[keycloak-user] How to work with SpringSecurity adapter behind HTTP proxy?

Sebastien Blanc sblanc at redhat.com
Thu Dec 15 05:45:29 EST 2016


Hi Michael !

Before we do any code change, could you check if your answer is not in the
following thread?
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006287.html
Looks like SpringSec should correctly handle the x-forwarded-proto and host
headers ...



On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman <michael_furman at hotmail.com>
wrote:

> Hi Sebastien,
>
> (I have changed the subject since the root cause of the problem is
> different).
>
> I have debugged the code and I have found the following.
>
> Please look at getRedirectUri of org.keycloak.adapters.
> OAuthRequestAuthenticator:
>
> It just takes the request URI and creates the redirect URI string:
>
>     protected String getRedirectUri(String state) {
>         String url = this.getRequestUrl();
>
> Please note that when you work behind a proxy, getRequestUrl() will always be
> localhost and therefore I think the SpringSecurity adapter can not work behind
> an HTTP proxy.
>
>
>
> How can I change the code in a minimal way so that it will support the HTTP
> proxy?
>
> Best regards,
>
>    Michael
>
>
>
> ------------------------------
> *From:* Michael Furman <michael_furman at hotmail.com>
> *Sent:* Tuesday, December 13, 2016 2:25 PM
> *To:* Sebastien Blanc
> *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP
> from SpringSecurity adapter over HTTPS.
>
>
> Thanks Sebastien,
>
> I see the link, but I supposed it is related only to the Keycloak IDP.
>
> Is it also relevant to SpringSecurity adapter?
>
> Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers?
>
> Best regards,
>    Michael
>
>
>
> ------------------------------
> *From:* Sebastien Blanc <sblanc at redhat.com>
> *Sent:* Tuesday, December 13, 2016 2:19 PM
> *To:* Michael Furman
> *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP
> from SpringSecurity adapter over HTTPS.
>
> TBH I have not that much experience with configuring a proxy, but:
> - Have you looked at https://keycloak.gitbooks.io/server-installation-and-
> configuration/content/topics/clustering/load-balancer.html (it also covers
> proxy configuration)
> - Search the user list, I often see questions around this; maybe you can
> find your answer there.
>
>
>
> On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman <
> michael_furman at hotmail.com> wrote:
>
>> Hi Sebastien,
>>
>> The problem is not related to HTTPS but to the reverse proxy.
>>
>> When I access the SpringSecurity adapter RP over HTTP but behind the
>> Apache HTTPD reverse proxy (the client configuration in the IDP is also
>> configured for HTTP), the redirect_uri is replaced with localhost:
>>
>> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid
>>
>> Then, I get the error
>>
>>
>>
>> WE'RE SORRY ...
>>
>> Invalid parameter: redirect_uri
>>
>>
>>
>> What should I configure to allow it to work with the proxy?
>>
>> Any help will be appreciated.
>>
>> Best regards,
>>
>>    Michael
>>
>>
>> ------------------------------
>> *From:* keycloak-user-bounces at lists.jboss.org <
>> keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman <
>> michael_furman at hotmail.com>
>> *Sent:* Tuesday, December 13, 2016 1:17 PM
>> *To:* Sebastien Blanc
>>
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP
>> from SpringSecurity adapter over HTTPS.
>>
>> Hi,
>> Important clarification:
>> The HTTPS handshake is done by the Apache httpd server, which is also the
>> reverse proxy for Tomcat.
>>
>>
>> Tomcat is located on the same IP.
>>
>> SpringSecurity RP is deployed in Tomcat.
>>
>> Best regards
>>
>>
>>
>>
>> On Dec 13, 2016 12:44 PM, Michael Furman <michael_furman at hotmail.com>
>> wrote:
>>
>> Example 2:
>>
>> SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
>> is also configured for HTTPS)
>>
>> IDP is over HTTP
>>
>>
>>
>> Example 3:
>>
>> SpringSecurity adapter RP is over HTTP (the client configuration in the IDP
>> is also configured for HTTP)
>>
>> IDP is over HTTP
>>
>>
>>
>> BTW,
>>
>> Example 1:
>>
>> SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
>> is also configured for HTTPS)
>>
>> IDP is over HTTPS
>>
>>
>>
>> ________________________________
>> From: Sebastien Blanc <sblanc at redhat.com>
>> Sent: Tuesday, December 13, 2016 12:23 PM
>> To: Michael Furman
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Very strange behavior when access to IDP
>> from SpringSecurity adapter over HTTPS.
>>
>> What is the difference between your example 2 and example 3 ?
>>
>> On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman <
>> michael_furman at hotmail.com> wrote:
>> Hi all,
>> I try to access from the SpringSecurity adapter over HTTPS without success.
>> When I try to access the IDP over HTTPS, the redirect_uri is replaced with
>> localhost:
>>
>> https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid
>>
>> Then I get this error in UI:
>> WE'RE SORRY ...
>> Invalid parameter: redirect_uri
>>
>> Similarly, when I try to access the IDP over HTTP, the redirect_uri is
>> replaced with localhost:
>> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid
>>
>> Same error in UI:
>> WE'RE SORRY ...
>> Invalid parameter: redirect_uri
>>
>> Only if I access from the SpringSecurity adapter over HTTP does the
>> redirect_uri have the correct value, and it works:
>> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid
>>
>> Finally I can see the login page.
>> What is wrong in my configurations?
>> Any help will be appreciated.
>> Best regards,
>>    Michael
>>
>
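The thread above turns on one mechanism: an adapter that derives redirect_uri from the local request URL sees "localhost:8081" behind a reverse proxy, sends that to the IdP, and the IdP rejects it because it does not match the client's registered redirect URIs ("Invalid parameter: redirect_uri"). The Python below is an added illustration of that logic and is not Keycloak or Spring Security adapter code. It reconstructs the externally visible URL from X-Forwarded-Proto/Host/Port, honours those headers only when the immediate peer is a trusted proxy (otherwise any client could inject them), and applies a simplified registered-redirect-URI check. The subnet, hosts, ports and registered pattern are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

# Assumption (constructed): only the reverse proxy, which lives in this
# subnet, is allowed to set X-Forwarded-* headers on requests to the adapter.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("192.168.110.0/24")]

DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed: the redirect URIs registered for client "testclient" at the IdP.
REGISTERED_REDIRECT_URIS = ["https://192.168.110.2/app/sso/*"]


def _first(value):
    """Comma-separated X-Forwarded-* values carry a chain of hops; the first
    element describes the client-facing hop."""
    return value.split(",")[0].strip()


def external_request_url(headers, remote_addr, local_scheme, local_host, path,
                         honor_forwarded=True):
    """Return the URL the browser actually used.

    honor_forwarded=False mimics an adapter that only looks at the local
    request (the behaviour described in the thread). Even with it on, the
    forwarded headers are trusted only from a known proxy address."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = local_scheme, local_host
    peer_trusted = any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES)
    if honor_forwarded and peer_trusted:
        scheme = _first(h.get("x-forwarded-proto", scheme)).lower()
        host = _first(h.get("x-forwarded-host", h.get("host", host)))
        port = h.get("x-forwarded-port")
        # Append the forwarded port unless the host already carries one or it
        # is the scheme's default port.
        if port and ":" not in host and _first(port) != DEFAULT_PORTS.get(scheme):
            host = f"{host}:{_first(port)}"
    return f"{scheme}://{host}{path}"


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state):
    """Assemble the OpenID Connect authorization request, as the adapter does
    before redirecting the browser to the IdP."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": "openid"}
    return f"{auth_endpoint}?{urlencode(params)}"


def redirect_uri_allowed(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Simplified IdP-side check behind 'Invalid parameter: redirect_uri':
    exact match, or prefix match when the registered entry ends in '*'.
    Scheme, host and port are part of the comparison, so a value rewritten to
    localhost by a proxy-unaware adapter never matches."""
    for pattern in registered:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def adapter_redirect_uri(remote_addr, honor_forwarded=True):
    """Constructed request as Tomcat on localhost:8081 sees it after Apache
    on 192.168.110.2 terminated TLS and forwarded it."""
    headers = {"Host": "localhost:8081",
               "X-Forwarded-Proto": "https",
               "X-Forwarded-Host": "192.168.110.2",
               "X-Forwarded-Port": "443"}
    return external_request_url(headers, remote_addr, "http", "localhost:8081",
                                "/app/sso/login", honor_forwarded)


if __name__ == "__main__":
    for label, uri in [
        ("proxy-unaware adapter", adapter_redirect_uri("192.168.110.2", False)),
        ("proxy-aware adapter  ", adapter_redirect_uri("192.168.110.2", True)),
        ("spoofed headers, untrusted peer", adapter_redirect_uri("10.0.0.99")),
    ]:
        verdict = "accepted" if redirect_uri_allowed(uri) else "Invalid parameter: redirect_uri"
        print(f"{label}: {uri} -> {verdict}")
    print(build_authorization_url(
        "https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth",
        "testclient", adapter_redirect_uri("192.168.110.2"), "0/example-state"))
```

The trusted-proxy check is the part worth keeping when adapting this to a real deployment: accepting X-Forwarded-Host from any peer lets a direct caller choose the host in redirect_uri, which turns a proxy fix into an open-redirect risk. The same reasoning applies to the IdP side of the thread: Keycloak's registered redirect URIs are the control that caught the localhost value, and loosening them to make the error go away is the wrong fix.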