11:59 p.m.
Hi
I'm trying to call the /admin/* API endpoints through a reverse proxy. The access
token is granted to a JavaScript application, and the issuer of the token is therefore the
reverse proxy. (This is actually a regular app that just happens to forward/create some
requests to Keycloak.)
The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-*
headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
The request is authenticated in Keycloak with this line in AuthenticationManager.java:
AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(),
Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive, checkTokenType);
This assumes that the "configured issuer" of a token is the JAX-RS
UriInfo#getBaseUri() and fails with:
2016-05-21 23:52:37,109 DEBUG [org.keycloak.services] (default task-16) Failed to verify
identity token: org.keycloak.common.VerificationException: Token audience doesn't
match domain. Token issuer is http://localhost:8080/auth/realms/master, but URL from
configuration is http://192.168.99.100:8081/auth/realms/master
The UriInfo#getBaseUri() does not take the X-Forwarded-* headers into account.
How can I call the API with a token obtained through a reverse proxy?
Thanks,
Christian
12:10 a.m.
I think this is a wildfly issue:
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
set the proxy-address-forwarding="true" for the http-listener.
On 5/21/16 5:59 PM, Christian Bauer wrote:
Hi
I'm trying to call the /admin/* API endpoints through a reverse proxy. The access
token is granted to a JavaScript application, and the issuer of the token is therefore the
reverse proxy. (This is actually a regular app that just happens to forward/create some
requests to Keycloak.)
The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-*
headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
The request is authenticated in Keycloak with this line in AuthenticationManager.java:
AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(),
Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive, checkTokenType);
This assumes that the "configured issuer" of a token is the JAX-RS
UriInfo#getBaseUri() and fails with:
2016-05-21 23:52:37,109 DEBUG [org.keycloak.services] (default task-16) Failed to verify
identity token: org.keycloak.common.VerificationException: Token audience doesn't
match domain. Token issuer is http://localhost:8080/auth/realms/master, but URL from
configuration is http://192.168.99.100:8081/auth/realms/master
The UriInfo#getBaseUri() does not take the X-Forwarded-* headers into account.
How can I call the API with a token obtained through a reverse proxy?
Thanks,
Christian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:18 a.m.
Already done. I don't think that affects HttpServletRequest#getRequestURL(), which is
what Resteasy is using to populate UriInfo#getBaseUri()?
set the proxy-address-forwarding="true" for the
http-listener.
>
> The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-*
headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
10:10 a.m.
A workaround/solution is to set the Host header on the proxy.
This is equivalent to setting ProxyPreserveHost On if you'd be using Apache mod_proxy.
It requires some ugly hacks however customizing this header with my
Resteasy/ApacheHttpClient proxy.
On 22.05.2016, at 00:18, Christian Bauer
<christian.bauer(a)gmail.com> wrote:
Already done. I don't think that affects HttpServletRequest#getRequestURL(), which is
what Resteasy is using to populate UriInfo#getBaseUri()?
> set the proxy-address-forwarding="true" for the http-listener.
>
>>
>> The proxy makes a call to Keycloak with a Bearer token and the correct
X-Forwarded-* headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:16 a.m.
Take a look at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst....
proxy-address-forwarding=true
does set HttpServletRequest#getRequestURL(), but only if http is used. If
you're using ajp then you need to use ProxyPeerAddressHandler.
On 22 May 2016 at 10:10, Christian Bauer <christian.bauer(a)gmail.com> wrote:
A workaround/solution is to set the Host header on the proxy.
This is equivalent to setting ProxyPreserveHost On if you'd be using
Apache mod_proxy. It requires some ugly hacks however customizing this
header with my Resteasy/ApacheHttpClient proxy.
> On 22.05.2016, at 00:18, Christian Bauer <christian.bauer(a)gmail.com>
wrote:
>
> Already done. I don't think that affects
HttpServletRequest#getRequestURL(), which is what Resteasy is using to
populate UriInfo#getBaseUri()?
