[keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak

Stian Thorgersen sthorger at redhat.com
Tue May 31 01:15:08 EDT 2016


Where is your app deployed? If it's on WildFly you can follow the same
steps used to configure reverse proxy for Keycloak Server to configure
WildFly. Check if getRequestURL returns the correct URL in your app.

On 30 May 2016 at 15:08, Aritz Maeztu <amaeztu at tesicnor.com> wrote:

>
>
>
> -------- Birbidalitako mezua --------
> Gaia: Re: [keycloak-user] Redirection issue with proxy behind keycloak
> Data: Mon, 30 May 2016 13:28:21 +0200
> Nork: Aritz Maeztu <amaeztu at tesicnor.com> <amaeztu at tesicnor.com>
> Nori: stian at redhat.com
> CC: Niels Bertram <nielsbne at gmail.com> <nielsbne at gmail.com>,
> keycloak-user <keycloak-user at lists.jboss.org>
> <keycloak-user at lists.jboss.org>, Scott Rossillo <srossillo at smartling.com>
> <srossillo at smartling.com>
>
>
> I've done all the traceability from the proxy server till the login page
> is displayed:
>
> First step, /organization/organizations is requested, so the proxy server
> knows it has to be forwarded to the 8083 port (the one for the organization
> service). That's the first request received by my application's Tomcat:
>
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9 START
> TIME        =30-may-2016 13:01:18
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> requestURI=/organizations
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> authType=null
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> characterEncoding=UTF-8
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> contentLength=-1
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> contentType=null
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> contextPath=
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=accept-language=es-ES,es;q=0.8
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=x-forwarded-host=mies-057:8765
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=x-forwarded-prefix=/organization
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=upgrade-insecure-requests=1
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=accept-encoding=gzip
> 2016-05-30 13:01:18.888  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=netflix.nfhttpclient.version=1.0
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=x-netflix-httpclientname=organization
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=host=mies-057:8083
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=connection=Keep-Alive
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> locale=es_ES
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> method=GET
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> pathInfo=null
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> protocol=HTTP/1.1
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> queryString=null
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> remoteAddr=192.168.56.1
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> remoteHost=192.168.56.1
> 2016-05-30 13:01:18.889  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> remoteUser=null
> 2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> requestedSessionId=null
> 2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> scheme=http
> 2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> serverName=mies-057
> 2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> serverPort=8083
> 2016-05-30 13:01:18.890  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> servletPath=/organizations
> 2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> isSecure=false
> 2016-05-30 13:01:18.891  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> ------------------=--------------------------------------------
>
> Here x-forwarded-host is mies-057:8765 (the proxy server) and
> x-forwarded-prefix is /organization. So the original request is kept in the
> headers. Well, now my service (8083) tries to check for authorization via
> the /sso/login endpoint from the keycloak spring security adapter:
>
> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
> o.k.a.s.management.HttpSessionManager    : Session created:
> CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9]
> k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI
> /sso/login
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> ------------------=--------------------------------------------
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> authType=null
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> contentType=null
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=X-Content-Type-Options=nosniff
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=X-XSS-Protection=1; mode=block
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=Pragma=no-cache
> 2016-05-30 13:01:18.892  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=Expires=0
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=X-Frame-Options=DENY
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; Path=/;
> HttpOnly
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> header=Location= <http://mies-057:8083/sso/login>
> http://mies-057:8083/sso/login
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> remoteUser=null
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> status=302
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9 END
> TIME          =30-may-2016 13:01:18
> 2016-05-30 13:01:18.893  INFO 18096 --- [nio-8083-exec-9]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-9
> ===============================================================
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10 START
> TIME        =30-may-2016 13:01:18
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> requestURI=/sso/login
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> authType=null
