6:41 a.m.
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no
session found in request, redirecting for
authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming
authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable
to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak, and have added the
redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
6:58 a.m.
I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it
is a compatibility issue, please let me know so that I upgrade Keycloak.
Thanks in advance,
Ronald
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Ronald Demneri
Sent: 15.Feb.2019 1:41 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Keycloak gatekeeper issue
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no
session found in request, redirecting for
authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming
authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable
to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak, and have added the
redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:44 p.m.
Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment?
Regards,
Ronald
-----Original Message-----
From: Ronald Demneri <ronald.demneri(a)amdtia.com>
Sent: 15.Feb.2019 1:59 PM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>; keycloak-user(a)lists.jboss.org
Subject: RE: Keycloak gatekeeper issue
I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it
is a compatibility issue, please let me know so that I upgrade Keycloak.
Thanks in advance,
Ronald
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Ronald Demneri
Sent: 15.Feb.2019 1:41 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Keycloak gatekeeper issue
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no
session found in request, redirecting for
authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming
authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable
to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak, and have added the
redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:47 a.m.
Hi,
How do you generate your initial token ?
From the logs looks like it's already expired when you send it to
the
Gatekeeper.
On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri
<ronald.demneri(a)amdtia.com> wrote:
Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment?
Regards,
Ronald
-----Original Message-----
From: Ronald Demneri <ronald.demneri(a)amdtia.com>
Sent: 15.Feb.2019 1:59 PM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>; keycloak-user(a)lists.jboss.org
Subject: RE: Keycloak gatekeeper issue
I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it
is a compatibility issue, please let me know so that I upgrade Keycloak.
Thanks in advance,
Ronald
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Ronald Demneri
Sent: 15.Feb.2019 1:41 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Keycloak gatekeeper issue
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no
session found in request, redirecting for
authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming
authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable
to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak, and have added the
redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:10 a.m.
Hi Sebastien,
I try to login to the app, I get redirected to Keycloak where I am authenticated and then
I receive the error in the Gatekeeper console. Of course, the redirection back to the app
is not working. And the fact that the token is already expired is making me scratch my
head and the reason why I posted to the userlist.
If you need some more information to help me troubleshoot and hopefully resolve it, please
let me know.
Thanks in advance,
Ronald
-----Original Message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: 07.Mar.2019 7:48 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi,
How do you generate your initial token ?
From the logs looks like it's already expired when you send it to
the Gatekeeper.
On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment?
Regards,
Ronald
-----Original Message-----
From: Ronald Demneri <ronald.demneri(a)amdtia.com>
Sent: 15.Feb.2019 1:59 PM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>;
keycloak-user(a)lists.jboss.org
Subject: RE: Keycloak gatekeeper issue
I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it
is a compatibility issue, please let me know so that I upgrade Keycloak.
Thanks in advance,
Ronald
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
<keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Ronald Demneri
Sent: 15.Feb.2019 1:41 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Keycloak gatekeeper issue
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper
/middleware.go:108","msg":"no session found in request, redirecting
for authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/
middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.2
53.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper
/handlers.go:88","msg":"incoming authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/mas
ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=htt
p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=
openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","clie
nt_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/m
iddleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper
/handlers.go:152","msg":"unable to verify the id
token","error":"the
access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/m
iddleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.25
3.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak,
and have added the redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:36 a.m.
Ok,
Sorry for asking maybe a stupid question but could it be that your KC
server and the gatekeeper have a time difference ?
On Thu, Mar 7, 2019 at 9:10 AM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
Hi Sebastien,
I try to login to the app, I get redirected to Keycloak where I am authenticated and then
I receive the error in the Gatekeeper console. Of course, the redirection back to the app
is not working. And the fact that the token is already expired is making me scratch my
head and the reason why I posted to the userlist.
If you need some more information to help me troubleshoot and hopefully resolve it,
please let me know.
Thanks in advance,
Ronald
-----Original Message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: 07.Mar.2019 7:48 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi,
How do you generate your initial token ?
From the logs looks like it's already expired when you send it to the Gatekeeper.
On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
>
> Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the
moment?
>
>
> Regards,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri <ronald.demneri(a)amdtia.com>
> Sent: 15.Feb.2019 1:59 PM
> To: Ronald Demneri <ronald.demneri(a)amdtia.com>;
> keycloak-user(a)lists.jboss.org
> Subject: RE: Keycloak gatekeeper issue
>
> I forgot to mention that I am using Keycloak version 4.5 in my test environment, so
if it is a compatibility issue, please let me know so that I upgrade Keycloak.
