Hi!
Are you using Tomcat? Please have a look at the two documents below. You
need to configure Tomcat properly when behind a load balancer and not using
AJP.
Best regards,
Thomas
On Dec 19, 2016 10:07 PM, "Michael Furman" <michael_furman(a)hotmail.com> wrote:
Hi Sebastien,
I really need your help.
I read the thread and I have configured the Apache HTTP proxy to send all
required X-Forwarded-* headers.
Unfortunately the redirect URI string is still created in the wrong way.
According to my understanding, the Spring Security Adapter should contain
code that handles the X-Forwarded-* headers.
Like io.undertow.server.handlers.ProxyPeerAddressHandler in the IDP.
Can you point me to the code that handles the X-Forwarded-* headers?
Maybe I will find the bug and be able to fix it.
Thanks in advance,
Best regards,
Michael
________________________________
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Thursday, December 15, 2016 12:45 PM
To: Michael Furman
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: How to work with SpringSecurity adapter behind HTTP proxy?
Hi Michael!
Before we do any code change, could you check if your answer is not in
the following thread?
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006287.html
Looks like SpringSec should correctly handle the x-forwarded-proto and
host headers...
On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman <michael_furman@hotmail.com> wrote:
Hi Sebastien,
(I have changed the subject since the root cause of the problem is
different).
I have debugged the code and I have found the following.
Please look at getRedirectUri of org.keycloak.adapters.OAuthRequestAuthenticator:
It just takes the request URI and creates the redirect URI string:
protected String getRedirectUri(String state) {
    String url = this.getRequestUrl();
Please note that when you work behind a proxy, getRequestUrl() will always
return localhost, and therefore I think the SpringSecurity adapter cannot work
behind an HTTP proxy.
How can I change the code in a minimal way so that it will support the HTTP
proxy?
Best regards,
Michael
________________________________
From: Michael Furman <michael_furman(a)hotmail.com>
Sent: Tuesday, December 13, 2016 2:25 PM
To: Sebastien Blanc
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
Thanks Sebastien,
I see the link, but I supposed it is related only to the Keycloak IDP.
Is it also relevant to SpringSecurity adapter?
Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers?
Best regards,
Michael
________________________________
From: Sebastien Blanc <sblanc@redhat.com>
Sent: Tuesday, December 13, 2016 2:19 PM
To: Michael Furman
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
TBH I have not that much experience with configuring a proxy, but:
- Have you looked at
https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
(it also covers proxy configuration)
- Search the user list; I often see questions around this, maybe you can
find your answer there
On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman <michael_furman@hotmail.com> wrote:
Hi Sebastien,
The problem is not related to HTTPS but to the reverse proxy.
When I access the SpringSecurity adapter RP over HTTP but behind the Apache
HTTPD reverse proxy (the client configuration in the IDP is also configured
for HTTP), the redirect_uri is replaced with localhost:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid
Then, I get the error
WE'RE SORRY ...
Invalid parameter: redirect_uri
What should I configure to allow it to work with the proxy?
Any help will be appreciated.
Best regards,
Michael
________________________________
From: keycloak-user-bounces@lists.jboss.org on behalf of Michael Furman <michael_furman@hotmail.com>
Sent: Tuesday, December 13, 2016 1:17 PM
To: Sebastien Blanc
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
Hi,
Important clarification:
The HTTPS handshake is done by the Apache httpd server, which is also the
reverse proxy for Tomcat.
Tomcat is located on the same IP.
The SpringSecurity RP is deployed in Tomcat.
Best regards
On Dec 13, 2016 12:44 PM, Michael Furman <michael_furman(a)hotmail.com> wrote:
Example 2:
SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
is also configured for HTTPS)
IDP is over HTTP
Example 3:
SpringSecurity adapter RP is over HTTP (the client configuration in the IDP
is also configured for HTTP)
IDP is over HTTP
BTW,
Example 1:
SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
is also configured for HTTPS)
IDP is over HTTPS
________________________________
From: Sebastien Blanc <sblanc@redhat.com>
Sent: Tuesday, December 13, 2016 12:23 PM
To: Michael Furman
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
What is the difference between your example 2 and example 3?
On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman <michael_furman@hotmail.com> wrote:
Hi all,
I am trying to access the IDP from the SpringSecurity adapter over HTTPS without success.
When I try to access the IDP over HTTPS, the redirect_uri is replaced with
localhost:
https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid
Then I get this error in UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri
Similarly, when I try to access the IDP over HTTP, the redirect_uri is
replaced with localhost:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid
Same error in UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri
Only if I access the IDP from the SpringSecurity adapter over HTTP does the
redirect_uri have the correct value, and it works:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid
Finally I can see the login page.
What is wrong in my configuration?
Any help will be appreciated.
Best regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
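The failure the thread keeps running into (the adapter rebuilds redirect_uri from the container's own view of the request, which behind httpd on the same box is http://localhost:8081/...) and the fix Thomas points at (let the container apply X-Forwarded-* headers, but only when they come from the proxy) can be shown in a few lines. The following is an added example written for this page; it is not code from the Keycloak adapter, Spring Security or Tomcat. The class and method names (RedirectUriDemo, Request, naiveRequestUrl, proxyAwareRequestUrl) are hypothetical, and the addresses and headers are constructed from the values seen in the thread.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class RedirectUriDemo {

    /** Minimal stand-in for the parts of HttpServletRequest that a URL rebuild uses. */
    static final class Request {
        final String scheme;               // scheme of the connector Tomcat accepted on
        final String serverName;           // Host header as the container sees it
        final int serverPort;
        final String path;
        final String remoteAddr;           // peer that opened the TCP connection
        final Map<String, String> headers;

        Request(String scheme, String serverName, int serverPort, String path,
                String remoteAddr, Map<String, String> headers) {
            this.scheme = scheme;
            this.serverName = serverName;
            this.serverPort = serverPort;
            this.path = path;
            this.remoteAddr = remoteAddr;
            this.headers = headers;
        }
    }

    /**
     * What the thread observed: the redirect_uri is rebuilt from the container's
     * own view of the request. Behind a proxy on the same host that view is
     * localhost:8081, not the scheme and host the browser actually used.
     */
    static String naiveRequestUrl(Request r) {
        return r.scheme + "://" + r.serverName + ":" + r.serverPort + r.path;
    }

    /**
     * Proxy-aware rebuild: X-Forwarded-Proto and X-Forwarded-Host are applied
     * only when the TCP peer is a known proxy. A client that reaches the
     * container directly cannot choose the host that lands in redirect_uri,
     * which is why the trust list is the security-relevant part.
     */
    static String proxyAwareRequestUrl(Request r, Set<String> trustedProxies) {
        if (!trustedProxies.contains(r.remoteAddr)) {
            return naiveRequestUrl(r);     // forwarded headers from anyone else are ignored
        }
        String scheme = r.headers.getOrDefault("X-Forwarded-Proto", r.scheme);
        String host = r.headers.getOrDefault("X-Forwarded-Host",
                                             r.serverName + ":" + r.serverPort);
        return scheme + "://" + host + r.path;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of the thread: httpd terminates TLS on
        // 192.168.110.2 and forwards to Tomcat on 127.0.0.1:8081.
        Map<String, String> fromHttpd = new HashMap<>();
        fromHttpd.put("X-Forwarded-Proto", "https");
        fromHttpd.put("X-Forwarded-Host", "192.168.110.2");
        fromHttpd.put("X-Forwarded-For", "10.0.0.5");      // constructed browser address

        Request viaProxy = new Request("http", "localhost", 8081, "/app/sso/login",
                                       "127.0.0.1", fromHttpd);
        Set<String> trusted = Collections.singleton("127.0.0.1");

        System.out.println("naive rebuild      : " + naiveRequestUrl(viaProxy));
        System.out.println("proxy-aware rebuild: " + proxyAwareRequestUrl(viaProxy, trusted));

        // The same headers sent by a client that reached Tomcat directly are discarded.
        Request direct = new Request("http", "localhost", 8081, "/app/sso/login",
                                     "203.0.113.9", fromHttpd);
        System.out.println("direct client      : " + proxyAwareRequestUrl(direct, trusted));
    }
}
```

In a real Tomcat deployment this trust check is what org.apache.catalina.valves.RemoteIpValve does in server.xml: its protocolHeader attribute names the header carrying the original scheme (X-Forwarded-Proto), and internalProxies / trustedProxies restrict which peer addresses may supply it; leaving those open to any address is what turns a helpful feature into a way for a direct client to steer the URLs an application builds. On the httpd side, mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server by itself, ProxyPreserveHost On keeps the browser's Host header intact, and X-Forwarded-Proto has to be set explicitly (for example with mod_headers' RequestHeader set directive in the TLS virtual host). Once the container reports the external scheme and host, getRequestUrl()-style code such as the getRedirectUri method quoted above produces a redirect_uri that matches the client registration in the IDP.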