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> characterEncoding=UTF-8
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> contentLength=-1
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> contentType=null
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> contextPath=
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10
> cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.902  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             header=host=mies-057:8083
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             header=connection=keep-alive
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10
> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             header=upgrade-insecure-requests=1
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             header=user-agent=Mozilla/5.0 (Windows NT
> 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102
> Safari/537.36
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             header=accept-encoding=gzip, deflate, sdch
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             header=accept-language=es-ES,es;q=0.8
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10
> header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             locale=es_ES
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             method=GET
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> pathInfo=null
> 2016-05-30 13:01:18.903  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> protocol=HTTP/1.1
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> queryString=null
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> remoteAddr=192.168.56.1
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> remoteHost=192.168.56.1
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> remoteUser=null
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        :
> http-nio-8083-exec-10             scheme=http
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> serverName=mies-057
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> serverPort=8083
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> servletPath=/sso/login
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> isSecure=false
> 2016-05-30 13:01:18.904  INFO 18096 --- [io-8083-exec-10]
> o.a.c.filters.RequestDumperFilter        : http-nio-8083-exec-10
> ------------------=--------------------------------------------
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
> o.k.adapters.PreAuthActionsHandler       : adminRequest
> <http://mies-057:8083/sso/login>http://mies-057:8083/sso/login
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
> f.KeycloakAuthenticationProcessingFilter : Request is to process
> authentication
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10]
> f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak
> authentication
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
> o.k.adapters.RequestAuthenticator        : --> authenticate()
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
> o.k.adapters.RequestAuthenticator        : try bearer
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10]
> o.k.adapters.RequestAuthenticator        : try oauth
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
> o.k.a.s.token.SpringSecurityTokenStore   : Checking if
> org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator at d328c2d
> is cached
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
> o.k.adapters.OAuthRequestAuthenticator   : there was no code
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
> o.k.adapters.OAuthRequestAuthenticator   : redirecting to auth server
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
> o.k.adapters.OAuthRequestAuthenticator   : callback uri:
> <http://mies-057:8083/sso/login>http://mies-057:8083/sso/login
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
> f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
> o.k.adapters.OAuthRequestAuthenticator   : Sending redirect to login page:
> http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true
>
> As it's shown in the logs, the X-forwarded logs are not kept by the
> keycloak adapter (look at the lines below k.a.s.a.KeycloakAuthenticationEntryPoint
> : Redirecting to login URI /sso/login). So could it be the proxy server
> itself being properly configured but the keycloak adapter losing the
> original headers while performing the redirection?
>
> I've also set up the request dumper in the undertow server as Niels
> suggested, but obviously, X-forwarded headers are not reaching the keycloak
> server..
>
> Thanks for your time, again ;-)
>
>
>
> 25/05/2016 7:22(e)an, Stian Thorgersen igorleak idatzi zuen:
>
> You need the Host and X-Forwarded-For headers to be included and there's
> also some config to be done on the Keycloak server (see
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding
> )
>
> On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>
>> Hi Niels and Scott. First of all, thank you very much for your help. I'm
>> currently using Zuul (Spring Cloud) as the reverse proxy. All the services
>> are registered in a discovery service called Eureka and then Zuul looks for
>> the service id there and performs de redirection. I read about X-Forwarded
>> headers, but I thought it might result in a security issue if not included,
>> not that it could affect the redirection process.
>>
>> As Scott says, I suppose the Host and the X-Real-Ip headers are the
>> relevant ones here, so I guess I should instruct Zuul to send them when the
>> service is addressed (however I wonder why they are not already being sent,
>> as Zuul is a proxy service, all in all).
>> Here I include a preview of the first redirection made to the keycloak
>> login page, which shows the request headers sent to the service /login
