10:37 a.m.
Hello
I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
The unfortunate soul did not get a single reply in 2015, hopefully I
have better luck. I will try to provide as much info as reuested just to
get to the bottom of this.
Setup:
- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup
config cli:
embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch
stop-embedded-server
- KC adapter jetty 9.3
- keycloak.json configured via env vars
- kc and api running in seperate docker containers on same server
{
"realm": "${env.KC_REALM}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Docker ENV form my API service:
KC_BASE_URL=https://mykeycloak.domain/auth
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external
When I call a protected API this is logged by adapter:
api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
required to authenticate. Remote address <server ip> is secure: false,
SSL required for: EXTERNAL .
Why does it try to connect via IP and not over https? I clearly
specified KC_BASE_URL as HTTPS. And why is REST call logged as http even
tho I call it via https? I also parsed the access token and issuer is
from https, no trace of any IPs or http anywhere.
And now the worst thing: when this WARN happens, adapter returns blank
200! You'd expect at least internal server error or something along the
lines. . I lost 9 hours today blaming everything from nginx to my REST
API just to finally come down to this.
Setting SSL config to none in admin panel and in adapter env makes the
whole thing work. But this is clearly not the solution.
Hopefully some expert can shed some light on this.
Best regards, cen
4:40 p.m.
As far as I can see you're configuring SSL in top of your nginx proxy (user can only
access keycloak via this proxy).
Your internal calls (from proxy to keycloak) aren't meant to be in SSL, so why you
should bother of keycloak requiring it?
Nire Sony Xperia™ telefonotik bidalita
---- cen igorleak idatzi du ----
Hello
I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
The unfortunate soul did not get a single reply in 2015, hopefully I
have better luck. I will try to provide as much info as reuested just to
get to the bottom of this.
Setup:
- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup
config cli:
embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch
stop-embedded-server
- KC adapter jetty 9.3
- keycloak.json configured via env vars
- kc and api running in seperate docker containers on same server
{
"realm": "${env.KC_REALM}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Docker ENV form my API service:
KC_BASE_URL=https://mykeycloak.domain/auth
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external
When I call a protected API this is logged by adapter:
api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
required to authenticate. Remote address <server ip> is secure: false,
SSL required for: EXTERNAL .
Why does it try to connect via IP and not over https? I clearly
specified KC_BASE_URL as HTTPS. And why is REST call logged as http even
tho I call it via https? I also parsed the access token and issuer is
from https, no trace of any IPs or http anywhere.
And now the worst thing: when this WARN happens, adapter returns blank
200! You'd expect at least internal server error or something along the
lines. . I lost 9 hours today blaming everything from nginx to my REST
API just to finally come down to this.
Setting SSL config to none in admin panel and in adapter env makes the
whole thing work. But this is clearly not the solution.
Hopefully some expert can shed some light on this.
Best regards, cen
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:51 p.m.
As far as I know, when Keycloak is running in Docker, "external" means
anything coming outside of the container, so even if traffic from nginx
to Keycloak is technicaly local Keycloak does not see it that way.
Google apparently uses SSL even inside their datacenter and I think it
is a valid use, that is why require ssl=all exists in Keycloak I guess.
The bigger point of mine is that there is a bug somewhere in Keycloak
adapter that just silently fails and returns empty HTTP 200 which
doesn't make any sense at all.
The only theory so far that I have is that adapter somehow figures out
that domain points to Docker host and elects to go the direct IP route
instead of through nginx.
Amaeztu je 30. 05. 2017 ob 23:40 napisal:
As far as I can see you're configuring SSL in top of your nginx proxy
(user can only access keycloak via this proxy).
Your internal calls (from proxy to keycloak) aren't meant to be in
SSL, so why you should bother of keycloak requiring it?
Nire Sony Xperia™ telefonotik bidalita
---- cen igorleak idatzi du ----
Hello
I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
The unfortunate soul did not get a single reply in 2015, hopefully I
have better luck. I will try to provide as much info as reuested just to
get to the bottom of this.
Setup:
- KC 3.0.0 <tel:3.0.0>-Final behind nginx reverse proxy protected by
HTTPS, startup
config cli:
embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch
stop-embedded-server
- KC adapter jetty 9.3
- keycloak.json <http://keycloak.json> configured via env vars
- kc and api running in seperate docker containers on same server
{
"realm": "${env.KC_REALM}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Docker ENV form my API service:
KC_BASE_URL=https://mykeycloak.domain/auth
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external
When I call a protected API this is logged by adapter:
api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
required to authenticate. Remote address <server ip> is secure: false,
SSL required for: EXTERNAL .
Why does it try to connect via IP and not over https? I clearly
specified KC_BASE_URL as HTTPS. And why is REST call logged as http even
tho I call it via https? I also parsed the access token and issuer is
from https, no trace of any IPs or http anywhere.
And now the worst thing: when this WARN happens, adapter returns blank
200! You'd expect at least internal server error or something along the
lines. . I lost 9 hours today blaming everything from nginx to my REST
API just to finally come down to this.
