[keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
Michael Furman
michael_furman at hotmail.com
Tue Dec 13 07:13:12 EST 2016
HI Sebastien,
The problem is not related to HTTPS but to the reverse proxy
When I access to SpringSecurity adapter RP over HTTP but behind the Apache HTTPD reverse proxy (the client configuration in IDP configured also HTTP) the redirect_uri is replaced to localhost:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid
Then, I get the error
WE'RE SORRY ...
Invalid parameter: redirect_uri
What should I configure to allow to work with proxy?
Any help will be appreciated.
Best regards,
Michael
________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman <michael_furman at hotmail.com>
Sent: Tuesday, December 13, 2016 1:17 PM
To: Sebastien Blanc
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
Hi,
Important clarification:
The HTTPS handshake is by Apache httpd server that is also reverse proxy for Tomcat.
Tomcat is located on the same ip.
SpringSecurity RP is deployed in Tomcat.
Best regards
On Dec 13, 2016 12:44 PM, Michael Furman <michael_furman at hotmail.com> wrote:
Example 2:
SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS)
IDP is over HTTP
Example 3:
SpringSecurity adapter RP is over HTTP (the client configuration in IDP configured also HTTP)
IDP is over HTTP
BTW,
Example 1:
SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS)
IDP is over HTTPS
________________________________
From: Sebastien Blanc <sblanc at redhat.com>
Sent: Tuesday, December 13, 2016 12:23 PM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
What is the difference between your example 2 and example 3 ?
On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>> wrote:
Hi all,
I try to access from SpringSecurity adapter over HTTPS without success.
When I try to access to IDP over HTTPS the redirect_uri is replaced to localhost:
https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid
Then I get this error in UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri
Similar, when I try to access to IDP over HTTP, the redirect_uri is replaced to localhost:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid
Same error in UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri
Only if I access from SpringSecurity adapter over HTTP the redirect_uri has correct value and it works:
http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid
Finally I can see the login page.
What wrong in my configurations?
Any help will be appreciated.
Best regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
More information about the keycloak-user
mailing list