[keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy

Christopher Wallace cjwallac at gmail.com
Thu Jan 14 14:36:14 EST 2016


Well in lieu of all the fancy NGINX configuration I found it was simply
putting KEYCLOAK to accept NON-SSL connections internally because the
connection from NGINX to KEYCLOAK itself is over HTTP. We were able to
remove all the special headers instructions in NGINX.

Thanks for you help through it, sometimes walking away for lunch is the
best idea ;-)


On Thu, Jan 14, 2016 at 12:28 PM Christopher Wallace <cjwallac at gmail.com>
wrote:

> Again Marko Thanks for the information!
>
> We did already configure our standalone server like this. What I did find
> is that we updated the .JS adapter script and enable CORS
> http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx Now
> we are getting to the TOKEN step in the life cycle
>
>
>    1. Request URL:
>
>       https://sso2.company.com/auth/realms/master/protocol/openid-connect/token
>
>
>    1. Request Method:
>       POST
>       2. Status Code:
>       400 Bad Request
>       3. Remote Address:
>       99.99.99.99:443
>
>
>    1. Response Headersview source
>       1. Connection:
>       keep-alive
>       2. Content-Type:
>       application/json
>       3. Date:
>       Thu, 14 Jan 2016 17:10:45 GMT
>
>
>    1. Server:
>       nginx/1.4.6 (Ubuntu)
>       2. Transfer-Encoding:
>       chunked
>       3. X-Powered-By:
>       Undertow/1
>
>
>    1. Request Headersview source
>
>
>    1. Accept:
>       */*
>       2. Accept-Encoding:
>       gzip, deflate
>       3. Accept-Language:
>       en-US,en;q=0.8
>       4. Authorization:
>       Basic bXByLXBsYXRmb3JtOmU1MGYxO
>
>
>    1. Connection:
>       keep-alive
>       2. Content-Length:
>       202
>       3. Content-type:
>       application/x-www-form-urlencoded
>       4. Cookie:
>
>       KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzOWIxMzg3OS1mYjY5LTQ2MTAtYTdlZS1mZjA2ZjgyOTI4MzUiLCJleHAiOjE0NTI4Mjc0NDcsIm5iZiI6MCwiaWF0IjoxNDUyNzkxNDQ3LCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiYjkwMTViMGItYTUyNC00ZDVkLWJiYjMtMDI2OTk3NjY0NjM1IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.nCUDrU2Q9DQM5c2xcxLoW1pqVJNYcc-ZCUWe6HTlBVh1rwwk0V1q15Mbq0HzWcEkDWqatUTTQ0PEysH18hsOzuJdqRaaplBURwzW4S
>       5. DNT:
>       1
>       6. Host:
>       sso2.company.com
>       7. Origin:
>       http://portal.app.company.local.medicalpayreview.com
>       8. Referer:
>       http://portal.app.company.local.medicalpayreview.com/App/
>
>
>    1. User-Agent:
>       Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36
>       (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
>
>
>    1. Form Dataview sourceview URL encoded
>
>
>    1. code:
>
>       Mk9BGw2vGHNBtO-caT1Z1MEpwixV4Ke5yi5YFEubDes.d82b1938-d6a6-4c3c-99eb-0a0d1c2636be
>       2. grant_type:
>       authorization_code
>       3. redirect_uri:
>       http://portal.app.local.medicalpayreview.com/App/
>
>
> We find the following WARNING in the KEYCLOAK logs
>
> 17:10:48,891 WARN  [org.keycloak.events] (default task-13)
> type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, userId=null,
> ipAddress=72.77.99.99, error=invalid_client_credentials,
> grant_type=authorization_code
>
> And and error the browser console:
>
> XMLHttpRequest cannot load
> https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://portal.app.company.local.medicalpayreview.com'
> is therefore not allowed access. The response had HTTP status code 400.
>
> We appreciate everyones input on getting over this challenge.
>
>
>
> On Thu, Jan 14, 2016 at 10:06 AM Marko Strukelj <mstrukel at redhat.com>
> wrote:
>
>> Maybe take a look at advice in this thread:
>> http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html
>>
>> On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace <cjwallac at gmail.com>
>> wrote:
>> > Marko, Thanks for your feedback!
>> >
>> > We have successfully pass that problem and are able to login to KEYCLOAK
>> > behind NGINX using HTTPS Proxy. Our challenge now is when our
>> applications
>> > attempt to access we get the following error:
>> >
>> > Request URL:
>> > https://sso2.company.com/auth/realms/master/tokens/access/codes
>> > Request Method:
>> > POST
>> > Status Code:
>> > 400 Bad Request
>> > Remote Address:
>> > 99.99.99.99:443
>> >
>> > Response Headersview source
>> >
>> > Connection:
>> > keep-alive
>> > Content-Type:
>> > application/json
>> > Date:
>> > Thu, 14 Jan 2016 14:35:52 GMT
>> > Server:
>> > nginx/1.4.6 (Ubuntu)
>> > Transfer-Encoding:
>> > chunked
>> > X-Powered-By:
>> > Undertow/1
>> >
>> > Request Headersview source
>> >
>> > Accept:
>> > */*
>> > Accept-Encoding:
>> > gzip, deflate
>> > Accept-Language:
>> > en-US,en;q=0.8
>> > Authorization:
>> > Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ
>> > Connection:
>> > keep-alive
>> > Content-Length:
>> > 172
>> > Content-type:
>> > application/x-www-form-urlencoded
>> > Cookie:
>> >
>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k
>> > DNT:
>> > 1
>> > Host:
>> > sso2.company.com
>> > Origin:
>> > http://app.local.company.com
>> > Referer:
>> > http://app.local.company.com/App/
>> > User-Agent:
>> > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36
>> (KHTML,
>> > like Gecko) Chrome/47.0.2526.106 Safari/537.36
>> >
>> > Form Dataview sourceview URL encoded
>> >
>> > code:
>> >
>> Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2
>> > redirect_uri:
>> > http://app.local.company.com/App/
>> >
>> > Please do note that this same application is able KEYCLOAK using
>> basically
>> > the same configuration without NGINX in the MIX. Have any thoughts was
>> to
>> > what we should look to configure differently with NGIX in the mix?
>> >
>> > On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj <mstrukel at redhat.com>
>> wrote:
>> >>
>> >> The error 'org.apache.http.conn.HttpHostConnectException: Connection to
>> >> https://sso2.domain.com refused' means that either there is a server
>> side
>> >> problem - your Nginx isn't started and listening on port 443, a
>> firewall
>> >> preventing incoming connections - or there is a client side problem -
>> a DNS
>> >> issue improperly resolving sso2.domain.com into IP on the host where
>> Tomcat
>> >> is running.
>> >>
>> >> At this point no SSL handshaking was attempted yet.
>> >>
>> >> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com
>> 443'
>> >> from the server running your Tomcat you'll see the same issue. Once
>> that
>> >> starts to work, only then will any SSL / proxying related configuration
>> >> issues start to manifest themselves.
>> >>
>> >> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <
>> cjwallac at gmail.com>
>> >> wrote:
>> >>>
>> >>> Community, I have spent a decent amount of time attempting to get
>> >>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT
>> Application. It
>> >>> does work without the proxy, but I need the proxy to handle
>> certificates. I
>> >>> think I am pretty close to having it working, but somethings seems to
>> be
>> >>> missing... I have done the following. I appreciate any insight you
>> may have
>> >>> as I think I have exhausted other resources.
>> >>>
>> >>> 1. Configure a server in NGINX
>> >>>
>> >>> server {
>> >>>
>> >>> listen   443;
>> >>>
>> >>>
>> >>> ssl    on;
>> >>>
>> >>> ssl_certificate    /etc/ssl/certs/dcf30de94f28f16f.crt;
>> >>>
>> >>> ssl_certificate_key    /etc/ssl/certs/*.domain.key;
>> >>>
>> >>>
>> >>> server_name sso2. domain.com;
>> >>>
>> >>> access_log /var/log/nginx/nginx.sso.access.log;
>> >>>
>> >>> error_log /var/log/nginx/nginx.sso.error.log;
>> >>>
>> >>>   location / {
>> >>>
>> >>>         proxy_set_header Host $host;
>> >>>
>> >>>         proxy_set_header X-Real-IP $remote_addr;
>> >>>
>> >>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >>>
>> >>>         proxy_set_header X-Forwarded-Proto $scheme;
>> >>>
>> >>>         proxy_set_header X-Forwarded-Port 443;
>> >>>
>> >>>         proxy_pass http://internalip:8080;
>> >>>
>> >>>     }
>> >>>
>> >>> }
>> >>>
>> >>> 2. Enable SSL on a Reverse Proxy
>> >>>
>> >>> First add proxy-address-forwarding and redirect-socket to the
>> >>> http-listener element:
>> >>>
>> >>> <subsystem xmlns="urn:jboss:domain:undertow:1.1">