>
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Ronald Demneri
> Sent: 15.Feb.2019 1:41 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Keycloak gatekeeper issue
>
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting
of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
> roles:
> - admin
>
> In the logs I receive the following upon a successful login:
>
>
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper
> /middleware.go:108","msg":"no session found in request,
redirecting
> for authorization","error":"authentication session not
found"}
>
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/
> middleware.go:90","msg":"client
>
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.2
>
53.6.24:60575","method":"GET","path":"/user/test.php"}
>
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper
> /handlers.go:88","msg":"incoming authorization request from
client
>
address","access_type":"","auth_url":"https://keycloak/auth/realms/mas
> ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=htt
> p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=
>
openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","clie
> nt_ip":"10.253.6.24:60575"}
>
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/m
> iddleware.go:90","msg":"client
>
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
>
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
>
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper
> /handlers.go:152","msg":"unable to verify the id
token","error":"the
> access token has expired"}
>
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/m
> iddleware.go:90","msg":"client
>
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.25
>
3.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in Keycloak,
> and have added the redirect_uri http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2:38 a.m.
Well, I am not sure in fact, need to check, but both vm's are running on Azure, so
probably not. I'll post back as soon as possible.
Thanks,
Ronald
-----Original Message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: 07.Mar.2019 9:37 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Ok,
Sorry for asking maybe a stupid question but could it be that your KC server and the
gatekeeper have a time difference ?
On Thu, Mar 7, 2019 at 9:10 AM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
Hi Sebastien,
I try to login to the app, I get redirected to Keycloak where I am authenticated and then
I receive the error in the Gatekeeper console. Of course, the redirection back to the app
is not working. And the fact that the token is already expired is making me scratch my
head and the reason why I posted to the userlist.
If you need some more information to help me troubleshoot and hopefully resolve it,
please let me know.
Thanks in advance,
Ronald
-----Original Message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: 07.Mar.2019 7:48 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi,
How do you generate your initial token ?
From the logs looks like it's already expired when you send it to the Gatekeeper.
On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
>
> Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the
moment?
>
>
> Regards,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri <ronald.demneri(a)amdtia.com>
> Sent: 15.Feb.2019 1:59 PM
> To: Ronald Demneri <ronald.demneri(a)amdtia.com>;
> keycloak-user(a)lists.jboss.org
> Subject: RE: Keycloak gatekeeper issue
>
> I forgot to mention that I am using Keycloak version 4.5 in my test environment, so
if it is a compatibility issue, please let me know so that I upgrade Keycloak.
>
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Ronald Demneri
> Sent: 15.Feb.2019 1:41 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Keycloak gatekeeper issue
>
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting
of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
> roles:
> - admin
>
> In the logs I receive the following upon a successful login:
>
>
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeep
> er /middleware.go:108","msg":"no session found in request,
> redirecting for authorization","error":"authentication session
not
> found"}
>
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeepe
> r/
> middleware.go:90","msg":"client
>
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10
> .2
53.6.24:60575","method":"GET","path":"/user/test.php"}
>
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeep
> er /handlers.go:88","msg":"incoming authorization request from
> client
>
address","access_type":"","auth_url":"https://keycloak/auth/realms/m
> as
> ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=h
> tt
> p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scop
> e=
> openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","cl
> openid+email+ie
> nt_ip":"10.253.6.24:60575"}
>
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper
> /m
> iddleware.go:90","msg":"client
>
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
>
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
>
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeep
> er /handlers.go:152","msg":"unable to verify the id
> token","error":"the access token has expired"}
>
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper
> /m
> iddleware.go:90","msg":"client
>
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.
> 25
3.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in
> Keycloak, and have added the redirect_uri
> http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2:50 a.m.
Hi Sebastien,
The servers are in sync.
Regards,
Ronald
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Ronald Demneri
Sent: 07.Mar.2019 9:39 AM
To: Sebastien Blanc <sblanc(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Well, I am not sure in fact, need to check, but both vm's are running on Azure, so
probably not. I'll post back as soon as possible.
Thanks,
Ronald
-----Original Message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: 07.Mar.2019 9:37 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Ok,
Sorry for asking maybe a stupid question but could it be that your KC server and the
gatekeeper have a time difference ?
On Thu, Mar 7, 2019 at 9:10 AM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
Hi Sebastien,
I try to login to the app, I get redirected to Keycloak where I am authenticated and then
I receive the error in the Gatekeeper console. Of course, the redirection back to the app
is not working. And the fact that the token is already expired is making me scratch my
head and the reason why I posted to the userlist.
