[keycloak-user] Proxy configuration issue (Bill Burke)

Adrian Matei adrianmatei at gmail.com
Mon Nov 23 04:29:05 EST 2015


Hi Bill,

The problem was that the proxy did not ask the user to "login", but it was
my error because I had forgotten to configure the "constraints" section in
proxy.json.

The issue I am having now is that the "sign out" from another application
in the same realm doesn't sign out the user in the proxied application
(the "session" cookie is still present) - should I configure something
special regarding this?

Here is my working configuration now:
 {
    "target-url": "http://localhost:8280/",
    "send-access-token": true,
    "bind-address": "localhost",
    "http-port": "8080",
    "applications": [
        {
            "base-path": "/backend",
            "error-page": "/error.html",
            "adapter-config": {
                "realm": "demo",
                "resource": "proxy",
                "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GN....",
                "auth-server-url": "http://localhost:8180/auth",
                "ssl-required" : "external",
                "principal-attribute": "name",
                "credentials": {
                    "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
                }
            },
            "constraints": [
                {
                    "pattern": "/*",
                    "roles-allowed": [
                        "user"
                    ]
                }
            ]

        }
    ]
}

Thanks,
Adrian

Message: 1
Date: Fri, 20 Nov 2015 10:09:59 -0500
From: Bill Burke <bburke at redhat.com>
Subject: Re: [keycloak-user] Proxy configuration issue (Bill Burke)
To: keycloak-user at lists.jboss.org
Message-ID: <564F37C7.9010007 at redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

That all looks right.  What are the problems you are seeing?  I don't
see them listed explicitly in this email thread.

On 11/20/2015 6:31 AM, Adrian Matei wrote:
> Hi Bill,
>
> Thank you for your answer, but I still don't seem to get Keycloak to
> "catch" my requests against the protected application.
> Let me make the scenario clear:
>
> 1. Application to be protected runs on http://localhost:*8280*/backend
>
> 2. Server proxy started and runs on http://localhost:*8080*, when I type
> http://localhost:8080/backend in the browser I see the protected application
>
> 3. Keycloak server runs on http://localhost:*8180*/auth
>
> 4. The adapter config in the "applications" section now corresponds to the
> proxy client I have configured in the Keycloak realm:
>
>     Client ID: proxy
>
>     Client Protocol: openid-connect
>     Access Type: confidential
>     Valid Redirect URIs: http://localhost:8080/backend/*
>
>
> I am not sure how to configure the proxy Server - now I have the following:
> {
>      "target-url": "*http://localhost:8280/*", ???
>      "send-access-token": false,
>      "bind-address": "localhost",
>      "http-port": "8080", ???
>      "applications": [
>          {
>              "base-path": "*/backend*",
>              "error-page": "/error.html",
>              "adapter-config": {
>                  "realm": "demo",
>                  "resource": "*proxy*",
>                  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>                  "auth-server-url": "http://localhost:8180/auth",
>                  "ssl-required" : "external",
>                  "principal-attribute": "name",
>                  "credentials": {
>                      "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
>                  }
>              }
>          }
>      ]
> }
> Questions:
> 1. The target-url I set it to the URL of the application the proxy
> server is proxying - this means the server can only proxy applications
> on the same URL?
> 2. What am I doing wrong :((((?
>
>
> Thanks a bunch,
> Adrian
>
> "Can't really see the screenshot, but you have to point keycloak to the
> host/port of the proxy.
>
> On 11/19/2015 9:13 AM, Adrian Matei wrote:
>  > Hi everyone,
>  >
>  > I am trying to make a simple test and configure a keycloak proxy to
>  > protect an application running on http://localhost:8280/backend/
>
>      >on looks like the following:
>      >
>      > {
>      >      "target-url": "http://localhost:8280/",
>      >      "send-access-token": false,
>      >      "bind-address": "localhost",
>      >      "http-port": "8080",
>      >      "applications": [
>      >          {
>      >              "base-path": "/backend",
>      >              "error-page": "/error.html",
>      >              "adapter-config": {
>      >                  "realm": "demo",
>      >                  "resource": "sandbox-backend",
>      >                  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>      >                  "auth-server-url": "http://localhost:8180/auth",
>      >                  "ssl-required" : "external",
>      >                  "credentials": {
>      >                      "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395"
>      >                  }
>      >              }
>      >          }
>      >      ]
>      > }
>      >
>      > 2. I've started the proxy server as specified in the documentation
>      > "java -jar bin/launcher.jar proxy.json"
>      > I am getting an error "ERROR: UT005026: Jetty ALPN support not found on
>      > boot class path, SPDY client will not be available.", but the server
>      > still starts, I don't think there should be a problem with that...
>      >
>      > 3. In the admin console (keycloak running on port 8180) I've configured
>      > the backend application like the following:
>      >
>      > Could you tell me what I am doing wrong? When I put in the app's url in
>      > the browser it goes directly to the application...
>      >
>      > Thanks,
>      > Adrian"
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
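
Added example, not part of the original thread and not Keycloak project code: a Python check for the failure discussed above, where an application entry in proxy.json has no "constraints" section and requests reach the target without a login. It uses only the keys visible in the posted configurations; the function name `audit_proxy_config` and both sample documents are constructed for illustration.

```python
import json

NO_CONSTRAINTS = "no constraints: requests are proxied without a login"
NO_PATTERN = "constraint has no pattern"
NO_ROLES = "constraint lists no roles-allowed: review what it enforces"

# Constructed sample modelled on the earlier configuration in the thread.
UNPROTECTED = """{
  "target-url": "http://localhost:8280/",
  "applications": [
    {"base-path": "/backend",
     "adapter-config": {"realm": "demo", "resource": "proxy"}}
  ]
}"""

# Constructed sample modelled on the working configuration.
PROTECTED = """{
  "target-url": "http://localhost:8280/",
  "applications": [
    {"base-path": "/backend",
     "adapter-config": {"realm": "demo", "resource": "proxy"},
     "constraints": [{"pattern": "/*", "roles-allowed": ["user"]}]}
  ]
}"""


def audit_proxy_config(text):
    """Return (base-path, problem) pairs for each weak application entry."""
    findings = []
    for app in json.loads(text).get("applications") or []:
        base = app.get("base-path", "<no base-path>")
        constraints = app.get("constraints") or []
        if not constraints:
            findings.append((base, NO_CONSTRAINTS))
        for rule in constraints:
            # Only the keys shown in the thread are understood here.
            if not rule.get("pattern"):
                findings.append((base, NO_PATTERN))
            if not rule.get("roles-allowed"):
                findings.append((base, NO_ROLES))
    return findings


if __name__ == "__main__":
    for name, text in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, audit_proxy_config(text) or "ok")
```

A constraint that relies on options not shown in this thread is reported for manual review rather than treated as valid.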