[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Adrian Matei
adrianmatei at gmail.com
Thu Jan 28 07:23:50 EST 2016
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the
same "This webpage has a redirect loop" message when trying to sign in with
Google as well...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda at redhat.com> wrote:
> I suppose you're using Keycloak 1.7? There is a known issue related to this
> NoClassDefFoundError. You can work around it by editing the file
> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
> and adding the line:
>
> <module name="org.keycloak.keycloak-broker-core"/>
>
> into the dependencies section. Do the same for the module
> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>
> Marek
>
>
>
> On 28/01/16 06:47, Adrian Matei wrote:
>
> Hi everyone,
>
> I am experiencing "too many redirects"/infinite redirect loop issues in the
> browser when I try to sign in with social providers. I am also getting an
> internal server error in Chrome when signing in via a Google account (Caused by:
> java.lang.NoClassDefFoundError:
> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
> configuration, but I did everything "by the book":
>
> # realm Require SSL:none
>
> #nginx
> http {
> gzip on;
> gzip_proxied any;
> #gzip_proxied no-cache no-store private expired auth;
> gzip_types text/plain text/html text/css application/json
> application/x-javascript application/xml application/xml+rss
> text/javascript application/javascript text/x-js;
> #gzip_min_length 1000;
>
>
> server_tokens off; #hides nginx version and OS running on
> include /etc/nginx/mime.types;
>
>
> upstream tomcat_server {
> server localhost:8080;
> }
> upstream keycloak_server {
> server localhost:8180;
> }
>
> server {
> listen 80;
> server_name podcastmania.ro;
> return 301 https://$host$request_uri;
> }
>
> server {
>
> listen 443 ssl;
>
> server_name podcastmania.ro www.podcastmania.ro;
>
> ssl_certificate /etc/nginx/ssl/nginx.crt;
> ssl_certificate_key /etc/nginx/ssl/nginx.key;
> location / {
> root /opt/tomcat/webapps/ROOT;
> try_files $uri /maintenance.html @tomcat;
> }
>
> location @tomcat {
> proxy_pass http://tomcat_server;
>
> proxy_set_header Host $host; # change the "Host" header, which
> # defaults to $proxy_host, to $host (the originating request's host)
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> }
>
>
> location /auth/ {
> root
> /opt/keycloak/standalone/configuration/themes/keycloak/;
> try_files $uri @keycloak;
> }
>
> location @keycloak {
> proxy_pass http://keycloak_server;
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-Port 443;
> }
>
>
> }
>
>
> # standalone.xml
> <subsystem xmlns="urn:jboss:domain:undertow:2.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default" socket-binding="http" *redirect-socket="proxy-https"
> proxy-address-forwarding="true"*/>
> <host name="default-host" alias="localhost">
> <location name="/" handler="welcome-content"/>
> <filter-ref name="server-header"/>
> <filter-ref name="x-powered-by-header"/>
> </host>
> </server>
>
> <socket-binding-group name="standard-sockets"
> default-interface="public"
> port-offset="${jboss.socket.binding.port-offset:100}">
> <socket-binding name="management-http" interface="management"
> port="${jboss.management.http.port:9990}"/>
> <socket-binding name="management-https" interface="management"
> port="${jboss.management.https.port:9993}"/>
> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
> <socket-binding name="http" port="${jboss.http.port:8080}"/>
> <socket-binding name="https" port="${jboss.https.port:8443}"/>
> <socket-binding name="txn-recovery-environment" port="4712"/>
> <socket-binding name="txn-status-manager" port="4713"/>
> * <socket-binding name="proxy-https" port="443"/>*
> <outbound-socket-binding name="mail-smtp">
> <remote-destination host="localhost" port="25"/>
> </outbound-socket-binding>
> </socket-binding-group>
>
> # app:spring security configuration
>
> <context:component-scan base-package="org.keycloak.adapters.springsecurity" />
> <security:authentication-manager alias="authenticationManager">
> <security:authentication-provider ref="keycloakAuthenticationProvider" /></security:authentication-manager>
> <bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
> <constructor-arg value="classpath:keycloak.json" /></bean><bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" /><bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" /><bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" /><bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
> <constructor-arg name="authenticationManager" ref="authenticationManager" /></bean>
> <bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
> <constructor-arg ref="adapterDeploymentContext" /></bean>
> <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
> <constructor-arg name="logoutSuccessUrl" value="/" />
> <constructor-arg name="handlers">
> <list>
> <ref bean="keycloakLogoutHandler" />
> <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
> </list>
> </constructor-arg>
> <property name="logoutRequestMatcher">
> <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
> <constructor-arg name="pattern" value="/sso/logout**" />
> <constructor-arg name="httpMethod" value="GET" />
> </bean>
> </property></bean>
> <security:http auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint">
> <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
> <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
> <security:intercept-url pattern="/users/registration" access="permitAll"/>
> <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
> <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
> <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
> <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
> <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>
> <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
> <security:intercept-url pattern="/**" access="permitAll"/>
> <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" /></security:http>
>
>
> Has anyone faced similar issues?
>
> Thanks,
> Adrian
>
>
>
>
>