[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue

Adrian Matei adrianmatei at gmail.com
Thu Jan 28 15:12:10 EST 2016


Hi Marek,

everything works fine with both fb and google logins via nginx as reverse
proxy, as long as I do everything over HTTP. Once I switch to HTTPS I now
get either "Invalid parameter: redirect_uri" (the redirect_uri query
parameter is generated with *http, not https* in the navigation bar) before
reaching the login form dialog, or the redirect loops (fb login), or Error:
redirect_uri_mismatch with google login if I manage to get past that...
In the realm client configuration I've added both https://podcastmania.ro/*
and http://podcastmania.ro/* as valid redirect URIs.

Note: the builtin account application can be accessed correctly both with
fb and google via https too...

I guess the next step would be to try to secure also the channel between
nginx and keycloak, but that shouldn't be mandatory right?...

Thanks,
Adrian

On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Does login through Google work if you don't use the nginx proxy? Is there
> anything in the log?
>
> Marek
>
>
> On 28/01/16 13:23, Adrian Matei wrote:
>
> Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting
> the same "This webpage has a redirect loop" message when trying to sign in
> with Google also...
>
> On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> I suppose you're using Keycloak 1.7? There is a known issue related to this
>> NoClassDefFoundError. You can work around it by editing the file
>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
>> and adding the line:
>>
>> <module name="org.keycloak.keycloak-broker-core"/>
>>
>> to the dependencies section. Same for the module
>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>>
>> Marek
>>
>>
>>
>> On 28/01/16 06:47, Adrian Matei wrote:
>>
>> Hi everyone,
>>
>> I am experiencing "too many redirects"/infinite loop issues in the
>> browser when I try to connect with social providers. I am also getting an
>> internal server error on Chrome via google account (Caused by:
>> java.lang.NoClassDefFoundError:
>> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
>> configuration, but I did everything "by the book":
>>
>> # realm Require SSL: none
>>
>> # nginx
>> http {
>>         gzip on;
>>         gzip_proxied any;
>>         #gzip_proxied no-cache no-store private expired auth;
>>         gzip_types text/plain text/html text/css application/json
>>                    application/x-javascript application/xml application/xml+rss
>>                    text/javascript application/javascript text/x-js;
>>         #gzip_min_length 1000;
>>
>>         server_tokens off; # hides the nginx version and the OS it runs on
>>         include /etc/nginx/mime.types;
>>
>>         upstream tomcat_server {
>>                 server localhost:8080;
>>         }
>>         upstream keycloak_server {
>>                 server localhost:8180;
>>         }
>>
>>         server {
>>                 listen 80;
>>                 server_name podcastmania.ro;
>>                 return 301 https://$host$request_uri;
>>         }
>>
>>         server {
>>                 listen 443 ssl;
>>                 server_name podcastmania.ro www.podcastmania.ro;
>>
>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>                 location / {
>>                         root /opt/tomcat/webapps/ROOT;
>>                         try_files $uri /maintenance.html @tomcat;
>>                 }
>>
>>                 location @tomcat {
>>                         proxy_pass http://tomcat_server;
>>
>>                         # change the "Host" header from its default $proxy_host to $host, the originating request host
>>                         proxy_set_header Host               $host;
>>                         proxy_set_header X-Real-IP          $remote_addr;
>>                         proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>>                         proxy_set_header X-Forwarded-Proto  $scheme;
>>                 }
>>
>>                 location /auth/ {
>>                         root /opt/keycloak/standalone/configuration/themes/keycloak/;
>>                         try_files $uri @keycloak;
>>                 }
>>
>>                 location @keycloak {
>>                         proxy_pass http://keycloak_server;
>>
>>                         proxy_set_header Host               $host;
>>                         proxy_set_header X-Real-IP          $remote_addr;
>>                         proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
>>                         proxy_set_header X-Forwarded-Proto  $scheme;
>>                         proxy_set_header X-Forwarded-Port   443;
>>                 }
>>         }
>> }
>>
>>
>> # standalone.xml
>>         <subsystem xmlns="urn:jboss:domain:undertow:2.0">
>>             <buffer-cache name="default"/>
>>             <server name="default-server">
>>                 <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true"/>
>>                 <host name="default-host" alias="localhost">
>>                     <location name="/" handler="welcome-content"/>
>>                     <filter-ref name="server-header"/>
>>                     <filter-ref name="x-powered-by-header"/>
>>                 </host>
>>             </server>
>>         </subsystem>
>>
>>     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
>>         <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
>>         <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
>>         <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>         <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>         <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>         <socket-binding name="txn-recovery-environment" port="4712"/>
>>         <socket-binding name="txn-status-manager" port="4713"/>
>>         <socket-binding name="proxy-https" port="443"/>
>>         <outbound-socket-binding name="mail-smtp">
>>             <remote-destination host="localhost" port="25"/>
>>         </outbound-socket-binding>
>>     </socket-binding-group>
>>
>> # app: spring security configuration
>>
>> <context:component-scan base-package="org.keycloak.adapters.springsecurity" />
>> <security:authentication-manager alias="authenticationManager">
>>   <security:authentication-provider ref="keycloakAuthenticationProvider" />
>> </security:authentication-manager>
>> <bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
>>   <constructor-arg value="classpath:keycloak.json" />
>> </bean>
>> <bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
>> <bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
>> <bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />
>> <bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
>>   <constructor-arg name="authenticationManager" ref="authenticationManager" />
>> </bean>
>> <bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
>>   <constructor-arg ref="adapterDeploymentContext" />
>> </bean>
>> <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
>>   <constructor-arg name="logoutSuccessUrl" value="/" />
>>   <constructor-arg name="handlers">
>>     <list>
>>       <ref bean="keycloakLogoutHandler" />
>>       <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
>>     </list>
>>   </constructor-arg>
>>   <property name="logoutRequestMatcher">
>>     <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>>       <constructor-arg name="pattern" value="/sso/logout**" />
>>       <constructor-arg name="httpMethod" value="GET" />
>>     </bean>
>>   </property>
>> </bean>
>> <security:http auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint">
>>   <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
>>   <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
>>   <security:intercept-url pattern="/users/registration" access="permitAll"/>
>>   <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
>>   <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
>>   <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
>>   <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
>>   <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>
>>   <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
>>   <security:intercept-url pattern="/**" access="permitAll"/>
>>   <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
>> </security:http>
>>
>>
>> Has anyone faced similar issues?
>>
>> Thanks,
>> Adrian
>>
>>
>
>
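The thread's symptom (a redirect_uri built with http while the browser spoke https, then rejected against an https-only "Valid Redirect URIs" entry) comes down to how a proxied application reconstructs its externally visible URL from the X-Forwarded-* headers nginx sends. The example below is added here to illustrate that mechanism; it is not nginx, Keycloak, Undertow or Spring Security code, and it does not claim to be the thread's resolution. The hostnames, addresses, callback path and the two nginx location blocks are constructed sample values, and `allowed_redirect()` is a simplified stand-in for Keycloak's wildcard redirect check, not its real implementation.

```python
"""Added illustration for the nginx + Keycloak thread above (not nginx,
Keycloak, Undertow or Spring Security code): how a reverse-proxied app
rebuilds the URL the browser used, which is where redirect_uri comes from.

Assumptions: sample hostnames/addresses are constructed; allowed_redirect()
is a simplified model of a "Valid Redirect URIs" wildcard match.
"""
from ipaddress import ip_address, ip_network

DEFAULT_PORTS = {"http": 80, "https": 443}
REQUIRED_FORWARD_HEADERS = ("Host", "X-Forwarded-For", "X-Forwarded-Proto")


def external_base_url(headers, remote_addr, trusted_proxies,
                      local_scheme="http", local_host="localhost:8180"):
    """Return scheme://host[:port] as the browser saw it.

    X-Forwarded-* headers are honoured only when the TCP peer is a trusted
    proxy (the behaviour proxy-address-forwarding="true" switches on in
    Undertow); from any other peer they are ignored, so a direct client
    cannot rewrite the scheme or host that ends up in redirect_uri.
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ip_address(remote_addr)
    if not any(peer in ip_network(n) for n in trusted_proxies):
        return f"{local_scheme}://{local_host}"
    # Take the first value if a chain of proxies appended several.
    scheme = h.get("x-forwarded-proto", local_scheme).split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", h.get("host", local_host)).split(",")[0].strip()
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    port = int(h.get("x-forwarded-port", DEFAULT_PORTS.get(scheme, 80)))
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


def allowed_redirect(redirect_uri, valid_patterns):
    """Simplified "Valid Redirect URIs" match: exact, or prefix when the
    pattern ends with '*'. The scheme takes part in the comparison, which is
    why an http redirect_uri fails against an https-only pattern."""
    for pattern in valid_patterns:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def missing_forward_headers(location_block):
    """Names from REQUIRED_FORWARD_HEADERS that an nginx location block does
    not set via proxy_set_header (nginx '#' comments are ignored)."""
    present = set()
    for line in location_block.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("proxy_set_header"):
            parts = line.rstrip(";").split()
            if len(parts) >= 3:
                present.add(parts[1].lower())
    return [n for n in REQUIRED_FORWARD_HEADERS if n.lower() not in present]


# Constructed sample: what the @keycloak block in the thread forwards.
PROXIED_HEADERS = {
    "Host": "podcastmania.ro",
    "X-Real-IP": "203.0.113.7",
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}
CALLBACK_PATH = "/sso/login"                     # constructed callback path
VALID_REDIRECTS = ["https://podcastmania.ro/*"]  # https-only entry
LOOPBACK = ["127.0.0.0/8"]                       # nginx runs on the same host

# Constructed nginx fragments for the header check.
KEYCLOAK_LOCATION = """
location @keycloak {
    proxy_pass http://keycloak_server;
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-Port   443;
}
"""
WEAK_LOCATION = """
location @keycloak {
    proxy_pass http://keycloak_server;
    proxy_set_header Host $host; # proxy_set_header X-Forwarded-Proto $scheme; was commented out
}
"""


def demo():
    """Four situations, returned as {name: (redirect_uri, accepted)}."""
    # 1. Proxy trusted, headers intact: https redirect_uri, accepted.
    ok = external_base_url(PROXIED_HEADERS, "127.0.0.1", LOOPBACK) + CALLBACK_PATH
    # 2. Forwarded headers not honoured (no trusted proxy configured): the
    #    backend reports its own http://localhost:8180 address.
    not_honoured = external_base_url(PROXIED_HEADERS, "127.0.0.1", []) + CALLBACK_PATH
    # 3. X-Forwarded-Proto missing from the location block: the scheme
    #    falls back to http although the browser spoke https.
    no_proto = {k: v for k, v in PROXIED_HEADERS.items()
                if k not in ("X-Forwarded-Proto", "X-Forwarded-Port")}
    wrong_scheme = external_base_url(no_proto, "127.0.0.1", LOOPBACK) + CALLBACK_PATH
    # 4. Headers arriving from an untrusted peer are ignored entirely.
    forged = dict(PROXIED_HEADERS, Host="forged.example")
    spoofed = external_base_url(forged, "203.0.113.7", LOOPBACK) + CALLBACK_PATH
    return {name: (uri, allowed_redirect(uri, VALID_REDIRECTS)) for name, uri in
            [("ok", ok), ("not_honoured", not_honoured),
             ("wrong_scheme", wrong_scheme), ("spoofed", spoofed)]}


if __name__ == "__main__":
    for name, (uri, accepted) in demo().items():
        print(f"{name:13} {uri:40} accepted={accepted}")
    print("missing in weak block:", missing_forward_headers(WEAK_LOCATION))
```

Cases 2 and 3 both produce an http redirect_uri that the https-only pattern rejects, which is the shape of the "Invalid parameter: redirect_uri" error; case 4 is why the forwarded headers should be accepted only from the proxy's own address rather than from any client, since otherwise a request could steer the redirect to a host of its choosing.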