If you need some more information to help me troubleshoot and hopefully resolve it,
please let me know.
Thanks in advance,
Ronald
-----Original Message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: 07.Mar.2019 7:48 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi,
How do you generate your initial token ?
From the logs looks like it's already expired when you send it to the Gatekeeper.
On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri <ronald.demneri(a)amdtia.com> wrote:
>
> Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the
moment?
>
>
> Regards,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri <ronald.demneri(a)amdtia.com>
> Sent: 15.Feb.2019 1:59 PM
> To: Ronald Demneri <ronald.demneri(a)amdtia.com>;
> keycloak-user(a)lists.jboss.org
> Subject: RE: Keycloak gatekeeper issue
>
> I forgot to mention that I am using Keycloak version 4.5 in my test environment, so
if it is a compatibility issue, please let me know so that I upgrade Keycloak.
>
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Ronald Demneri
> Sent: 15.Feb.2019 1:41 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Keycloak gatekeeper issue
>
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting
of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
> roles:
> - admin
>
> In the logs I receive the following upon a successful login:
>
>
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeep
> er /middleware.go:108","msg":"no session found in request,
> redirecting for authorization","error":"authentication session
not
> found"}
>
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeepe
> r/
> middleware.go:90","msg":"client
>
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10
> .2
53.6.24:60575","method":"GET","path":"/user/test.php"}
>
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeep
> er /handlers.go:88","msg":"incoming authorization request from
> client
>
address","access_type":"","auth_url":"https://keycloak/auth/realms/m
> as
> ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=h
> tt
> p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scop
> e=
> openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","cl
> openid+email+ie
> nt_ip":"10.253.6.24:60575"}
>
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper
> /m
> iddleware.go:90","msg":"client
>
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
>
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
>
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeep
> er /handlers.go:152","msg":"unable to verify the id
> token","error":"the access token has expired"}
>
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper
> /m
> iddleware.go:90","msg":"client
>
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.
> 25
3.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in
> Keycloak, and have added the redirect_uri
> http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:51 p.m.
Hi Ronald, one of the possible reasons for getting this message is the
way how you configured the redirect URL on Keycloak server.
Maybe that's the case?
On 2019-02-15, Ronald Demneri wrote:
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no
session found in request, redirecting for
authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming
authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable
to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak, and have added the
redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
3:06 a.m.
Hello Bruno,
From my first email:
I have configured the gatekeeper as a confidential client in Keycloak,
and have added the redirect_uri http://gatekeeper:80/oauth/callback
Which of course I got from the documentation here
https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usa...
Thanks in advance,
Ronald
-----Original Message-----
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 08.Mar.2019 12:52 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi Ronald, one of the possible reasons for getting this message is the way how you
configured the redirect URL on Keycloak server.
Maybe that's the case?
On 2019-02-15, Ronald Demneri wrote:
Hi all,
I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an
upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
The config file is as follows:
discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
roles:
- admin
In the logs I receive the following upon a successful login:
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper
/middleware.go:108","msg":"no session found in request, redirecting
for authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/
middleware.go:90","msg":"client
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.2
53.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper
/handlers.go:88","msg":"incoming authorization request from client
address","access_type":"","auth_url":"https://keycloak/auth/realms/mas
ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=htt
p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=
openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","clie
nt_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/m
iddleware.go:90","msg":"client
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper
/handlers.go:152","msg":"unable to verify the id
token","error":"the
access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/m
iddleware.go:90","msg":"client
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.25
3.6.24:60575","method":"GET","path":"/oauth/callback"}
And of course, I am not redirected back to the requested URL.
I have configured the gatekeeper as a confidential client in Keycloak,
and have added the redirect_uri http://gatekeeper:80/oauth/callback
Any hints?
Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
4:34 a.m.
Yeah, but we need to think about all the possibilities. Another thing I
noticed into your configuration is the fact that your listen address,
diverges from your redirect url.
I'd suggest to isolate the problem by first trying your setup locally
to see if it works, and later move to VMs.
Like Sebi, at first glance I'd suspect about the time sync of these VMs.
But you already mentioned that's not the case.
Could you please describe better your scenario? What is running in each
VM for example? How you configured your confidential client?
On 2019-03-08, Ronald Demneri wrote:
Hello Bruno,
From my first email:
> I have configured the gatekeeper as a confidential client in Keycloak,
> and have added the redirect_uri http://gatekeeper:80/oauth/callback
Which of course I got from the documentation here
https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usa...
