[keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Adrian Matei
adrianmatei at gmail.com
Sat Jan 30 01:13:23 EST 2016
Hey Doug,
Thanks for the info. Did that too, but I am still getting that infamous
invalid *redirect_uri* which contains *http* instead of *https*, though I
set up https everywhere - need to look at it with a fresh mind I guess...
Adrian
On Fri, Jan 29, 2016 at 9:07 AM, Doug Szeto <DSzeto at investlab.com> wrote:
> Ran into your issue, found that securing the channel between nginx and
> keycloak did the trick.
> —Doug
>
> From: <keycloak-user-bounces at lists.jboss.org> on behalf of Adrian Matei <
> adrianmatei at gmail.com>
> Date: Friday, January 29, 2016 at 4:12 AM
> To: Marek Posolda <mposolda at redhat.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many
> redirects issue
>
> Hi Marek,
>
> everything works fine with both fb and google logins via nginx as reverse
> proxy, as long as I do everything over HTTP. Once I switch to HTTPS now I
> get either "Invalid parameter:redirect_uri" (the redirect_uri query
> parameter is generated with *http, not https* in the navigation bar)
> before reaching the login form dialog or the redirect loops (fb login) or Error:
> redirect_uri_mismatch with google login if I manage to get passed that...
> In the realm client configuration I've added both
> https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect
> URIs.
>
> Note: the builtin account application can be accessed correctly both with
> fb and google via https too...
>
> I guess the next step would be to try to secure also the channel between
> nginx and keycloak, but that shouldn't be mandatory right?...
>
> Thanks,
> Adrian
>
> On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> Does login through Google works if you don't use nginx proxy? Is there
>> anything in the log?
>>
>> Marek
>>
>>
>> On 28/01/16 13:23, Adrian Matei wrote:
>>
>> Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting
>> the same "This webpage has a redirect loop" message when trying to sign in
>> with Google also...
>>
>> On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> I suppose you're using Keycloak 1.7? There is known issue related to
>>> this NoClassDefFoundError . You can workaround it by edit file
>>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
>>> and add the line:
>>>
>>> <module name="org.keycloak.keycloak-broker-core"/>
>>>
>>> into dependencies section. Same for module
>>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>>>
>>> Marek
>>>
>>>
>>>
>>> On 28/01/16 06:47, Adrian Matei wrote:
>>>
>>> Hi everyone,
>>>
>>> I am experimenting "too many redirects"/infinite loops issues in the
>>> browser when I try to connect with social providers. I am also getting
>>> internal server error on Chrome via google account (Caused by:
>>> java.lang.NoClassDefFoundError:
>>> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
>>> configuration, but I did everything "by the book":
>>>
>>> # realm Require SSL:none
>>>
>>> #nginx
>>> http {
>>> gzip on;
>>> gzip_proxied any;
>>> #gzip_proxied no-cache no-store private expired auth;
>>> gzip_types text/plain text/html text/css application/json
>>> application/x-javascript application/xml application/xml+rss
>>> text/javascript application/javascript text/x-js;
>>> #gzip_min_length 1000;
>>>
>>>
>>> server_tokens off; #hides nginx version and OS running on
>>> include /etc/nginx/mime.types;
>>>
>>>
>>> upstream tomcat_server {
>>> server localhost:8080;
>>> }
>>> upstream keycloak_server {
>>> server localhost:8180;
>>> }
>>>
>>> server {
>>> listen 80;
>>> server_name podcastmania.ro;
>>> return 301 <https://$host$request_uri>
>>> https://$host$request_uri;
>>> }
>>>
>>> server {
>>>
>>> listen 443 ssl;
>>>
>>> server_name podcastmania.ro
>>> <http://www.podcastmania.ro>www.podcastmania.ro;
>>>
>>> ssl_certificate /etc/nginx/ssl/nginx.crt;
>>> ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>> location / {
>>> root /opt/tomcat/webapps/ROOT;
>>> try_files $uri /maintenance.html @tomcat;
>>> }
>>>
>>> location @tomcat {
>>> proxy_pass <http://tomcat_server/>http://tomcat_server;
>>>
>>> proxy_set_header Host $host; #to change the "Host"
>>> header set by default to $proxy_host to $host - the originating host request
>>> proxy_set_header X-Real-IP $remote_addr;
>>> proxy_set_header X-Forwarded-For
>>> $proxy_add_x_forwarded_for;
>>> proxy_set_header X-Forwarded-Proto $scheme;
>>> }
>>>
>>>
>>> location /auth/ {
>>> root
>>> /opt/keycloak/standalone/configuration/themes/keycloak/;
>>> try_files $uri @keycloak;
>>> }
>>>