>
>> set the proxy-address-forwarding="true" for the http-listener.
>>
>>>
>>> The proxy makes a call to Keycloak with a Bearer token and the correct
X-Forwarded-* headers. Keycloak/Wildfly is configured with
proxy-address-forwarding=true.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:04 a.m.
@WebServlet(name = "test", urlPatterns = "/test")
public class TestServlet extends javax.servlet.http.HttpServlet {
@Override
protected void doGet(HttpServletRequest req,
HttpServletResponse resp) throws ServletException, IOException {
System.err.println("REQUEST URL : " + req.getRequestURL());
System.err.println("REMOTE HOST: " + req.getRemoteHost());
Enumeration<String> headers = req.getHeaderNames();
while (headers.hasMoreElements()) {
String header = headers.nextElement();
System.err.println(header + ": " + req.getHeader(header));
}
}
}
/wildfly-10.0.0.Final/standalone/configuration$ grep http-listener standalone.xml
<http-listener name="default"
proxy-address-forwarding="true" socket-binding="http"
redirect-socket="https"/>
/wildfly-10.0.0.Final/standalone/configuration$ curl -v --header "X-Forwarded-For:
10.0.0.1:8888" --header "X-Forwarded-Proto: http"
http://localhost:8080/proxytest_war_exploded/test
08:47:32,511 ERROR [stderr] (default task-2) REQUEST URL :
http://localhost:8080/proxytest_war_exploded/test
08:47:32,511 ERROR [stderr] (default task-2) REMOTE HOST: 10.0.0.1:8888
08:47:32,511 ERROR [stderr] (default task-2) Accept: */*
08:47:32,511 ERROR [stderr] (default task-2) X-Forwarded-Proto: http
08:47:32,512 ERROR [stderr] (default task-2) User-Agent: curl/7.43.0
08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For: 10.0.0.1
08:47:32,512 ERROR [stderr] (default task-2) Host: localhost:8080
I've also looked at the code of Undertow/Wildfly and as far as I can tell, the
proxy-address-forwarding affects only HttpServletRequest#getRemoteHost() etc. values.
On 23.05.2016, at 08:16, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Take a look at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
<http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...;.
proxy-address-forwarding=true does set HttpServletRequest#getRequestURL(), but only if
http is used. If you're using ajp then you need to use ProxyPeerAddressHandler.
On 22 May 2016 at 10:10, Christian Bauer <christian.bauer(a)gmail.com
<mailto:christian.bauer@gmail.com>> wrote:
A workaround/solution is to set the Host header on the proxy.
This is equivalent to setting ProxyPreserveHost On if you'd be using Apache
mod_proxy. It requires some ugly hacks however customizing this header with my
Resteasy/ApacheHttpClient proxy.
> On 22.05.2016, at 00:18, Christian Bauer <christian.bauer(a)gmail.com
<mailto:christian.bauer@gmail.com>> wrote:
>
> Already done. I don't think that affects HttpServletRequest#getRequestURL(),
which is what Resteasy is using to populate UriInfo#getBaseUri()?
>
>> set the proxy-address-forwarding="true" for the http-listener.
>>
>>>
>>> The proxy makes a call to Keycloak with a Bearer token and the correct
X-Forwarded-* headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
4:14 p.m.
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
As Stian said, ProxyPeerAddressHandler? See above.
On 5/23/16 3:16 AM, Christian Bauer wrote:
> 08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For:
10.0.0.1
Copy/paste error, the actual line is:
08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For:
10.0.0.1:8888
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:47 p.m.
This handler sets ServletRequest#getRemoteHost() etc. values in Undertow. In Wildfly code
this handler is actually enabled with the listener attribute
proxy-address-forwarding=true:
https://github.com/wildfly/wildfly/blob/aaaeb2a13667353db2b6955b9bcdba434...
<https://github.com/wildfly/wildfly/blob/aaaeb2a13667353db2b6955b9bcdba434...