>> endpoint (at port 8081 in localhost):
>>
>> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>>
>> 24/05/2016 2:08(e)an, Niels Bertram igorleak idatzi zuen:
>>
>> Hi Artitz,
>>
>> a great way to figure out what is sent from the reverse proxy to your
>> keycloak server is to use the undertow request dumper.
>>
>> From the jboss-cli just add the request dumper filter to your undertow
>> configuration like this:
>>
>> $KC_HOME/bin/jbpss-cli.sh -c
>>
>> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
>> module=io.undertow.core)
>>
>>
>> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>
>> /:reload
>>
>> given your apache config looks something like this:
>>
>>   ProxyRequests Off
>>   ProxyPreserveHost On
>>   ProxyVia On
>>
>>   ProxyPass /auth ajp://127.0.0.1:8009/auth
>>   ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>>
>>
>> you should see something like that (forwared info is somewhat rubbish in
>> this example as I am running the hosts on Virtualbox - but you can see this
>> request was put through 2 proxies from local pc 192.168.33.1 to haproxy on
>> 192.168.33.80 and then apache reverse proxy on 192.168.33.81 ):
>>
>> ==============================================================
>> 23:47:20,563 INFO  [io.undertow.request.dump] (default task-14)
>> ----------------------------REQUEST---------------------------
>>                URI=/auth/welcome-content/favicon.ico
>>  characterEncoding=null
>>      contentLength=-1
>>        contentType=null
>>             header=Accept=*/*
>>             header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>>             header=Cache-Control=no-cache
>>             header=Accept-Encoding=gzip, deflate, sdch
>>             header=DNT=1
>>             header=Pragma=no-cache
>>             header=X-Original-To=192.168.33.80
>>             header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
>>             header=Authorization=Basic
>> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
>>             header=X-Forwarded-Proto=https
>>             header=X-Forwarded-Port=443
>>             header=X-Forwarded-For=192.168.33.1
>>             header=Referer= <https://login.vagrant.dev/auth/>
>> https://login.vagrant.dev/auth/
>>             header=Host=login.vagrant.dev
>>             locale=[en_US, en, de]
>>             method=GET
>>           protocol=HTTP/1.1
>>        queryString=
>>         remoteAddr=192.168.33.1:0
>>         remoteHost=192.168.33.1
>>             scheme=https
>>               host=login.vagrant.dev
>>         serverPort=443
>> --------------------------RESPONSE--------------------------
>>      contentLength=627
>>        contentType=application/octet-stream
>>             header=Cache-Control=max-age=2592000
>>             header=X-Powered-By=Undertow/1
>>             header=Server=WildFly/10
>>
>>
>> Hope this helps diagnosing your issue. Niels
>>
>> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu < <amaeztu at tesicnor.com>
>> amaeztu at tesicnor.com> wrote:
>>
>>> I'm using keycloak to securize some Spring based services (with the
>>> keycloak spring security adapter). The adapter creates a `/login` endpoint
>>> in each of the services which redirects to the keycloak login page and then
>>> redirects back to the service when authentication is done. I also have a
>>> proxy service which I want to publish in the 80 port and will take care of
>>> routing all the requests to each service. The proxy performs a plain
>>> FORWARD to the service, but the problem comes when I securize the service
>>> with the keycloak adapter.
>>>
>>> When I make a request, the adapter redirects to its login endpoint and
>>> then to the keycloak auth url. When keycloak sends the redirection, the url
>>> shown in the browser is the one from the service and not the one from the
>>> proxy. Do I have some choice to tell the adapter I want to redirect back to
>>> the first requested url?
>>>
>>> --
>>> Aritz Maeztu Otaño
>>> Departamento Desarrollo de Software
>>> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>>> <http://www.tesicnor.com>
>>>
>>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>>> Telf.: 948 21 40 40
>>> Fax.: 948 21 40 41
>>> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
>>> medioambiente es cosa de todos.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> --
>> Aritz Maeztu Otaño
>> Departamento Desarrollo de Software
>> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>> <http://www.tesicnor.com>
>>
>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>> Telf.: 948 21 40 40
>> Fax.: 948 21 40 41
>> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
>> medioambiente es cosa de todos.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Aritz Maeztu Otaño
> Departamento Desarrollo de Software
> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
> <http://www.tesicnor.com>
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf.: 948 21 40 40
> Fax.: 948 21 40 41
> Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
> medioambiente es cosa de todos.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 2983 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0003.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 2983 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0004.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1295 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0003.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 2983 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0005.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1295 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0004.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1295 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160531/cfbaf2cb/attachment-0005.gif 


More information about the keycloak-user mailing list