2:55 p.m.
Hello everyone,
I have configured a web application, that is running in Tomcat, to
authenticate users with Keycloak. Everything is running fine if I
deploy the app to my local Tomcat, even when using the remote Keycloak
instance.
However, when I deploy the app to another Tomcat running behind an
Apache HTTP Server, the following happens:
* When I navigate to https://my-domain.tld/app I get redirected to the
Keycloak login
* After I log in successfully, Keycloak redirects me to
<IP>:<PORT>/app of the Tomcat
* The Tomcat answers with HTTP status 400
My keycloak.json looks like this:
{
"realm": "cdb_test",
"auth-server-url": "https://keycloak-server.tld/auth",
"ssl-required": "external",
"resource": "cdb_test",
"public-client": true
}
The VHost is configured like this:
ProxyPass /app http://<IP>:<PORT>/app/
ProxyPassReverse /app http://<IP>:<PORT>/app/
ProxyPassReverseCookiePath / /app/
I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
Any advice?
Thanks in advance
Timo
9:40 a.m.
Hello Timo,
Perhaps enable tomcat access logging [1] can help you to debug this issue.
You can compare the request with mod_proxy with the one without.
Out of curiosity: why do you need to set ProxyPassReverseCookiePath / /app/
?
Hope it helps,
Luis
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
El dom., 9 dic. 2018 a las 10:22, Timo Kockert (<timo.kockert(a)codecentric.de>)
escribió:
Hello everyone,
I have configured a web application, that is running in Tomcat, to
authenticate users with Keycloak. Everything is running fine if I
deploy the app to my local Tomcat, even when using the remote Keycloak
instance.
However, when I deploy the app to another Tomcat running behind an
Apache HTTP Server, the following happens:
* When I navigate to https://my-domain.tld/app I get redirected to the
Keycloak login
* After I log in successfully, Keycloak redirects me to
<IP>:<PORT>/app of the Tomcat
* The Tomcat answers with HTTP status 400
My keycloak.json looks like this:
{
"realm": "cdb_test",
"auth-server-url": "https://keycloak-server.tld/auth",
"ssl-required": "external",
"resource": "cdb_test",
"public-client": true
}
The VHost is configured like this:
ProxyPass /app http://<IP>:<PORT>/app/
ProxyPassReverse /app http://<IP>:<PORT>/app/
ProxyPassReverseCookiePath / /app/
I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
Any advice?
Thanks in advance
Timo
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
12:35 p.m.
Hello Luis,
thanks for your reply!
I was able to get a step further... I think.
I added "ProxyPreserveHost On" to the VHost configuration. Now
Keycloak redirects me to http://my-domain.tld/app (http without s)
after the login. Something (I haven't figured out wether it's the HTTP
Server or the Tomcat) redirects from HTTP to HTTPS after which the
Tomcat returns 403 and prints the following message to the log:
{"error":"invalid_grant","error_description":"Incorrect
redirect_uri"}
I guess the problem is the redirect to HTTP instead of HTTPS? I tried adding
RequestHeader set X-Forwarded-Proto "https"
to the VHost configuration but that didn't help. Any further advice?
Btw, I didn't write the inital VHost configuration,
"ProxyPassReverseCookiePath" was there when I started working on it.
Probably from some template.
Thanks in advance
Timo
Am Mo., 10. Dez. 2018 um 09:42 Uhr schrieb Luis Rodríguez Fernández
<uo67113(a)gmail.com>:
Hello Timo,
Perhaps enable tomcat access logging [1] can help you to debug this issue.
You can compare the request with mod_proxy with the one without.
Out of curiosity: why do you need to set ProxyPassReverseCookiePath / /app/
?
Hope it helps,
Luis
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
El dom., 9 dic. 2018 a las 10:22, Timo Kockert (<timo.kockert(a)codecentric.de>)
escribió:
> Hello everyone,
>
> I have configured a web application, that is running in Tomcat, to
> authenticate users with Keycloak. Everything is running fine if I
> deploy the app to my local Tomcat, even when using the remote Keycloak
> instance.