Thanks in advance,
Ronald
-----Original Message-----
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 08.Mar.2019 12:52 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi Ronald, one of the possible reasons for getting this message is the way how you
configured the redirect URL on Keycloak server.
Maybe that's the case?
On 2019-02-15, Ronald Demneri wrote:
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting
of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
> roles:
> - admin
>
> In the logs I receive the following upon a successful login:
>
>
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper
> /middleware.go:108","msg":"no session found in request,
redirecting
> for authorization","error":"authentication session not
found"}
>
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/
> middleware.go:90","msg":"client
>
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.2
>
53.6.24:60575","method":"GET","path":"/user/test.php"}
>
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper
> /handlers.go:88","msg":"incoming authorization request from
client
>
address","access_type":"","auth_url":"https://keycloak/auth/realms/mas
> ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=htt
> p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=
>
openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","clie
> nt_ip":"10.253.6.24:60575"}
>
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/m
> iddleware.go:90","msg":"client
>
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
>
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
>
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper
> /handlers.go:152","msg":"unable to verify the id
token","error":"the
> access token has expired"}
>
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/m
> iddleware.go:90","msg":"client
>
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.25
>
3.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in Keycloak,
> and have added the redirect_uri http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
--
abstractj
4:49 a.m.
Hey, thanks for the quick reply.
The setup is in fact very simple, and just for some quick testing: gatekeeper is running
alongside apache/php in the vm; in fact I was trying to replace apache's
mod_auth_openidc that I used in a different vm with gatekeeper to have a look at how it
works. That is why I configured gatekeeper to listen on eth0 IP address, whereas apache is
listening on loopback (upstream-url in gatekeeper config file).
In Keycloak, the configuration is basic as well, just the client name and redirect URI.
Regards,
Ronald
-----Original Message-----
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 08.Mar.2019 11:34 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Yeah, but we need to think about all the possibilities. Another thing I noticed into your
configuration is the fact that your listen address, diverges from your redirect url.
I'd suggest to isolate the problem by first trying your setup locally to see if it
works, and later move to VMs.
Like Sebi, at first glance I'd suspect about the time sync of these VMs.
But you already mentioned that's not the case.
Could you please describe better your scenario? What is running in each VM for example?
How you configured your confidential client?
On 2019-03-08, Ronald Demneri wrote:
Hello Bruno,
From my first email:
> I have configured the gatekeeper as a confidential client in
> Keycloak, and have added the redirect_uri
> http://gatekeeper:80/oauth/callback
Which of course I got from the documentation here
https://www.keycloak.org/docs/latest/securing_apps/index.html#example-
usage-and-configuration
Thanks in advance,
Ronald
-----Original Message-----
From: Bruno Oliveira <bruno(a)abstractj.org>
Sent: 08.Mar.2019 12:52 AM
To: Ronald Demneri <ronald.demneri(a)amdtia.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue
Hi Ronald, one of the possible reasons for getting this message is the way how you
configured the redirect URL on Keycloak server.
Maybe that's the case?
On 2019-02-15, Ronald Demneri wrote:
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting
of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true
--resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
> roles:
> - admin
>
> In the logs I receive the following upon a successful login:
>
>
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeep
> er /middleware.go:108","msg":"no session found in request,
> redirecting for authorization","error":"authentication session
not
> found"}
>
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeepe
> r/
> middleware.go:90","msg":"client
>
request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10
> .2
53.6.24:60575","method":"GET","path":"/user/test.php"}
>
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeep
> er /handlers.go:88","msg":"incoming authorization request from
> client
>
address","access_type":"","auth_url":"https://keycloak/auth/realms/m
> as
> ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=h
> tt
> p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scop
> e=
> openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","cl
> openid+email+ie
> nt_ip":"10.253.6.24:60575"}
>
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper
> /m
> iddleware.go:90","msg":"client
>
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.
>
253.6.24:60575","method":"GET","path":"/oauth/authorize"}
>
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeep
> er /handlers.go:152","msg":"unable to verify the id
> token","error":"the access token has expired"}
>
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper
> /m
> iddleware.go:90","msg":"client
>
request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.
> 25
3.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in
> Keycloak, and have added the redirect_uri
> http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
--
abstractj
2132
days inactive
2153
days old
11 comments
3 participants
participants (3)
-
Bruno Oliveira -
Ronald Demneri -
Sebastien Blanc