[keycloak-user] Basic authentication - adapter not using backend-url for HttpPost?
Stian Thorgersen
sthorger at redhat.com
Wed Jan 6 09:28:57 EST 2016
Seems like there's two issues here:
#1 auth-server-url is set to localhost - are you doing login from the same
box as Keycloak is running on?
#2 auth-server-url-for-backend-requests is not being used by
BasicAuthRequestAuthenticator
- this is a bug, feel free to raise a jira for this one
On 4 January 2016 at 21:49, Guy Davis <guydavis.ca at gmail.com> wrote:
> Good day,
>
> I'm working with Keycloak 1.7.0.Final (in it's own Wildfly) behind a
> HAProxy instance. A REST service is deployed (as .war) on another server
> (also behind HAProxy) in a JBoss EAP instance, protected using the Keycloak
> adapter.
>
> The deployment is protected as follows in standalone.xml of the JBoss
> instance:
>
> <secure-deployment name="mytest.war">
> <realm>MyRealm</realm>
> <resource>my-resource</resource>
>
> <use-resource-role-mappings>true</use-resource-role-mappings>
> <enable-basic-auth>true</enable-basic-auth>
> <public-client>true</public-client>
> <realm-public-key>MIIB...QAB</realm-public-key>
> <auth-server-url>/auth</auth-server-url>
> <auth-server-url-for-backend-requests>
> http://proxy:8080/auth</auth-server-url-for-backend-requests>
> <ssl-required>NONE</ssl-required>
>
> <principal-attribute>preferred_username</principal-attribute>
> </secure-deployment>
>
> Here is relevant section of mytest.war's web.xml:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>All Admin</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>my-admins</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>this is ignored currently</realm-name>
> </login-config>
> <security-role>
> <description>Admin access for admins.</description>
> <role-name>my-admins</role-name>
> </security-role>
>
> Due to the use of the old JBoss EAP 6.1 server, I've had to add the
> following to mytest.war's jboss-web.xml to support proxying, with proxy
> headers added by HAProxy:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
> <security-domain>keycloak-web</security-domain>
> <context-root>mytest</context-root>
> <valve>
> <class-name>org.apache.catalina.valves.RemoteIpValve</class-name>
> <param>
> <param-name>protocolHeader</param-name>
> <param-value>x-forwarded-proto</param-value>
> </param>
> </valve>
> </jboss-web>
>
> The hostname "proxy" is resolvable within the cluster behind HAProxy and
> will result in direct access to the Keycloak instance. From outside the
> cluster, all the services are mapped to the same HTTP namespace by
> HAProxy. So an external request to http://[external_haproxy]/auth will
> be proxied to Keycloak in the cluster. The 'my-resource' Keycloak client
> has direct access grants enabled and is set to Public access.
>
> In testing, where the entire cluster is launched in Vagrant running on
> Windows, if I access http://localhost/mytest/api/... in a browser, I am
> shown the Keycloak login and get the REST service result as expected. This
> tells me that the majority of my configuration above is good.
>
> However, if I use a client like curl or JMeter to send a similar HTTP
> request with the Basic authentication header added:
> Authorization: Basic YWRtaW46YWRtaW4=
>
> Then the following is observed in the JBoss log from Keycloak adapter:
>
> 2016-01-04 20:03:49,295 DEBUG
> [org.keycloak.adapters.BasicAuthRequestAuthenticator] (http-/0.0.0.0:8080-1)
> Failed to obtain token: java.net.ConnectException: Connection refused
>
> Upon debugging through the Keycloak adapter code to watch the basic
> authentication process, I found myself
> in BasicAuthRequestAuthenticator,getToken() where I find that
> *deployment.getAuthServerBaseUrl()* == "http://localhost/auth" which is
> not valid on the JBoss EAP system. This tells me that the external
> hostname (Vagrant host) is being used to build the URI for contacting the
> internal Keycloak host. In particular, the provided value for
> <auth-server-url-for-backend-requests> is not being used. Since this Basic
> Auth code uses this URI to issue a "backend" request, I would have expected
> the <auth-server-url-for-backend-requests> value to be used.
>
> So my question is whether I am missing a basic authentication specific
> configuration step or whether I've encountered a defect in URI handling for
> basic auth + backend requests. Interestingly, in the attached Eclipse
> screenshot, the deployment object is aware of the http://proxy:8080 URI
> backend but it is not being used for authServerBaseUrl.
>
> Note, the scope of this problem is more than my Vagrant/localhost
> example. I expect the same problem to manifest in our AWS test environment
> where external hostnames don't resolve for cluster members identified by
> internal hostnames only. I'm hoping to find a solution before this hits
> our test environment.
>
> Thanks in advance,
> Guy
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160106/4ce9e681/attachment-0001.html
More information about the keycloak-user
mailing list