[keycloak-user] Basic authentication - adapter not using backend-url for HttpPost?

Stian Thorgersen sthorger at redhat.com
Wed Jan 6 09:28:57 EST 2016


Seems like there's two issues here:

#1 auth-server-url is set to localhost - are you doing login from the same
box as Keycloak is running on?
#2 auth-server-url-for-backend-requests is not being used by
BasicAuthRequestAuthenticator
- this is a bug, feel free to raise a jira for this one

On 4 January 2016 at 21:49, Guy Davis <guydavis.ca at gmail.com> wrote:

> Good day,
>
> I'm working with Keycloak 1.7.0.Final (in its own Wildfly) behind a
> HAProxy instance.  A REST service is deployed (as .war) on another server
> (also behind HAProxy) in a JBoss EAP instance, protected using the Keycloak
> adapter.
>
> The deployment is protected as follows in standalone.xml of the JBoss
> instance:
>
>   <secure-deployment name="mytest.war">
>     <realm>MyRealm</realm>
>     <resource>my-resource</resource>
>     <use-resource-role-mappings>true</use-resource-role-mappings>
>     <enable-basic-auth>true</enable-basic-auth>
>     <public-client>true</public-client>
>     <realm-public-key>MIIB...QAB</realm-public-key>
>     <auth-server-url>/auth</auth-server-url>
>     <auth-server-url-for-backend-requests>http://proxy:8080/auth</auth-server-url-for-backend-requests>
>     <ssl-required>NONE</ssl-required>
>     <principal-attribute>preferred_username</principal-attribute>
>   </secure-deployment>
>
> Here is relevant section of mytest.war's web.xml:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>All Admin</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>my-admins</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>this is ignored currently</realm-name>
>   </login-config>
>   <security-role>
>     <description>Admin access for admins.</description>
>     <role-name>my-admins</role-name>
>   </security-role>
>
> Due to the use of the old JBoss EAP 6.1 server, I've had to add the
> following to mytest.war's jboss-web.xml to support proxying, with proxy
> headers added by HAProxy:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>   <security-domain>keycloak-web</security-domain>
>   <context-root>mytest</context-root>
>   <valve>
>     <class-name>org.apache.catalina.valves.RemoteIpValve</class-name>
>     <param>
>       <param-name>protocolHeader</param-name>
>       <param-value>x-forwarded-proto</param-value>
>     </param>
>   </valve>
> </jboss-web>
>
> The hostname "proxy" is resolvable within the cluster behind HAProxy and
> will result in direct access to the Keycloak instance.  From outside the
> cluster, all the services are mapped to the same HTTP namespace by
> HAProxy.  So an external request to http://[external_haproxy]/auth will
> be proxied to Keycloak in the cluster. The 'my-resource' Keycloak client
> has direct access grants enabled and is set to Public access.
>
> In testing, where the entire cluster is launched in Vagrant running on
> Windows, if I access http://localhost/mytest/api/... in a browser, I am
> shown the Keycloak login and get the REST service result as expected.  This
> tells me that the majority of my configuration above is good.
>
> However, if I use a client like curl or JMeter to send a similar HTTP
> request with the Basic authentication header added:
>     Authorization: Basic YWRtaW46YWRtaW4=
>
> Then the following is observed in the JBoss log from Keycloak adapter:
>
>   2016-01-04 20:03:49,295 DEBUG
> [org.keycloak.adapters.BasicAuthRequestAuthenticator] (http-/0.0.0.0:8080-1)
> Failed to obtain token: java.net.ConnectException: Connection refused
>
> Upon debugging through the Keycloak adapter code to watch the basic
> authentication process, I found myself
> in BasicAuthRequestAuthenticator.getToken(), where I find that
> *deployment.getAuthServerBaseUrl()*  == "http://localhost/auth" which is
> not valid on the JBoss EAP system.  This tells me that the external
> hostname (Vagrant host) is being used to build the URI for contacting the
> internal Keycloak host.  In particular, the provided value for
> <auth-server-url-for-backend-requests> is not being used.  Since this Basic
> Auth code uses this URI to issue a "backend" request, I would have expected
> the <auth-server-url-for-backend-requests> value to be used.
>
> So my question is whether I am missing a basic authentication specific
> configuration step or whether I've encountered a defect in URI handling for
> basic auth + backend requests. Interestingly, in the attached Eclipse
> screenshot, the deployment object is aware of the http://proxy:8080 URI
> backend but it is not being used for authServerBaseUrl.
>
> Note, the scope of this problem is more than my Vagrant/localhost
> example.  I expect the same problem to manifest in our AWS test environment
> where external hostnames don't resolve for cluster members identified by
> internal hostnames only.  I'm hoping to find a solution before this hits
> our test environment.
>
> Thanks in advance,
> Guy
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
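The URL-selection problem described in the thread, modelled as an added example (this is not the Keycloak adapter's code, and the `DEPLOYMENT` dict, `request_origin` parameter and helper names are assumptions for illustration): a Basic-auth token exchange is a server-to-server call, so the adapter should build the token endpoint from `auth-server-url-for-backend-requests`, while the relative `auth-server-url` resolves against whatever origin the client used and may not be reachable from the service host. The block decodes the `Authorization: Basic` header from the thread, then builds the direct-access-grant request both ways so the two resulting URLs can be compared.

```python
"""Model of backend vs. front-end auth-server URL selection for the Basic-auth
token exchange.  Added illustration, not Keycloak's own adapter code."""
import base64
from typing import Tuple
from urllib.parse import urlencode

# Standard Keycloak token endpoint path (direct access grant / password grant).
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"

# Constructed from the secure-deployment values quoted in the thread.
DEPLOYMENT = {
    "realm": "MyRealm",
    "resource": "my-resource",
    "auth-server-url": "/auth",                                    # relative: browser-facing
    "auth-server-url-for-backend-requests": "http://proxy:8080/auth",  # cluster-internal
}


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Split an 'Authorization: Basic <base64>' value into (username, password)."""
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        raise ValueError("not a Basic authorization header")
    creds = base64.b64decode(payload, validate=True).decode("utf-8")
    user, sep, password = creds.partition(":")
    if not sep:
        raise ValueError("Basic credentials must be 'user:password'")
    return user, password


def frontend_base_url(deployment: dict, request_origin: str) -> str:
    """A relative auth-server-url is resolved against the incoming request's
    origin, which is why the thread sees http://localhost/auth on the EAP box."""
    url = deployment["auth-server-url"]
    if url.startswith("/"):
        return request_origin.rstrip("/") + url
    return url


def backend_base_url(deployment: dict, request_origin: str) -> str:
    """Backend URL wins when configured; otherwise fall back to the front-end one.
    The thread reports the 1.7.0 adapter skipping this step for Basic auth."""
    return (deployment.get("auth-server-url-for-backend-requests")
            or frontend_base_url(deployment, request_origin))


def token_request(deployment: dict, header: str, request_origin: str,
                  use_backend: bool = True) -> Tuple[str, str]:
    """Build (url, form_body) for exchanging Basic credentials for a token
    via the password grant.  use_backend=False reproduces the reported bug."""
    user, password = decode_basic_header(header)
    base = (backend_base_url(deployment, request_origin) if use_backend
            else frontend_base_url(deployment, request_origin))
    url = base.rstrip("/") + TOKEN_PATH.format(realm=deployment["realm"])
    body = urlencode({
        "grant_type": "password",
        "client_id": deployment["resource"],   # public client: no client secret
        "username": user,
        "password": password,
    })
    return url, body


if __name__ == "__main__":
    header = "Basic YWRtaW46YWRtaW4="   # the header from the thread
    for use_backend in (True, False):
        url, _ = token_request(DEPLOYMENT, header, "http://localhost", use_backend)
        print(("backend " if use_backend else "frontend"), url)
```

Running it prints the cluster-internal `http://proxy:8080/auth/...` endpoint for the backend case and the unreachable `http://localhost/auth/...` endpoint for the front-end case, which matches the `Connection refused` in the quoted log. The same comparison is a quick check to run (with curl against the two base URLs from the JBoss host) before concluding the adapter, rather than the proxy or DNS, is at fault.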