Hi Bill,
The problem was that the proxy did not ask the user to "login", but it was
my error because I had forgotten to configure the "constraints" section in
proxy.json
The issue I am having now is that the "sign out" from another application
in the same realm, doesn't sign out the user in the proxied application
(the "session" cookie is still present) - should I configure something
special regarding this?
Here is my working configuration now:
{
  "target-url": "http://localhost:8280/",
  "send-access-token": true,
  "bind-address": "localhost",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/backend",
      "error-page": "/error.html",
      "adapter-config": {
        "realm": "demo",
        "resource": "proxy",
        "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GN....",
        "auth-server-url": "http://localhost:8180/auth",
        "ssl-required": "external",
        "principal-attribute": "name",
        "credentials": {
          "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
        }
      },
      "constraints": [
        {
          "pattern": "/*",
          "roles-allowed": [
            "user"
          ]
        }
      ]
    }
  ]
}
Thanks,
Adrian
Message: 1
Date: Fri, 20 Nov 2015 10:09:59 -0500
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Proxy configuration issue (Bill Burke)
To: keycloak-user(a)lists.jboss.org
Message-ID: <564F37C7.9010007(a)redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
That all looks right. What are the problems you are seeing? I don't
see them listed explicitly in this email thread.
On 11/20/2015 6:31 AM, Adrian Matei wrote:
Hi Bill,
Thank you for your answer, but I still don't seem to get Keycloak to
"catch" my requests against the protected application.
Let me make the scenario clear:
1. Application to be protected runs on http://localhost:*8280*/backend
2. Server proxy started and runs on http://localhost:*8080*, when I type
http://localhost:8080/backend in the browser I see the protected
application
3. Keycloak server runs on http://localhost:*8180*/auth
4. The adapter config in the "applications" section corresponds now to the
proxy client I have configured in the Keycloak realm:
Client ID: proxy
Client Protocol: openid-connect
Access Type: confidential
Valid Redirect URIs: http://localhost:8080/backend/*
I am not sure how to configure the proxy Server - now I have the
following:
{
  "target-url": "*http://localhost:8280/*", ???
  "send-access-token": false,
  "bind-address": "localhost",
  "http-port": "8080", ???
  "applications": [
    {
      "base-path": "*/backend*",
      "error-page": "/error.html",
      "adapter-config": {
        "realm": "demo",
        "resource": "*proxy*",
        "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
        "auth-server-url": "http://localhost:8180/auth",
        "ssl-required": "external",
        "principal-attribute": "name",
        "credentials": {
          "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
        }
      }
    }
  ]
}
Questions:
1. The target-url I set it to the URL of the application the proxy
server is proxying - this means the server can only proxy applications
on the same URL?
2. What am I doing wrong :((((?
Thanks a bunch,
Adrian
"Can't really see the screenshot, but you have to point keycloak to the
host/port of the proxy.
On 11/19/2015 9:13 AM, Adrian Matei wrote:
> Hi everyone,
>
> I am trying to make a simple test and configure a keycloak proxy to
> protect an application running on http://localhost:8280/backend/
>on looks like the following:
>
> {
>   "target-url": "http://localhost:8280/",
>   "send-access-token": false,
>   "bind-address": "localhost",
>   "http-port": "8080",
>   "applications": [
>     {
>       "base-path": "/backend",
>       "error-page": "/error.html",
>       "adapter-config": {
>         "realm": "demo",
>         "resource": "sandbox-backend",
>         "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>         "auth-server-url": "http://localhost:8180/auth",
>         "ssl-required": "external",
>         "credentials": {
>           "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395"
>         }
>       }
>     }
>   ]
> }
>
> 2. I've started the proxy server as specified in the documentation "java
> -jar bin/launcher.jar proxy.json"
> I am getting an error "ERROR: UT005026: Jetty ALPN support not found on
> boot class path, SPDY client will not be available.", but the server
> still starts, I don't think there should be a problem with that...
>
> 3. In the admin console (keycloak running on port 8180) I've configured
> the backend application like the following:
>
> Could you tell me what I am doing wrong? When I put in the app's url in
> the browser it goes directly to the application...
>
> Thanks,
> Adrian"
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
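
The misconfiguration reported at the top of this thread (an application entry with no "constraints" section, so the proxy never asked for login) can be caught before the proxy is started. The check below is an added example, not part of the original messages and not Keycloak code; lint_proxy_config is a hypothetical helper, it interprets only the keys shown in the thread, and the sample configs are constructed with a placeholder secret.

```python
import json

# Constructed samples modelled on the two proxy.json files in the thread;
# the client secret is a placeholder, the public key is omitted.
ADAPTER = {"realm": "demo", "resource": "proxy",
           "auth-server-url": "http://localhost:8180/auth",
           "credentials": {"secret": "<client-secret>"}}
BEFORE = {"target-url": "http://localhost:8280/", "http-port": "8080",
          "applications": [{"base-path": "/backend", "adapter-config": ADAPTER}]}
AFTER = {"target-url": "http://localhost:8280/", "http-port": "8080",
         "applications": [{"base-path": "/backend", "adapter-config": ADAPTER,
                           "constraints": [{"pattern": "/*",
                                            "roles-allowed": ["user"]}]}]}


def lint_proxy_config(config):
    """Return findings for application entries whose paths are not covered.

    Assumption: only "applications", "base-path", "constraints", "pattern"
    and "roles-allowed" (the keys used in the thread) are understood.
    """
    findings = []
    apps = config.get("applications") or []
    if not apps:
        findings.append("no applications defined")
    for app in apps:
        base = app.get("base-path", "<missing base-path>")
        constraints = app.get("constraints") or []
        if not constraints:
            # The symptom reported in the thread: no login prompt at all.
            findings.append(f"{base}: no constraints section")
            continue
        for c in constraints:
            pattern = c.get("pattern")
            if not pattern:
                findings.append(f"{base}: constraint without a pattern")
            elif not c.get("roles-allowed"):
                findings.append(f"{base}{pattern}: no roles-allowed, review manually")
        if not any(c.get("pattern") == "/*" for c in constraints):
            findings.append(f"{base}: no catch-all /* pattern, other paths not covered")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, json.dumps(lint_proxy_config(cfg), indent=2))
```
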