What's the difference between enabling the listener attribute and adding the filter
manually?
None of this is having any effect on getRequestURL(). There are two ways I see how this
host is set: From parsing the HTTP request line or from the Host header.
Whatever proxy testing you do probably works because your proxy passes through the
original Host header. Preserving the Host header is the default in haproxy but not
mod_proxy.
On 23.05.2016, at 16:14, Bill Burke <bburke(a)redhat.com> wrote:
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
<https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
As Stian said, ProxyPeerAddressHandler? See above.
On 5/23/16 3:16 AM, Christian Bauer wrote:
>> 08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For: 10.0.0.1
>
> Copy/paste error, the actual line is:
>
> 08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For: 10.0.0.1:8888
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:50 a.m.
The attribute only works for HTTP connector, not for AJP. For AJP you have
to manually add it.
The Host header is required though. Ho would Undertow else figure out the
original request URL? I can't see anything we can do on our end for this,
besides documenting the fact that the original Host header has to be
preserved.
On 23 May 2016 at 16:47, Christian Bauer <christian.bauer(a)gmail.com> wrote:
This handler sets ServletRequest#getRemoteHost() etc. values in
Undertow.
In Wildfly code this handler is actually enabled with the listener
attribute proxy-address-forwarding=true:
https://github.com/wildfly/wildfly/blob/aaaeb2a13667353db2b6955b9bcdba434...
What's the difference between enabling the listener attribute and adding
the filter manually?
None of this is having any effect on getRequestURL(). There are two ways I
see how this host is set: From parsing the HTTP request line or from the
Host header.
Whatever proxy testing you do probably works because your proxy passes
through the original Host header. Preserving the Host header is the default
in haproxy but not mod_proxy.
On 23.05.2016, at 16:14, Bill Burke <bburke(a)redhat.com> wrote:
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
As Stian said, ProxyPeerAddressHandler? See above.
On 5/23/16 3:16 AM, Christian Bauer wrote:
08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For: 10.0.0.1
Copy/paste error, the actual line is:
08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For:
10.0.0.1:8888
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:55 a.m.
Created https://issues.jboss.org/browse/KEYCLOAK-3029
On 24 May 2016 at 08:50, Stian Thorgersen <sthorger(a)redhat.com> wrote:
The attribute only works for HTTP connector, not for AJP. For AJP you
have
to manually add it.
The Host header is required though. Ho would Undertow else figure out the
original request URL? I can't see anything we can do on our end for this,
besides documenting the fact that the original Host header has to be
preserved.
On 23 May 2016 at 16:47, Christian Bauer <christian.bauer(a)gmail.com>
wrote:
> This handler sets ServletRequest#getRemoteHost() etc. values in Undertow.
> In Wildfly code this handler is actually enabled with the listener
> attribute proxy-address-forwarding=true:
>
>
>
https://github.com/wildfly/wildfly/blob/aaaeb2a13667353db2b6955b9bcdba434...
>
> What's the difference between enabling the listener attribute and adding
> the filter manually?
>
> None of this is having any effect on getRequestURL(). There are two ways
> I see how this host is set: From parsing the HTTP request line or from the
> Host header.
>
> Whatever proxy testing you do probably works because your proxy passes
> through the original Host header. Preserving the Host header is the default
> in haproxy but not mod_proxy.
>
> On 23.05.2016, at 16:14, Bill Burke <bburke(a)redhat.com> wrote:
>
>
>
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
>
> As Stian said, ProxyPeerAddressHandler? See above.
>
>
> On 5/23/16 3:16 AM, Christian Bauer wrote:
>
> 08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For: 10.0.0.1
>
>
> Copy/paste error, the actual line is:
>
> 08:47:32,512 ERROR [stderr] (default task-2) X-Forwarded-For:
> 10.0.0.1:8888
>
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2888
days inactive
2891
days old
10 comments
3 participants
participants (3)
-
Bill Burke -
Christian Bauer -
Stian Thorgersen