>> >>>     ...
>> >>>     <http-listener name="default" socket-binding="http"
>> >>> proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>> >>>     ...
>> >>> </subsystem>
>> >>>
>> >>> Then add a new socket-binding element to the socket-binding-group
>> >>> element:
>> >>>
>> >>> <socket-binding-group name="standard-sockets"
>> default-interface="public"
>> >>> port-offset="${jboss.socket.binding.port-offset:0}">
>> >>>     ...
>> >>>     <socket-binding name="proxy-https" port="443"/>
>> >>>     ...
>> >>> </socket-binding-group>
>> >>>
>> >>>
>> >>> RECIVE THE FOLLOWING ERROR in TOMCAT:
>> >>>
>> >>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator -
>> >>> failed to turn code into token
>> >>>
>> >>> org.apache.http.conn.HttpHostConnectException: Connection to
>> >>> https://sso2.domain.com refused
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
>> >>> ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297)
>> >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243)
>> >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)
>> >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189)
>> >>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28)
>> >>> [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
>> >>> [lib/:na]
>> >>>
>> >>> at
>> >>>
>> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170)
>> >>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
>> >>>
>> >>> at
>> >>>
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>> >>> [lib/:na]
>> >>>
>> >>> at
>> >>>
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>> >>> [lib/:na]
>> >>>
>> >>> at
>> >>>
>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>> >>> [lib/:na]
>> >>>
>> >>> at
>> >>>
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>> >>> [lib/:na]
>> >>>
>> >>> at
>> >>>
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>> >>> [lib/:na]
>> >>>
>> >>> at
>> >>>
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>> >>> [tomcat-coyote.jar:8.0.18]
>> >>>
>> >>> at
>> >>>
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>> >>> [tomcat-coyote.jar:8.0.18]
>> >>>
>> >>> at
>> >>>
>> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>> >>> [tomcat-coyote.jar:8.0.18]
>> >>>
>> >>> at
>> >>> org.apache.tomcat.util.net
>> .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>> >>> [tomcat-coyote.jar:8.0.18]
>> >>>
>> >>> at
>> >>> org.apache.tomcat.util.net
>> .NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>> >>> [tomcat-coyote.jar:8.0.18]
>> >>>
>> >>> at
>> >>>
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> >>> [na:1.8.0_25]
>> >>>
>> >>> at
>> >>>
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> >>> [na:1.8.0_25]
>> >>>
>> >>> at
>> >>>
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> >>> [tomcat-util.jar:8.0.18]
>> >>>
>> >>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
>> >>>
>> >>> Caused by: java.net.ConnectException: Connection timed out
>> >>>
>> >>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>> ~[na:1.8.0_25]
>> >>>
>> >>> at
>> >>> java.net
>> .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
>> >>> ~[na:1.8.0_25]
>> >>>
>> >>> at
>> >>> java.net
>> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>> >>> ~[na:1.8.0_25]
>> >>>
>> >>> at
>> >>> java.net
>> .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>> >>> ~[na:1.8.0_25]
>> >>>
>> >>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> >>> ~[na:1.8.0_25]
>> >>>
>> >>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
>> >>>
>> >>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649)
>> >>> ~[na:1.8.0_25]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> at
>> >>>
>> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
>> >>> ~[httpclient-4.2.1.jar:4.2.1]
>> >>>
>> >>> ... 29 common frames omitted
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-user mailing list
>> >>> keycloak-user at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >>
>> >
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/26dbc417/attachment-0001.html 


More information about the keycloak-user mailing list