>
> However, when I deploy the app to another Tomcat running behind an
> Apache HTTP Server, the following happens:
>
> * When I navigate to https://my-domain.tld/app I get redirected to the
> Keycloak login
> * After I log in successfully, Keycloak redirects me to
> <IP>:<PORT>/app of the Tomcat
> * The Tomcat answers with HTTP status 400
>
> My keycloak.json looks like this:
>
> {
> "realm": "cdb_test",
> "auth-server-url": "https://keycloak-server.tld/auth",
> "ssl-required": "external",
> "resource": "cdb_test",
> "public-client": true
> }
>
> The VHost is configured like this:
>
> ProxyPass /app http://<IP>:<PORT>/app/
> ProxyPassReverse /app http://<IP>:<PORT>/app/
> ProxyPassReverseCookiePath / /app/
>
> I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
>
> Any advice?
>
> Thanks in advance
> Timo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Timo Kockert | Senior Software Engineer
codecentric AG | dock14 | Am Mittelhafen 14 | 48155 Münster | Deutschland
mobil: +49 151 1086 7040
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de |
www.more4fi.de
Sitz der Gesellschaft: Solingen | HRB 25917| Amtsgericht Wuppertal
Vorstand: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus Jäger . Jürgen Schütz
Diese E-Mail einschließlich evtl. beigefügter Dateien enthält
vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie
nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten
haben, informieren Sie bitte sofort den Absender und löschen Sie diese
E-Mail und evtl. beigefügter Dateien umgehend. Das unerlaubte
Kopieren, Nutzen oder Öffnen evtl. beigefügter Dateien sowie die
unbefugte Weitergabe dieser E-Mail ist nicht gestattet.
4:16 p.m.
Hello Timo,
You have a couple of options:
- Use https in your apache mod_proxy configuration (ProxyPass /app https://...)
This implies to have the SSLProxyEngine on with
the SSLProxyCACertificateFile poiting to your CA certificate See the
mod_ssl docs for more details on this [1] For a PROD installation that
would be my preferred option
- For testing quickly you can always try to cheat keycloak adding
scheme="https" to your HTTP connector in tomcat [2] Me I do this for
cheating the SAML adapter ;) [3]
Hope it helps,
Luis
[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyengine
[2] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
[3]
https://github.com/keycloak/keycloak/blob/79774d2f0730593d504072aaabb1b87...
El lun., 10 dic. 2018 a las 12:39, Timo Kockert (<
timo.kockert(a)codecentric.de>) escribió:
Hello Luis,
thanks for your reply!
I was able to get a step further... I think.
I added "ProxyPreserveHost On" to the VHost configuration. Now
Keycloak redirects me to http://my-domain.tld/app (http without s)
after the login. Something (I haven't figured out wether it's the HTTP
Server or the Tomcat) redirects from HTTP to HTTPS after which the
Tomcat returns 403 and prints the following message to the log:
{"error":"invalid_grant","error_description":"Incorrect
redirect_uri"}
I guess the problem is the redirect to HTTP instead of HTTPS? I tried
adding
RequestHeader set X-Forwarded-Proto "https"
to the VHost configuration but that didn't help. Any further advice?
Btw, I didn't write the inital VHost configuration,
"ProxyPassReverseCookiePath" was there when I started working on it.
Probably from some template.
Thanks in advance
Timo
Am Mo., 10. Dez. 2018 um 09:42 Uhr schrieb Luis Rodríguez Fernández
<uo67113(a)gmail.com>:
>
> Hello Timo,
>
> Perhaps enable tomcat access logging [1] can help you to debug this
issue.
> You can compare the request with mod_proxy with the one without.
>
> Out of curiosity: why do you need to set ProxyPassReverseCookiePath /
/app/
> ?
