[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Adrian Matei
adrianmatei at gmail.com
Thu Jan 28 00:47:44 EST 2016
Hi everyone,
I am experiencing "too many redirects"/infinite-loop issues in the
browser when I try to log in with social providers. I am also getting an
internal server error in Chrome when logging in via a Google account (Caused by:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
configuration, but I did everything "by the book":
# realm Require SSL:none
#nginx
http {
# NOTE(review): fragment as posted. This http{} block is never closed in the snippet.
gzip on;
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/html text/css application/json
application/x-javascript application/xml application/xml+rss
text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
include /etc/nginx/mime.types;
# Both backends are addressed on loopback. They are only shielded by this proxy
# if the backend listeners themselves bind to localhost (not shown here).
upstream tomcat_server {
server localhost:8080;
}
upstream keycloak_server {
server localhost:8180;
}
# Plain-HTTP vhost: permanent redirect of every request to https on the same host.
server {
listen 80;
server_name podcastmania.ro;
return 301 https://$host$request_uri;
}
# TLS terminates here; the backends are reached over plain http, so the original
# scheme and port have to be carried in the X-Forwarded-* headers set below.
server {
listen 443 ssl;
server_name podcastmania.ro www.podcastmania.ro;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
# NOTE(review): no ssl_protocols/ssl_ciphers are set, so the nginx build's defaults apply.
location / {
root /opt/tomcat/webapps/ROOT;
# Static file first, then the maintenance page, else proxy to tomcat. While
# /maintenance.html exists under root, no non-static request ever reaches @tomcat.
try_files $uri /maintenance.html @tomcat;
}
location @tomcat {
proxy_pass http://tomcat_server;
proxy_set_header Host $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request (comment re-joined: as a separate line in the mail it would not parse)
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# NOTE(review): with root (not alias), /auth/x is looked up as
# .../themes/keycloak/auth/x, so this try_files probably never finds a file and
# every request falls through to @keycloak. If the intent was to serve theme
# assets directly, the path mapping needs checking.
location /auth/ {
root
/opt/keycloak/standalone/configuration/themes/keycloak/;
try_files $uri @keycloak;
}
location @keycloak {
proxy_pass http://keycloak_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
# Keycloak builds its redirect URLs from these headers. They are only
# trustworthy if port 8180 is not reachable by clients except through this proxy;
# otherwise a client can supply its own X-Forwarded-* values.
proxy_set_header X-Forwarded-Proto $scheme;
# Hard-coded rather than $server_port; fine as long as this vhost only listens on 443.
proxy_set_header X-Forwarded-Port 443;
}
}
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<!-- NOTE(review): fragment as posted. The subsystem element is not closed here, and the
     asterisks around the http-listener attributes look like e-mail emphasis marking the
     edited lines, not part of the file. -->
<buffer-cache name="default"/>
<server name="default-server">
<!-- proxy-address-forwarding enables Undertow's handling of the X-Forwarded-* headers
     sent by the nginx @keycloak location; redirect-socket names the socket binding
     whose port is used when a request has to be redirected to https. Forwarded headers
     should only be honoured when the listener is reachable solely from the proxy;
     confirm the "public" interface is bound to loopback. -->
<http-listener name="default" socket-binding="http"
*redirect-socket="proxy-https"
proxy-address-forwarding="true"*/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<!-- The offset of 100 is what turns the http binding's 8080 into the 8180 that the
     nginx keycloak_server upstream points at. -->
<socket-binding name="management-http" interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<!-- Referenced by the http-listener's redirect-socket. The asterisks appear to be mail
     emphasis, not part of the file. NOTE(review): the group's port-offset applies to
     every binding that is not marked fixed-port="true"; confirm the effective redirect
     port is 443 and not 543. -->
* <socket-binding name="proxy-https" port="443"/>*
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<!-- Picks up the Keycloak Spring Security adapter's annotated beans. -->
<context:component-scan base-package="org.keycloak.adapters.springsecurity" />
<!-- The authentication manager delegates entirely to the Keycloak provider
     declared further down; no local user store is configured here. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="keycloakAuthenticationProvider" />
</security:authentication-manager>
<!-- Adapter configuration is read from keycloak.json on the classpath; realm,
     auth-server-url and client settings live there, not in this file. -->
<bean id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
<constructor-arg value="classpath:keycloak.json" />
</bean>
<!-- Used as entry-point-ref in the security:http element below. -->
<bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/>
<bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/>
<!-- Both filters are inserted into the chain via security:custom-filter below. -->
<bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/>
<bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
<constructor-arg name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
<constructor-arg ref="adapterDeploymentContext" />
</bean>
<!-- Logout runs the Keycloak handler first, then clears the local security
     context, and finally redirects to "/". -->
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg name="logoutSuccessUrl" value="/" />
<constructor-arg name="handlers">
<list>
<ref bean="keycloakLogoutHandler" />
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
</list>
</constructor-arg>
<!-- NOTE(review): logout is triggered by a plain GET on /sso/logout**. Any third-party
     page can embed such a link or image and log the user out (logout CSRF). If that is
     not acceptable, switch to POST with the CSRF token. -->
<property name="logoutRequestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/sso/logout**" />
<constructor-arg name="httpMethod" value="GET" />
</bean>
</property>
</bean>
<!-- Unauthenticated requests to protected URLs are handed to the Keycloak entry point. -->
<security:http auto-config="false" use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
<!-- First matching intercept-url wins: the public registration and password
     reset paths must stay above the /users/**/* rule. -->
<security:intercept-url pattern="/users/registration" access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirmed" access="permitAll"/>
<!-- NOTE(review): confirm whether /users itself (no trailing segment) is matched by
     this pattern; if not, it falls through to the permitAll catch-all below. -->
<security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
<!-- Everything not listed above is public. -->
<security:intercept-url pattern="/**" access="permitAll"/>
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>
Has anyone faced similar issues?
Thanks,
Adrian