[keycloak-user] How to work with SpringSecurity adapter behind HTTP proxy?

Thomas Raehalme thomas.raehalme at aitiofinland.com
Mon Dec 19 15:24:14 EST 2016


Hi!

Are you using Tomcat? Please have a look at the two documents below. You
need to configure Tomcat properly when behind a load balancer and not using
AJP.

http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html

http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

Best regards,
Thomas

On Dec 19, 2016 10:07 PM, "Michael Furman" <michael_furman at hotmail.com>
wrote:

> Hi Sebastien,
> I really need your help.
> I read the thread, and I have configured the Apache HTTP proxy to send all
> required X-Forward* headers.
> Unfortunately the redirect URI string is still created in the wrong way.
> According to my understanding, the Spring Security Adapter should have
> code that handles the X-Forward* headers,
> like io.undertow.server.handlers.ProxyPeerAddressHandler in the IDP.
> Can you point me to the code that handles the X-Forward* headers?
> Maybe I will find the bug and I will be able to fix it.
> Thanks in advance,
> Best regards,
>    Michael
>
>
> ________________________________
> From: Sebastien Blanc <sblanc at redhat.com>
> Sent: Thursday, December 15, 2016 12:45 PM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: How to work with SpringSecurity adapter behind HTTP proxy?
>
> Hi Michael !
>
> Before we do any code change, could you check whether your answer is not in
> the following thread? http://lists.jboss.org/pipermail/keycloak-user/2016-May/006287.html
> Looks like SpringSec should correctly handle the x-forwarded-proto and
> host headers ...
>
>
>
> On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman <michael_furman at hotmail.com> wrote:
> Hi Sebastien,
> (I have changed the subject since the root cause of the problem is
> different).
> I have debugged the code and I have found the following.
> Please look at getRedirectUri of org.keycloak.adapters.OAuthRequestAuthenticator:
> It just takes the request URI and creates the redirect URI string:
>     protected String getRedirectUri(String state) {
>         String url = this.getRequestUrl();
>
> Please note that when you work behind a proxy, getRequestUrl() will always be
> localhost, and therefore I think the SpringSecurity adapter cannot work behind
> an HTTP proxy.
>
> How can I change the code in a minimal way so that it will support the HTTP
> proxy?
> Best regards,
>    Michael
>
>
>
> ________________________________
> From: Michael Furman <michael_furman at hotmail.com>
> Sent: Tuesday, December 13, 2016 2:25 PM
> To: Sebastien Blanc
> Subject: Re: [keycloak-user] Very strange behavior when access to IDP from
> SpringSecurity adapter over HTTPS.
>
> Thanks Sebastien,
> I see the link but supposed it is related only to Keycloak IDP.
> Is it also relevant to SpringSecurity adapter?
> Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers?
> Best regards,
>    Michael
>
>
> ________________________________
> From: Sebastien Blanc <sblanc at redhat.com>
> Sent: Tuesday, December 13, 2016 2:19 PM
> To: Michael Furman
> Subject: Re: [keycloak-user] Very strange behavior when access to IDP from
> SpringSecurity adapter over HTTPS.
>
> TBH I have not that much experience with configuring a proxy, but:
> - Have you looked at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html (it also covers
> proxy configuration)
> - Search the user list; I often see questions around this, maybe you can
> find your answer there
>
>
>
> On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman <michael_furman at hotmail.com> wrote:
> Hi Sebastien,
> The problem is not related to HTTPS but to the reverse proxy.
> When I access the SpringSecurity adapter RP over HTTP but behind the Apache
> HTTPD reverse proxy (the client configuration in the IDP is also configured for HTTP),
> the redirect_uri is replaced with localhost:
> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid
> Then, I get the error
>
> WE'RE SORRY ...
> Invalid parameter: redirect_uri
>
> What should I configure to allow it to work with the proxy?
> Any help will be appreciated.
> Best regards,
>    Michael
>
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman <michael_furman at hotmail.com>
> Sent: Tuesday, December 13, 2016 1:17 PM
> To: Sebastien Blanc
>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Very strange behavior when access to IDP from
> SpringSecurity adapter over HTTPS.
>
> Hi,
> Important clarification:
> The HTTPS handshake is done by the Apache httpd server, which is also the reverse proxy
> for Tomcat.
>
>
> Tomcat is located on the same IP.
>
> SpringSecurity RP is deployed in Tomcat.
>
> Best regards
>
>
>
>
> On Dec 13, 2016 12:44 PM, Michael Furman <michael_furman at hotmail.com> wrote:
>
> Example 2:
>
> SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
> is also configured for HTTPS)
>
> IDP is over HTTP
>
> Example 3:
>
> SpringSecurity adapter RP is over HTTP (the client configuration in the IDP
> is also configured for HTTP)
>
> IDP is over HTTP
>
> BTW,
>
> Example 1:
>
> SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP
> is also configured for HTTPS)
>
> IDP is over HTTPS
>
>
>
> ________________________________
> From: Sebastien Blanc <sblanc at redhat.com>
> Sent: Tuesday, December 13, 2016 12:23 PM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Very strange behavior when access to IDP from
> SpringSecurity adapter over HTTPS.
>
> What is the difference between your example 2 and example 3 ?
>
> On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman <michael_furman at hotmail.com> wrote:
> Hi all,
> I am trying to access from the SpringSecurity adapter over HTTPS without success.
> When I try to access the IDP over HTTPS, the redirect_uri is replaced with
> localhost:
>
> https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid
>
> Then I get this error in UI:
> WE'RE SORRY ...
> Invalid parameter: redirect_uri
>
> Similarly, when I try to access the IDP over HTTP, the redirect_uri is
> replaced with localhost:
> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid
>
> Same error in UI:
> WE'RE SORRY ...
> Invalid parameter: redirect_uri
>
> Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri
> have the correct value, and it works:
> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid
>
> Finally I can see the login page.
> What is wrong in my configurations?
> Any help will be appreciated.
> Best regards,
>    Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
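As an added example (not code from this thread, from Keycloak or from the Tomcat docs), here is the Tomcat-side configuration the reply above points to: a server.xml fragment that enables RemoteIpValve so that the scheme and port the servlet request reports, and therefore the request URL the adapter's getRequestUrl() builds from it, describe the public URL seen by the browser rather than the backend connector. The header names, ports and the loopback address in internalProxies are assumptions for illustration: they match Apache httpd's default forwarded headers plus an explicitly set X-Forwarded-Proto, and assume httpd reaches Tomcat over 127.0.0.1 (the thread only says both run on the same IP).

```xml
<!-- Added example, not from the thread: Tomcat server.xml fragment (Engine level).
     Assumptions: Apache httpd is the only reverse proxy, it connects to Tomcat
     from 127.0.0.1, and it sends X-Forwarded-For and X-Forwarded-Proto. -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- RemoteIpValve rewrites the request's remote address, scheme and server
       port from the X-Forwarded-* headers, but only when the TCP peer that
       delivered the request matches internalProxies (or trustedProxies).
       Headers on connections from any other address are left untouched, so a
       client talking to Tomcat directly cannot pick the scheme or port that
       the adapter later places into redirect_uri. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpServerPort="80"
         httpsServerPort="443"
         internalProxies="127\.0\.0\.1" />

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!-- the Spring Security adapter application (/app in the thread) is deployed here -->
  </Host>
</Engine>
```

httpServerPort and httpsServerPort must be the ports the browser uses on the proxy, not Tomcat's connector ports; if httpd terminates TLS on a non-standard port, set httpsServerPort accordingly. If httpd connects to Tomcat from a non-loopback address, that address has to be in internalProxies, otherwise the valve ignores the headers and the symptom in the thread stays. The valve as configured here fixes scheme and port only; the host name the adapter sees still comes from the Host header, so the proxy must pass the original one through (ProxyPreserveHost On in httpd). Without it mod_proxy rewrites Host to the backend address, which is exactly how localhost:8081 ends up inside redirect_uri in the URLs quoted above. Keycloak's "Invalid parameter: redirect_uri" check is then the last line of defence: it rejects whatever the adapter computed because it does not match the client's registered redirect URIs.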

