[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue

Doug Szeto DSzeto at investlab.com
Fri Jan 29 03:07:50 EST 2016


Ran into your issue, found that securing the channel between nginx and keycloak did the trick.
—Doug

From: keycloak-user-bounces at lists.jboss.org on behalf of Adrian Matei <adrianmatei at gmail.com>
Date: Friday, January 29, 2016 at 4:12 AM
To: Marek Posolda <mposolda at redhat.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue

Hi Marek,

everything works fine with both fb and google logins via nginx as reverse proxy, as long as I do everything over HTTP. Once I switch to HTTPS I get either "Invalid parameter:redirect_uri" (the redirect_uri query parameter is generated with http, not https, in the navigation bar) before reaching the login form dialog, or the redirect loops (fb login), or Error: redirect_uri_mismatch with google login if I manage to get past that... In the realm client configuration I've added both https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect URIs.

Note: the builtin account application can be accessed correctly both with fb and google via https too...

I guess the next step would be to try to secure also the channel between nginx and keycloak, but that shouldn't be mandatory right?...

Thanks,
Adrian

On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda <mposolda at redhat.com> wrote:
Does login through Google work if you don't use the nginx proxy? Is there anything in the log?

Marek


On 28/01/16 13:23, Adrian Matei wrote:
Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same "This webpage has a redirect loop" message when trying to sign in with Google also...

On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda at redhat.com> wrote:
I suppose you're using Keycloak 1.7? There is a known issue related to this NoClassDefFoundError. You can work around it by editing the file $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml and adding the line:

<module name="org.keycloak.keycloak-broker-core"/>

into the dependencies section. Same for the module $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml

Marek



On 28/01/16 06:47, Adrian Matei wrote:
Hi everyone,

I am experiencing "too many redirects"/infinite loop issues in the browser when I try to connect with social providers. I am also getting an internal server error on Chrome via google account (Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext). It might be my configuration, but I did everything "by the book":

# realm Require SSL:none

#nginx
http {
        gzip on;
        gzip_proxied any;
        #gzip_proxied no-cache no-store private expired auth;
        gzip_types text/plain text/html text/css application/json application/x-javascript  application/xml application/xml+rss text/javascript application/javascript text/x-js;
        #gzip_min_length 1000;


        server_tokens off; #hides nginx version and OS running on
        include /etc/nginx/mime.types;


        upstream tomcat_server {
                server localhost:8080;
        }
        upstream keycloak_server {
                server localhost:8180;
        }

        server {
                listen 80;
                server_name podcastmania.ro;
                return 301 https://$host$request_uri;
        }

        server {
                listen 443 ssl;
                server_name podcastmania.ro www.podcastmania.ro;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                        root /opt/tomcat/webapps/ROOT;
                        try_files $uri /maintenance.html @tomcat;
                }

                location @tomcat {
                        proxy_pass http://tomcat_server;

                        proxy_set_header Host               $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request
                        proxy_set_header X-Real-IP          $remote_addr;
                        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto  $scheme;
                }

                location /auth/ {
                        root   /opt/keycloak/standalone/configuration/themes/keycloak/;
                        try_files $uri @keycloak;
                }

                location @keycloak {
                        proxy_pass http://keycloak_server;

                        proxy_set_header Host               $host;
                        proxy_set_header X-Real-IP          $remote_addr;
                        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto  $scheme;
                        proxy_set_header X-Forwarded-Port   443;
                }
        }
}


# standalone.xml
        <subsystem xmlns="urn:jboss:domain:undertow:2.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="proxy-https"  proxy-address-forwarding="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                </host>
            </server>

    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <socket-binding name="proxy-https" port="443"/>
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>

# app:spring security configuration

<context:component-scan base-package="org.keycloak.adapters.springsecurity" />

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="keycloakAuthenticationProvider" />
</security:authentication-manager>

<bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
  <constructor-arg value="classpath:keycloak.json" />
</bean>

<bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" />
<bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />
<bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" />

<bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
  <constructor-arg name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
  <constructor-arg ref="adapterDeploymentContext" />
</bean>

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <constructor-arg name="logoutSuccessUrl" value="/" />
  <constructor-arg name="handlers">
    <list>
      <ref bean="keycloakLogoutHandler" />
      <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </list>
  </constructor-arg>
  <property name="logoutRequestMatcher">
    <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
      <constructor-arg name="pattern" value="/sso/logout**" />
      <constructor-arg name="httpMethod" value="GET" />
    </bean>
  </property>
</bean>

<security:http auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint">
  <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
  <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
  <security:intercept-url pattern="/users/registration" access="permitAll"/>
  <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
  <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
  <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
  <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
  <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>
  <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
  <security:intercept-url pattern="/**" access="permitAll"/>
  <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>

Has anyone faced similar issues?

Thanks,
Adrian
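An added example, not from this thread and not Keycloak's or Undertow's code: a simplified model of how a backend behind a reverse proxy derives its external base URL from the forwarded headers the @keycloak location above sets, and how the resulting redirect_uri fares against the realm's Valid Redirect URIs. The hostname and the https://podcastmania.ro/* pattern are the thread's; the /sso/login path and the client IP are constructed.

```python
# Added example, not Keycloak's code: simplified model of forwarded-header handling.

def external_base_url(headers, proxy_address_forwarding):
    """Base URL the backend believes it is serving on.

    With proxy_address_forwarding=True the scheme and port come from
    X-Forwarded-Proto / X-Forwarded-Port; otherwise the backend only knows
    it received plain HTTP, so every URL it builds starts with http://.
    """
    host, _, host_port = headers.get("Host", "localhost").partition(":")
    if proxy_address_forwarding and "X-Forwarded-Proto" in headers:
        scheme = headers["X-Forwarded-Proto"]
        port = int(headers.get("X-Forwarded-Port", 443 if scheme == "https" else 80))
    else:
        scheme = "http"
        port = int(host_port or 80)
    default_port = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"


def redirect_uri_allowed(redirect_uri, valid_patterns):
    """Trailing-wildcard match in the style of a realm's Valid Redirect URIs."""
    for pattern in valid_patterns:
        if pattern.endswith("*") and redirect_uri.startswith(pattern[:-1]):
            return True
        if redirect_uri == pattern:
            return True
    return False


def diagnose(headers, proxy_address_forwarding, path, valid_patterns):
    """Return (redirect_uri the backend would generate, whether the realm accepts it)."""
    redirect_uri = external_base_url(headers, proxy_address_forwarding) + path
    return redirect_uri, redirect_uri_allowed(redirect_uri, valid_patterns)


# Constructed request headers, as the @keycloak location in the thread sets them.
PROXIED_HEADERS = {
    "Host": "podcastmania.ro",
    "X-Forwarded-For": "203.0.113.7",   # constructed client IP
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}
REALM_VALID_REDIRECTS = ["https://podcastmania.ro/*"]

if __name__ == "__main__":
    for forwarding in (True, False):
        # /sso/login is an assumed adapter path, not taken from the thread
        print(forwarding, diagnose(PROXIED_HEADERS, forwarding, "/sso/login", REALM_VALID_REDIRECTS))
```

Running it with forwarding on yields an https redirect_uri the realm accepts; with forwarding off (or with X-Forwarded-Proto absent) the backend falls back to http, which is the scheme mismatch Adrian reports in the browser bar.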


