[keycloak-user] Redirection issue with proxy behind keycloak
Niels Bertram
nielsbne at gmail.com
Mon May 23 20:08:57 EDT 2016
Hi Aritz,
a great way to figure out what is sent from the reverse proxy to your
keycloak server is to use the undertow request dumper.
From the jboss-cli just add the request dumper filter to your undertow
configuration like this:
$KC_HOME/bin/jboss-cli.sh -c
/subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)
/subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
/:reload
given your apache config looks something like this:
ProxyRequests Off
ProxyPreserveHost On
ProxyVia On
ProxyPass /auth ajp://127.0.0.1:8009/auth
ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
you should see something like that (forwarded info is somewhat rubbish in
this example as I am running the hosts on Virtualbox - but you can see this
request was put through 2 proxies from local pc 192.168.33.1 to haproxy on
192.168.33.80 and then apache reverse proxy on 192.168.33.81 ):
==============================================================
23:47:20,563 INFO [io.undertow.request.dump] (default task-14)
----------------------------REQUEST---------------------------
URI=/auth/welcome-content/favicon.ico
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=*/*
header=Accept-Language=en-US,en;q=0.8,de;q=0.6
header=Cache-Control=no-cache
header=Accept-Encoding=gzip, deflate, sdch
header=DNT=1
header=Pragma=no-cache
header=X-Original-To=192.168.33.80
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
header=Authorization=Basic bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=192.168.33.1
header=Referer=https://login.vagrant.dev/auth/
header=Host=login.vagrant.dev
locale=[en_US, en, de]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=192.168.33.1:0
remoteHost=192.168.33.1
scheme=https
host=login.vagrant.dev
serverPort=443
--------------------------RESPONSE--------------------------
contentLength=627
contentType=application/octet-stream
header=Cache-Control=max-age=2592000
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
Hope this helps diagnosing your issue. Niels
On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
> I'm using keycloak to secure some Spring based services (with the
> keycloak spring security adapter). The adapter creates a `/login` endpoint
> in each of the services which redirects to the keycloak login page and then
> redirects back to the service when authentication is done. I also have a
> proxy service which I want to publish on port 80 and which will take care of
> routing all the requests to each service. The proxy performs a plain
> FORWARD to the service, but the problem comes when I secure the service
> with the keycloak adapter.
>
> When I make a request, the adapter redirects to its login endpoint and
> then to the keycloak auth url. When keycloak sends the redirection, the url
> shown in the browser is the one from the service and not the one from the
> proxy. Do I have some choice to tell the adapter I want to redirect back to
> the first requested url?
>
> --
> Aritz Maeztu Otaño
> Departamento Desarrollo de Software
> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
> <http://www.tesicnor.com>
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf.: 948 21 40 40
> Fax.: 948 21 40 41
> Before printing this e-mail, think carefully about whether it is necessary:
> the environment is everyone's concern.
>
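An added example, not part of the original message or of Keycloak/Undertow: a small Python parser for the request-dump format shown in the reply above. It reports where the scheme, host and port Undertow resolved differ from what the proxy sent, and masks credential headers (the dumper logs Authorization and Cookie values in clear) before a dump is shared. The sample dump is constructed and the function names are hypothetical.

```python
import re

SENSITIVE = {"authorization", "cookie", "proxy-authorization"}

# Constructed sample in the RequestDumpingHandler layout shown above.
SAMPLE = """\
----------------------------REQUEST---------------------------
URI=/auth/realms/demo/account
header=Authorization=Basic Y29uc3RydWN0ZWQ6c2FtcGxl
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=Host=login.example.test
scheme=http
host=10.0.0.5
serverPort=8080
--------------------------RESPONSE--------------------------
header=Server=WildFly/10
"""

def parse_request(dump):
    """Return (fields, headers) for the REQUEST part of one dump block."""
    fields, headers = {}, {}
    in_request = False
    for line in dump.splitlines():
        line = line.strip()
        if re.fullmatch(r"-+REQUEST-+", line):
            in_request = True
        elif re.fullmatch(r"-+RESPONSE-+", line):
            break  # response headers are not part of the request view
        elif in_request and "=" in line:
            key, value = line.split("=", 1)
            if key == "header" and "=" in value:
                name, value = value.split("=", 1)
                headers[name.lower()] = value
            else:
                fields[key] = value
    return fields, headers

def forwarding_mismatches(fields, headers):
    """List places where Undertow's view differs from what the proxy sent."""
    pairs = [("scheme", "x-forwarded-proto"), ("serverPort", "x-forwarded-port"), ("host", "host")]
    return [f"{f}={fields.get(f)!r} but {h}={headers[h]!r}"
            for f, h in pairs if h in headers and fields.get(f) != headers[h]]

def redact(dump):
    """Mask credential-bearing header values before sharing a dump."""
    def mask(m):
        return m.group(1) + "<redacted>" if m.group(2).lower() in SENSITIVE else m.group(0)
    return re.sub(r"(?m)^([ \t]*header=([^=\n]+)=).*$", mask, dump)
```

Once diagnosis is finished, the request-dumper filter reference should be removed again so that credentials stop being written to the server log.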