[keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy

Christopher Wallace cjwallac at gmail.com
Thu Jan 14 12:28:10 EST 2016


Again, Marko, thanks for the information!

We did already configure our standalone server like this. What I did find
is that we updated the .JS adapter script and enabled CORS
(http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx).
Now we are getting to the TOKEN step in the life cycle:


Request URL: https://sso2.company.com/auth/realms/master/protocol/openid-connect/token
Request Method: POST
Status Code: 400 Bad Request
Remote Address: 99.99.99.99:443

Response Headers:
Connection: keep-alive
Content-Type: application/json
Date: Thu, 14 Jan 2016 17:10:45 GMT
Server: nginx/1.4.6 (Ubuntu)
Transfer-Encoding: chunked
X-Powered-By: Undertow/1

Request Headers:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxO
Connection: keep-alive
Content-Length: 202
Content-type: application/x-www-form-urlencoded
Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzOWIxMzg3OS1mYjY5LTQ2MTAtYTdlZS1mZjA2ZjgyOTI4MzUiLCJleHAiOjE0NTI4Mjc0NDcsIm5iZiI6MCwiaWF0IjoxNDUyNzkxNDQ3LCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiYjkwMTViMGItYTUyNC00ZDVkLWJiYjMtMDI2OTk3NjY0NjM1IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.nCUDrU2Q9DQM5c2xcxLoW1pqVJNYcc-ZCUWe6HTlBVh1rwwk0V1q15Mbq0HzWcEkDWqatUTTQ0PEysH18hsOzuJdqRaaplBURwzW4S
DNT: 1
Host: sso2.company.com
Origin: http://portal.app.company.local.medicalpayreview.com
Referer: http://portal.app.company.local.medicalpayreview.com/App/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Form Data (URL encoded):
code: Mk9BGw2vGHNBtO-caT1Z1MEpwixV4Ke5yi5YFEubDes.d82b1938-d6a6-4c3c-99eb-0a0d1c2636be
grant_type: authorization_code
redirect_uri: http://portal.app.local.medicalpayreview.com/App/


We find the following WARNING in the KEYCLOAK logs

17:10:48,891 WARN  [org.keycloak.events] (default task-13)
type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, userId=null,
ipAddress=72.77.99.99, error=invalid_client_credentials,
grant_type=authorization_code

And an error in the browser console:

XMLHttpRequest cannot load
https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://portal.app.company.local.medicalpayreview.com' is
therefore not allowed access. The response had HTTP status code 400.

We appreciate everyone's input on getting over this challenge.



On Thu, Jan 14, 2016 at 10:06 AM Marko Strukelj <mstrukel at redhat.com> wrote:

> Maybe take a look at advice in this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html
>
> On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace <cjwallac at gmail.com> wrote:
> > Marko, thanks for your feedback!
> >
> > We have successfully passed that problem and are able to log in to KEYCLOAK
> > behind NGINX using HTTPS Proxy. Our challenge now is when our applications
> > attempt to access it we get the following error:
> >
> > Request URL: https://sso2.company.com/auth/realms/master/tokens/access/codes
> > Request Method: POST
> > Status Code: 400 Bad Request
> > Remote Address: 99.99.99.99:443
> >
> > Response Headers:
> > Connection: keep-alive
> > Content-Type: application/json
> > Date: Thu, 14 Jan 2016 14:35:52 GMT
> > Server: nginx/1.4.6 (Ubuntu)
> > Transfer-Encoding: chunked
> > X-Powered-By: Undertow/1
> >
> > Request Headers:
> > Accept: */*
> > Accept-Encoding: gzip, deflate
> > Accept-Language: en-US,en;q=0.8
> > Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ
> > Connection: keep-alive
> > Content-Length: 172
> > Content-type: application/x-www-form-urlencoded
> > Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k
> > DNT: 1
> > Host: sso2.company.com
> > Origin: http://app.local.company.com
> > Referer: http://app.local.company.com/App/
> > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
> >
> > Form Data (URL encoded):
> > code: Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2
> > redirect_uri: http://app.local.company.com/App/
> >
> > Please do note that this same application is able to use KEYCLOAK using
> > basically the same configuration without NGINX in the mix. Have any thoughts
> > as to what we should look to configure differently with NGINX in the mix?
> >
> > On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj <mstrukel at redhat.com> wrote:
> >>
> >> The error 'org.apache.http.conn.HttpHostConnectException: Connection to
> >> https://sso2.domain.com refused' means that either there is a server side
> >> problem - your Nginx isn't started and listening on port 443, a firewall
> >> preventing incoming connections - or there is a client side problem - a DNS
> >> issue improperly resolving sso2.domain.com into IP on the host where Tomcat
> >> is running.
> >>
> >> At this point no SSL handshaking was attempted yet.
> >>
> >> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443'
> >> from the server running your Tomcat you'll see the same issue. Once that
> >> starts to work, only then will any SSL / proxying related configuration
> >> issues start to manifest themselves.
> >>
> >> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <cjwallac at gmail.com> wrote:
> >>>
> >>> Community, I have spent a decent amount of time attempting to get
> >>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It
> >>> does work without the proxy, but I need the proxy to handle certificates. I
> >>> think I am pretty close to having it working, but something seems to be
> >>> missing... I have done the following. I appreciate any insight you may have
> >>> as I think I have exhausted other resources.
> >>>
> >>> 1. Configure a server in NGINX
> >>>
> >>> server {
> >>>     listen 443;
> >>>     ssl on;
> >>>     ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
> >>>     ssl_certificate_key /etc/ssl/certs/*.domain.key;
> >>>
> >>>     server_name sso2.domain.com;
> >>>     access_log /var/log/nginx/nginx.sso.access.log;
> >>>     error_log /var/log/nginx/nginx.sso.error.log;
> >>>
> >>>     location / {
> >>>         proxy_set_header Host $host;
> >>>         proxy_set_header X-Real-IP $remote_addr;
> >>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >>>         proxy_set_header X-Forwarded-Proto $scheme;
> >>>         proxy_set_header X-Forwarded-Port 443;
> >>>         proxy_pass http://internalip:8080;
> >>>     }
> >>> }
> >>>
> >>> 2. Enable SSL on a Reverse Proxy
> >>>
> >>> First add proxy-address-forwarding and redirect-socket to the
> >>> http-listener element:
> >>>
> >>> <subsystem xmlns="urn:jboss:domain:undertow:1.1">
> >>>     ...
> >>>     <http-listener name="default" socket-binding="http"
> >>> proxy-address-forwarding="true" redirect-socket="proxy-https"/>
> >>>     ...
> >>> </subsystem>
> >>>
> >>> Then add a new socket-binding element to the socket-binding-group
> >>> element:
> >>>
> >>> <socket-binding-group name="standard-sockets" default-interface="public"
> >>>     port-offset="${jboss.socket.binding.port-offset:0}">
> >>>     ...
> >>>     <socket-binding name="proxy-https" port="443"/>
> >>>     ...
> >>> </socket-binding-group>
> >>>
> >>>
> >>> RECEIVE THE FOLLOWING ERROR in TOMCAT:
> >>>
> >>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
> >>> org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
> >>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
> >>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
> >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
> >>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
> >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
> >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
> >>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
> >>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
> >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
> >>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
> >>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
> >>> Caused by: java.net.ConnectException: Connection timed out
> >>> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
> >>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
> >>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
> >>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
> >>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
> >>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
> >>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
> >>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
> >>> ... 29 common frames omitted
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >
>
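As an added example (not code from the thread, from Keycloak, or from the JS adapter), here is a small offline Python diagnostic for a token request that fails the way the one captured above does. Its capture is constructed to mirror the DevTools dump in the post (redacted host names unified, the client secret replaced by a placeholder, the code shortened), and the event line is the one quoted from the Keycloak log. It decodes the Basic credential, the Keycloak event line and the KEYCLOAK_IDENTITY cookie payload (without signature verification, so diagnostics only), then runs the checks that matter for a CODE_TO_TOKEN_ERROR behind a proxy: a client secret shipped to the browser, a client id mismatch between the request and the event, the redirect_uri origin versus the Origin header, and the token issuer versus the origin the browser actually used.

```python
"""Offline diagnostics for a CODE_TO_TOKEN_ERROR seen behind a reverse proxy.

Added example, not code from the thread or from Keycloak. CAPTURED_REQUEST is
constructed to mirror the DevTools dump in the post (redacted host names
unified, client secret replaced by a placeholder, code shortened).
"""
import base64
import json
from urllib.parse import parse_qs, urlsplit


def unsigned_jwt(payload):
    """JWT-shaped string with a dummy signature; constructed test data only."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256"}), seg(payload), "c2ln"])


CAPTURED_REQUEST = {
    "url": "https://sso2.company.com/auth/realms/master/protocol/openid-connect/token",
    "headers": {
        # A Basic credential on a browser XHR means the JS adapter holds a client secret.
        "Authorization": "Basic " + base64.b64encode(b"platform:PLACEHOLDER-SECRET").decode(),
        "Content-type": "application/x-www-form-urlencoded",
        "Host": "sso2.company.com",
        "Origin": "http://portal.app.company.local.medicalpayreview.com",
        "Cookie": "KEYCLOAK_IDENTITY=" + unsigned_jwt(
            {"iss": "https://sso2.company.com/auth/realms/master", "sub": "a5c632bc"}),
    },
    "body": "code=Mk9BGw2v.d82b1938&grant_type=authorization_code"
            "&redirect_uri=http%3A%2F%2Fportal.app.company.local.medicalpayreview.com%2FApp%2F",
}

# The event line quoted in the post.
KEYCLOAK_EVENT = ("type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, "
                  "userId=null, ipAddress=72.77.99.99, error=invalid_client_credentials, "
                  "grant_type=authorization_code")


def decode_basic(value):
    """Split 'Basic <base64(client_id:secret)>' into (client_id, secret)."""
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    return client_id, secret


def parse_keycloak_event(line):
    """'type=X, realmId=Y, ...' -> {'type': 'X', 'realmId': 'Y', ...}."""
    return dict(item.strip().split("=", 1) for item in line.split(","))


def jwt_payload_unverified(token):
    """Decode the payload WITHOUT signature verification: diagnostics only."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def issuer_matches_request(iss, request_url):
    """False when Keycloak minted the token for a different scheme/host than the
    browser used: the symptom of a proxy that does not pass X-Forwarded-Proto/Host,
    or of an Undertow listener without proxy-address-forwarding."""
    return origin_of(iss) == origin_of(request_url)


def diagnose(request, event_line):
    """Return findings for one captured token request and its Keycloak event."""
    h = request["headers"]
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    event = parse_keycloak_event(event_line)
    findings = []

    if "Origin" in h and "Authorization" in h:
        client_id, _ = decode_basic(h["Authorization"])
        findings.append(f"secret for client '{client_id}' is sent from browser origin "
                        f"{h['Origin']}: a JS app should be a public client with no secret")
        if event.get("clientId") != client_id:
            findings.append(f"Basic client '{client_id}' does not match logged clientId "
                            f"'{event.get('clientId')}'")

    if origin_of(form.get("redirect_uri", "")) != h.get("Origin"):
        findings.append("redirect_uri origin differs from the Origin header")

    cookies = dict(c.strip().partition("=")[::2] for c in h.get("Cookie", "").split(";") if c.strip())
    if "KEYCLOAK_IDENTITY" in cookies:
        iss = jwt_payload_unverified(cookies["KEYCLOAK_IDENTITY"])["iss"]
        if not issuer_matches_request(iss, request["url"]):
            findings.append(f"token issuer {iss} differs from the request origin: check "
                            "X-Forwarded-Proto/Host and proxy-address-forwarding")

    if event.get("error") == "invalid_client_credentials":
        findings.append("Keycloak rejected client authentication (client id/secret); "
                        "fix that before looking at the code or the redirect")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CAPTURED_REQUEST, KEYCLOAK_EVENT):
        print("-", finding)
```

Two facts are worth keeping in mind when reading its output. A Basic credential on a browser XHR means the client secret is in every user's JavaScript, so a browser application should be registered as a public client, and CORS for Keycloak's own endpoints is configured per client through Web Origins rather than in nginx. Also, nginx's `add_header` only applies to 2xx/3xx responses unless the `always` parameter is given (available from nginx 1.7.5), so on a 1.4.6 proxy a 400 from the token endpoint carries no Access-Control-Allow-Origin header, which matches a CORS error reported alongside a 400.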