>>> location @keycloak {
>>> proxy_pass <http://keycloak_server/>
>>> http://keycloak_server;
>>>
>>> proxy_set_header Host $host;
>>> proxy_set_header X-Real-IP $remote_addr;
>>> proxy_set_header X-Forwarded-For
>>> $proxy_add_x_forwarded_for;
>>> proxy_set_header X-Forwarded-Proto $scheme;
>>> proxy_set_header X-Forwarded-Port 443;
>>> }
>>>
>>>
>>> }
>>>
>>>
>>> # standalone.xml
>>> <subsystem xmlns="urn:jboss:domain:undertow:2.0">
>>> <buffer-cache name="default"/>
>>> <server name="default-server">
>>> <http-listener name="default" socket-binding="http" *redirect-socket="proxy-https"
>>> proxy-address-forwarding="true"*/>
>>> <host name="default-host" alias="localhost">
>>> <location name="/" handler="welcome-content"/>
>>> <filter-ref name="server-header"/>
>>> <filter-ref name="x-powered-by-header"/>
>>> </host>
>>> </server>
>>>
>>> <socket-binding-group name="standard-sockets"
>>> default-interface="public"
>>> port-offset="${jboss.socket.binding.port-offset:100}">
>>> <socket-binding name="management-http" interface="management"
>>> port="${jboss.management.http.port:9990}"/>
>>> <socket-binding name="management-https" interface="management"
>>> port="${jboss.management.https.port:9993}"/>
>>> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>> <socket-binding name="http" port="${jboss.http.port:8080}"/>
>>> <socket-binding name="https" port="${jboss.https.port:8443}"/>
>>> <socket-binding name="txn-recovery-environment" port="4712"/>
>>> <socket-binding name="txn-status-manager" port="4713"/>
>>> * <socket-binding name="proxy-https" port="443"/>*
>>> <outbound-socket-binding name="mail-smtp">
>>> <remote-destination host="localhost" port="25"/>
>>> </outbound-socket-binding>
>>> </socket-binding-group>
>>>
>>> # app:spring security configuration
>>>
>>> <context:component-scan base-package="org.keycloak.adapters.springsecurity" /><security:authentication-manager alias="authenticationManager">
>>> <security:authentication-provider ref="keycloakAuthenticationProvider" /></security:authentication-manager><bean id="adapterDeploymentContext" class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
>>> <constructor-arg value="classpath:keycloak.json" /></bean><bean id="keycloakAuthenticationEntryPoint" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" /><bean id="keycloakAuthenticationProvider" class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" /><bean id="keycloakPreAuthActionsFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" /><bean id="keycloakAuthenticationProcessingFilter" class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
>>> <constructor-arg name="authenticationManager" ref="authenticationManager" /></bean><bean id="keycloakLogoutHandler" class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
>>> <constructor-arg ref="adapterDeploymentContext" /></bean><bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
>>> <constructor-arg name="logoutSuccessUrl" value="/" />
>>> <constructor-arg name="handlers">
>>> <list>
>>> <ref bean="keycloakLogoutHandler" />
>>> <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
>>> </list>
>>> </constructor-arg>
>>> <property name="logoutRequestMatcher">
>>> <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>>> <constructor-arg name="pattern" value="/sso/logout**" />
>>> <constructor-arg name="httpMethod" value="GET" />
>>> </bean>
>>> </property></bean><security:http auto-config="false" use-expressions="true" entry-point-ref="keycloakAuthenticationEntryPoint">
>>> <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
>>> <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
>>> <security:intercept-url pattern="/users/registration" access="permitAll"/>
>>> <security:intercept-url pattern="/users/registration/confirm-email" access="permitAll"/>
>>> <security:intercept-url pattern="/users/registration/confirmed" access="permitAll"/>
>>> <security:intercept-url pattern="/users/password-forgotten" access="permitAll"/>
>>> <security:intercept-url pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
>>> <security:intercept-url pattern="/users/password-forgotten/confirmed" access="permitAll"/>
>>> <security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
>>> <security:intercept-url pattern="/**" access="permitAll"/>
>>> <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" /></security:http>
>>>
>>>
>>> Has anyone faced similar issues?
>>>
>>> Thanks,
>>> Adrian
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160130/285a3b7e/attachment-0001.html
More information about the keycloak-user
mailing list