>
> Hope it helps,
>
> Luis
>
> [1]
>
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
>
> El dom., 9 dic. 2018 a las 10:22, Timo Kockert (<
timo.kockert(a)codecentric.de>)
> escribió:
>
> > Hello everyone,
> >
> > I have configured a web application, that is running in Tomcat, to
> > authenticate users with Keycloak. Everything is running fine if I
> > deploy the app to my local Tomcat, even when using the remote Keycloak
> > instance.
> >
> > However, when I deploy the app to another Tomcat running behind an
> > Apache HTTP Server, the following happens:
> >
> > * When I navigate to https://my-domain.tld/app I get redirected to the
> > Keycloak login
> > * After I log in successfully, Keycloak redirects me to
> > <IP>:<PORT>/app of the Tomcat
> > * The Tomcat answers with HTTP status 400
> >
> > My keycloak.json looks like this:
> >
> > {
> > "realm": "cdb_test",
> > "auth-server-url": "https://keycloak-server.tld/auth",
> > "ssl-required": "external",
> > "resource": "cdb_test",
> > "public-client": true
> > }
> >
> > The VHost is configured like this:
> >
> > ProxyPass /app http://<IP>:<PORT>/app/
> > ProxyPassReverse /app http://<IP>:<PORT>/app/
> > ProxyPassReverseCookiePath / /app/
> >
> > I turned on debug logging for the Keycloak Tomcat adapter, see
attachment.
> >
> > Any advice?
> >
> > Thanks in advance
> > Timo
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Timo Kockert | Senior Software Engineer
codecentric AG | dock14 | Am Mittelhafen 14 | 48155 Münster | Deutschland
mobil: +49 151 1086 7040
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de |
www.more4fi.de
Sitz der Gesellschaft: Solingen | HRB 25917| Amtsgericht Wuppertal
Vorstand: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus Jäger . Jürgen Schütz
Diese E-Mail einschließlich evtl. beigefügter Dateien enthält
vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie
nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten
haben, informieren Sie bitte sofort den Absender und löschen Sie diese
E-Mail und evtl. beigefügter Dateien umgehend. Das unerlaubte
Kopieren, Nutzen oder Öffnen evtl. beigefügter Dateien sowie die
unbefugte Weitergabe dieser E-Mail ist nicht gestattet.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
11:42 p.m.
Timo,
To secure a Tomcat webapp that is behind an SSL-terminating reverse proxy, you basically
need a checklist of three items:
- make sure that your reverse proxy forwards all the necessary info to the backend,
including hostname and protocol;
- in Tomcat, configure proxy (host and "https" scheme) on a connector level;
- reflect the changes in the client config in Keycloak (use https:// and your proxy URL).
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-07 at 14:55 +0100, Timo Kockert wrote:
Hello everyone,
I have configured a web application, that is running in Tomcat, to
authenticate users with Keycloak. Everything is running fine if I
deploy the app to my local Tomcat, even when using the remote Keycloak
instance.
However, when I deploy the app to another Tomcat running behind an
Apache HTTP Server, the following happens:
> * When I navigate to https://my-domain.tld/app I get redirected to the
Keycloak login
* After I log in successfully, Keycloak redirects me to
<IP>:<PORT>/app of the Tomcat
* The Tomcat answers with HTTP status 400
My keycloak.json looks like this:
{
"realm": "cdb_test",
> "auth-server-url": "https://keycloak-server.tld/auth",
"ssl-required": "external",
"resource": "cdb_test",
"public-client": true
}
The VHost is configured like this:
ProxyPass /app http://<IP>:<PORT>/app/
ProxyPassReverse /app http://<IP>:<PORT>/app/
ProxyPassReverseCookiePath / /app/
I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
Any advice?
Thanks in advance
Timo
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1972
days inactive
1975
days old
4 comments
3 participants
participants (3)
-
Dmitry Telegin -
Luis Rodríguez Fernández -
Timo Kockert