Setting SSL config to none in admin panel and in adapter env makes the
whole thing work. But this is clearly not the solution.
Hopefully some expert can shed some light on this.
Best regards, cen
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:28 a.m.
The problem is probably down to HttpServletRequest.html#getRequestURL() not
returning the correct URL for the application itself. It looks like you've
configured this correct on the Keycloak server side, but you also need to
configure Jetty (I pressume?) to do the same when it's behind a reverse
proxy. I've got no idea how you'd do that in Jetty, but I'm sure Google
will reveal the answer to you.
On 30 May 2017 at 17:37, cen <imbacen(a)gmail.com> wrote:
Hello
I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
The unfortunate soul did not get a single reply in 2015, hopefully I
have better luck. I will try to provide as much info as reuested just to
get to the bottom of this.
Setup:
- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup
config cli:
embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=
default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=
default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-
binding=proxy-https:add(port=443)
run-batch
stop-embedded-server
- KC adapter jetty 9.3
- keycloak.json configured via env vars
- kc and api running in seperate docker containers on same server
{
"realm": "${env.KC_REALM}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Docker ENV form my API service:
KC_BASE_URL=https://mykeycloak.domain/auth
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external
When I call a protected API this is logged by adapter:
api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
required to authenticate. Remote address <server ip> is secure: false,
SSL required for: EXTERNAL .
Why does it try to connect via IP and not over https? I clearly
specified KC_BASE_URL as HTTPS. And why is REST call logged as http even
tho I call it via https? I also parsed the access token and issuer is
from https, no trace of any IPs or http anywhere.
And now the worst thing: when this WARN happens, adapter returns blank
200! You'd expect at least internal server error or something along the
lines. . I lost 9 hours today blaming everything from nginx to my REST
API just to finally come down to this.
Setting SSL config to none in admin panel and in adapter env makes the
whole thing work. But this is clearly not the solution.
Hopefully some expert can shed some light on this.
Best regards, cen
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:03 a.m.
I think you are on to something.
I added a ForwardedRequestCustomizer to jetty config and now
HttpServletRequest correctly recognises the scheme as https.
2017-05-31 11:55:20 DEBUG PreAuthActionsHandler:78 - adminRequest
https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
2017-05-31 11:55:20 DEBUG RequestAuthenticator:238 - User
'4004dee5-6df2-4a26-89d5-6d68c1715737' invoking
'https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5'
on client 'my-api'
2017-05-31 11:55:20 DEBUG RequestAuthenticator:76 - Bearer AUTHENTICATED
2017-05-31 11:55:20 DEBUG AuthenticatedActionsHandler:53 -
AuthenticatedActionsValve.invoke
https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
Still need to test on the main server but I think this should solve it.
This leaves the adapter returning HTTP 200 which is probably a bug.
Thanks for the tip,
cen
Stian Thorgersen je 31. 05. 2017 ob 08:28 napisal:
The problem is probably down to
HttpServletRequest.html#getRequestURL() not returning the correct URL
for the application itself. It looks like you've configured this
correct on the Keycloak server side, but you also need to configure
Jetty (I pressume?) to do the same when it's behind a reverse proxy.
I've got no idea how you'd do that in Jetty, but I'm sure Google will
reveal the answer to you.
On 30 May 2017 at 17:37, cen <imbacen(a)gmail.com
<mailto:imbacen@gmail.com>> wrote:
Hello
I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
<http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html>
The unfortunate soul did not get a single reply in 2015, hopefully I
have better luck. I will try to provide as much info as reuested
just to
get to the bottom of this.
Setup:
- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS,
startup
config cli:
embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch
stop-embedded-server
- KC adapter jetty 9.3
- keycloak.json configured via env vars
- kc and api running in seperate docker containers on same server
{
"realm": "${env.KC_REALM}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Docker ENV form my API service:
KC_BASE_URL=https://mykeycloak.domain/auth
<https://mykeycloak.domain/auth>
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external
When I call a protected API this is logged by adapter:
api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 -
adminRequest
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
<http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5>
api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
required to authenticate. Remote address <server ip> is secure: false,
SSL required for: EXTERNAL .
Why does it try to connect via IP and not over https? I clearly
specified KC_BASE_URL as HTTPS. And why is REST call logged as
http even
tho I call it via https? I also parsed the access token and issuer is
from https, no trace of any IPs or http anywhere.
And now the worst thing: when this WARN happens, adapter returns blank
200! You'd expect at least internal server error or something
along the
lines. . I lost 9 hours today blaming everything from nginx to my REST
API just to finally come down to this.
Setting SSL config to none in admin panel and in adapter env makes the
whole thing work. But this is clearly not the solution.
Hopefully some expert can shed some light on this.
Best regards, cen
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
2766
days inactive
2767
days old
4 comments
3 participants
participants (3)
-
Amaeztu -
cen -
Stian Thorgersen