[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue

Marek Posolda mposolda at redhat.com
Thu Jan 28 06:28:21 EST 2016


I suppose you're using Keycloak 1.7? There is a known issue related to 
this NoClassDefFoundError. You can work around it by editing the file 
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml 
and adding the line:

<module name="org.keycloak.keycloak-broker-core"/>

to the <dependencies> section. Do the same in the module file 
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml

Marek


On 28/01/16 06:47, Adrian Matei wrote:
> Hi everyone,
>
> I am experiencing "too many redirects"/infinite loop issues in the 
> browser when I try to connect with social providers. I am also getting 
> an internal server error in Chrome via a Google account (Caused by: 
> java.lang.NoClassDefFoundError: 
> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my 
> configuration, but I did everything "by the book":
>
> # realm Require SSL:none
>
> #nginx
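> http {
>         # Front-end proxy: redirects HTTP to HTTPS, terminates TLS on 443, serves
>         # static files and forwards everything else to Tomcat (localhost:8080) or
>         # Keycloak (localhost:8180).
>
>         # gzip is enabled for every response served below, including the TLS server.
>         # NOTE(review): compressing HTTPS pages that carry secrets (session or CSRF
>         # tokens) next to reflected request data is the BREACH precondition; consider
>         # turning gzip off for the login and application responses.
>         gzip on;
>         gzip_proxied any;
>         #gzip_proxied no-cache no-store private expired auth;
>         gzip_types text/plain text/html text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
>         #gzip_min_length 1000;
>
>
>         server_tokens off; #hides nginx version and OS running on
>         include /etc/nginx/mime.types;
>
>
>         upstream tomcat_server {
>                 server localhost:8080;
>         }
>         upstream keycloak_server {
>                 server localhost:8180;
>         }
>
>         # Plain HTTP: permanent redirect to the HTTPS site.
>         server {
>                 listen 80;
>                 server_name podcastmania.ro;
>                 return 301 https://$host$request_uri;
>         }
>
>         server {
>
>                 listen 443 ssl;
>
>                 server_name podcastmania.ro www.podcastmania.ro;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 # NOTE(review): root is the Tomcat webapp directory, so any file under
>                 # it that matches $uri is served by nginx directly, without Tomcat's
>                 # handling. If ROOT is an exploded webapp this includes WEB-INF/ and
>                 # META-INF/ (for example WEB-INF/classes/keycloak.json); confirm, and
>                 # deny those paths or point root at a static-only directory.
>                 location / {
>                         root /opt/tomcat/webapps/ROOT;
>                         try_files $uri /maintenance.html @tomcat;
>                 }
>
>                 location @tomcat {
>                         proxy_pass http://tomcat_server;
>
>                         # to change the "Host" header set by default to $proxy_host
>                         # to $host - the originating host request
>                         proxy_set_header Host $host;
>                         proxy_set_header X-Real-IP  $remote_addr;
>                         # $proxy_add_x_forwarded_for appends $remote_addr to any
>                         # X-Forwarded-For the client sent, so earlier entries are
>                         # client-supplied.
>                         proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
>                         proxy_set_header X-Forwarded-Proto  $scheme;
>                 }
>
>
>                 # With "root", nginx looks for <root>/auth/<rest of URI>; requests
>                 # that do not match a file there are handed to @keycloak.
>                 location /auth/ {
>                         root /opt/keycloak/standalone/configuration/themes/keycloak/;
>                         try_files $uri @keycloak;
>                 }
>
>                 location @keycloak {
>                         proxy_pass http://keycloak_server;
>
>                         proxy_set_header Host $host;
>                         proxy_set_header X-Real-IP  $remote_addr;
>                         # NOTE(review): the backend listener is configured with
>                         # proxy-address-forwarding="true"; if it takes the client
>                         # address from the first X-Forwarded-For entry, send
>                         # $remote_addr alone here - confirm which entry it reads.
>                         proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
>                         proxy_set_header X-Forwarded-Proto  $scheme;
>                         proxy_set_header X-Forwarded-Port 443;
>                 }
>
>
>         }
>         # (excerpt ends here; the closing brace of the http block is not part of
>         # the quoted message)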
>
>
> # standalone.xml
>         <subsystem xmlns="urn:jboss:domain:undertow:2.0">
>             <!-- Undertow web subsystem excerpt; the closing </subsystem> tag is not part of the quoted message. -->
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <!-- The asterisks around the two attributes below appear to be e-mail emphasis marks for the poster's additions, not XML. -->
>                 <!-- NOTE(review): with proxy-address-forwarding="true" the listener presumably takes the client address and scheme from the X-Forwarded-* request headers, so this port should be reachable only from the nginx proxy; confirm the bind address and firewall. redirect-socket names the proxy-https socket binding. -->
>                 <http-listener name="default" socket-binding="http" 
> *redirect-socket="proxy-https"  proxy-address-forwarding="true"*/>
>                 <host name="default-host" alias="localhost">
>                     <location name="/" handler="welcome-content"/>
>                     <filter-ref name="server-header"/>
>                     <filter-ref name="x-powered-by-header"/>
>                 </host>
>             </server>
>
>     <socket-binding-group name="standard-sockets" 
> default-interface="public" 
> port-offset="${jboss.socket.binding.port-offset:100}">
>         <!-- Socket bindings for the server; port-offset defaults to 100 and the default interface is "public". -->
>         <!-- NOTE(review): the nginx upstream points at 8180, which matches the http binding plus the offset. Check whether the offset is also applied to proxy-https below; if so, redirects would target 543 rather than 443 unless that binding is marked fixed-port="true". -->
>         <socket-binding name="management-http" interface="management" 
> port="${jboss.management.http.port:9990}"/>
>         <socket-binding name="management-https" interface="management" 
> port="${jboss.management.https.port:9993}"/>
>         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>         <socket-binding name="http" port="${jboss.http.port:8080}"/>
>         <socket-binding name="https" port="${jboss.https.port:8443}"/>
>         <socket-binding name="txn-recovery-environment" port="4712"/>
>         <socket-binding name="txn-status-manager" port="4713"/>
>         <!-- Binding added by the poster as the redirect target for the proxied HTTPS port; the surrounding asterisks appear to be e-mail emphasis marks, not XML. -->
> *        <socket-binding name="proxy-https" port="443"/>*
>          <outbound-socket-binding name="mail-smtp">
>             <remote-destination host="localhost" port="25"/>
>         </outbound-socket-binding>
>     </socket-binding-group>
>
> # app:spring security configuration
> <!-- Keycloak Spring Security adapter wiring: scans the adapter package and registers keycloakAuthenticationProvider with the authentication manager. -->
> <context:component-scan 
> base-package="org.keycloak.adapters.springsecurity" />
>
> <security:authentication-manager alias="authenticationManager">
>    <security:authentication-provider ref="keycloakAuthenticationProvider" />
> </security:authentication-manager>
>
> <!-- Adapter settings are read from keycloak.json on the classpath. NOTE(review): if that file holds client credentials, make sure it cannot be fetched as a static file through the front-end web server. -->
> <bean id="adapterDeploymentContext" 
> class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
>    <constructor-arg value="classpath:keycloak.json" />
> </bean>
> <!-- Entry point, provider and filters supplied by the adapter; they are referenced by id from the security:http element and the authentication manager. -->
> <bean id="keycloakAuthenticationEntryPoint" 
> class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" 
> />
> <bean id="keycloakAuthenticationProvider" 
> class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" 
> />
> <bean id="keycloakPreAuthActionsFilter" 
> class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" 
> />
> <bean id="keycloakAuthenticationProcessingFilter" 
> class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
>    <constructor-arg name="authenticationManager" 
> ref="authenticationManager" />
> </bean>
>
> <!-- Logout handler built on the adapter deployment context; used by the logoutFilter bean. -->
> <bean id="keycloakLogoutHandler" 
> class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
>    <constructor-arg ref="adapterDeploymentContext" />
> </bean>
>
> <!-- Logout filter: runs keycloakLogoutHandler and SecurityContextLogoutHandler, with "/" as the logout success URL. -->
> <bean id="logoutFilter" 
> class="org.springframework.security.web.authentication.logout.LogoutFilter">
>    <constructor-arg name="logoutSuccessUrl" value="/" />
>    <constructor-arg name="handlers">
>      <list>
>        <ref bean="keycloakLogoutHandler" />
>        <bean 
> class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" 
> />
>      </list>
>    </constructor-arg>
>    <!-- NOTE(review): logout is matched on GET /sso/logout**, so a plain link or embedded request from another site can end a user's session; consider requiring POST if that matters for the application. -->
>    <property name="logoutRequestMatcher">
>      <bean 
> class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>        <constructor-arg name="pattern" value="/sso/logout**" />
>        <constructor-arg name="httpMethod" value="GET" />
>      </bean>
>    </property>
> </bean>
>
> <!-- HTTP security rules. intercept-url entries are evaluated in order and the first match applies: the registration and password-reset pages are public, /users/**/* needs ROLE_USER, and everything else is public. -->
> <!-- NOTE(review): confirm that /users/**/* covers every path that must be protected (for example the bare /users path), because anything it misses falls through to the final permitAll rule. -->
> <security:http auto-config="false" use-expressions="true" 
> entry-point-ref="keycloakAuthenticationEntryPoint">
>    <security:custom-filter ref="keycloakPreAuthActionsFilter" 
> before="LOGOUT_FILTER" />
>    <security:custom-filter ref="keycloakAuthenticationProcessingFilter" 
> before="FORM_LOGIN_FILTER" />
>    <security:intercept-url pattern="/users/registration" access="permitAll"/>
>    <security:intercept-url pattern="/users/registration/confirm-email" 
> access="permitAll"/>
>    <security:intercept-url pattern="/users/registration/confirmed" 
> access="permitAll"/>
>    <security:intercept-url pattern="/users/password-forgotten" 
> access="permitAll"/>
>    <security:intercept-url 
> pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
>    <security:intercept-url pattern="/users/password-forgotten/confirmed" 
> access="permitAll"/>
>    <security:intercept-url pattern="/users/**/*" 
> access="hasRole('ROLE_USER')"/>
>    <security:intercept-url pattern="/**" access="permitAll"/>
>    <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
> </security:http>
>
> Has anyone faced similar issues?
>
> Thanks,
> Adrian
>
>
