1
on some localhost ports, and service #2 on an external ip address.
When we authenticate on service #1, we have no problem, but when we
authenticate on service #2, an infinite loop occurs on the home page.
When we look at the Keycloak Adapter on service #2, we can see the
Keycloak object with the data (user, token, etc.), but the page refreshes
automatically.
When the page refreshes, it's not caused by a logout call in our JavaScript
code.
Do you have any idea what it can be?
We are using Keycloak version 2.2.1 FINAL.
Thank you,
Ian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
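
Added example (not part of the original message, and not Keycloak or nginx code): a small Python check that reports which proxied nginx locations do not send the forwarding headers listed in the reply above. It accounts for nginx's rule that proxy_set_header directives are inherited from the outer level only when the location defines none of its own. The sample config, its paths and upstream addresses are constructed, and the parser is simplified: no include handling, and http and server level are treated as one outer level.

```python
import re

# Headers taken from the nginx snippet in the message above.
REQUIRED = ("Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto")

# Constructed sample config; paths and upstream addresses are placeholders.
SAMPLE = """
server {
    listen 443 ssl;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    location /auth/ { proxy_pass http://127.0.0.1:8080; }
    location /service2/ {
        proxy_pass http://203.0.113.10:8080;
        proxy_set_header Upgrade $http_upgrade;  # cancels inheritance
    }
}
"""

def headers_set(text):
    return {h.lower() for h in re.findall(r"\bproxy_set_header\s+(\S+)", text)}

def location_blocks(conf):
    """Yield (path, body) per location block, matching nested braces."""
    for m in re.finditer(r"\blocation\s+([^{]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def missing_proxy_headers(conf_text):
    """Map each proxied location to the REQUIRED headers it does not send."""
    conf = re.sub(r"#[^\n]*", "", conf_text)      # strip comments
    blocks = list(location_blocks(conf))
    outer = conf
    for _, body in blocks:                        # remainder = outer level
        outer = outer.replace(body, "")
    inherited, report = headers_set(outer), {}
    for path, body in blocks:
        # nginx inherits proxy_set_header only if the block defines none itself
        effective = headers_set(body) or inherited
        missing = [h for h in REQUIRED if h.lower() not in effective]
        if missing and re.search(r"\bproxy_pass\s", body):
            report[path] = missing
    return report
```

Calling missing_proxy_headers(SAMPLE) flags only /service2/: its single proxy_set_header line replaces all four inherited headers, so the upstream no longer learns that the original request was HTTPS.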