[keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak
Aritz Maeztu
amaeztu at tesicnor.com
Tue May 31 03:13:12 EDT 2016
I've got some Spring Boot application instances with embedded Tomcat
servlet containers. Tomcat has a system similar to WildFly's for request
dumping, which is what I enabled to get the trace below. In short, this
is the behaviour I'm able to see:
1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service (port
8083): a forward request where the X-Forwarded headers are included.
2. Organization Service (localhost:8083): looks for a token and, if it's
not available, the Keycloak adapter redirects to the /sso/login of the
same service (here the traceability from the proxy gets lost).
3. localhost:8083/sso/login: redirects to the Keycloak WildFly server,
saving the requested URL.
4. Keycloak login: the user performs the authentication and the
redirectUri is localhost:8083/sso/login. Later on, the login endpoint
redirects the user to the URL requested in point 2, not the first one
from the proxy.
I only have this problem when my organization service needs to verify
the token (or a token doesn't exist) using the Keycloak adapter. When
the /sso/login endpoint is not requested, everything works properly.
Hope I've explained it well!
On 31/05/2016 at 7:15, Stian Thorgersen wrote:
> Where is your app deployed? If it's on WildFly you can follow the same
> steps used to configure reverse proxy for Keycloak Server to configure
> WildFly. Check if getRequestURL returns the correct URL in your app.
>
> On 30 May 2016 at 15:08, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>
> -------- Forwarded message --------
> Subject: Re: [keycloak-user] Redirection issue with proxy behind keycloak
> Date: Mon, 30 May 2016 13:28:21 +0200
> From: Aritz Maeztu <amaeztu at tesicnor.com>
> To: stian at redhat.com
> CC: Niels Bertram <nielsbne at gmail.com>, keycloak-user
> <keycloak-user at lists.jboss.org>, Scott Rossillo
> <srossillo at smartling.com>
>
> I've traced everything from the proxy server until the login page
> is displayed:
>
> First step: /organization/organizations is requested, so the proxy
> server knows it has to forward it to port 8083 (the one for the
> organization service). That's the first request received by my
> application's Tomcat:
>
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 START TIME =30-may-2016 13:01:18
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestURI=/organizations
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 authType=null
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 characterEncoding=UTF-8
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentLength=-1
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentType=null
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contextPath=
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=accept-language=es-ES,es;q=0.8
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-host=mies-057:8765
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-prefix=/organization
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=upgrade-insecure-requests=1
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=accept-encoding=gzip
> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=netflix.nfhttpclient.version=1.0
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-netflix-httpclientname=organization
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=host=mies-057:8083
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=connection=Keep-Alive
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 locale=es_ES
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 method=GET
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 pathInfo=null
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 protocol=HTTP/1.1
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 queryString=null
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteAddr=192.168.56.1
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteHost=192.168.56.1
> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteUser=null
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestedSessionId=null
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 scheme=http
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverName=mies-057
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverPort=8083
> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 servletPath=/organizations
> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 isSecure=false
> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ------------------=--------------------------------------------
>
> Here x-forwarded-host is mies-057:8765 (the proxy server) and
> x-forwarded-prefix is /organization, so the original request is
> kept in the headers. Now my service (8083) tries to check for
> authorization via the /sso/login endpoint of the Keycloak Spring
> Security adapter:
>
> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] o.k.a.s.management.HttpSessionManager : Session created: CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ------------------=--------------------------------------------
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 authType=null
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentType=null
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=X-Content-Type-Options=nosniff
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=X-XSS-Protection=1; mode=block
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Pragma=no-cache
> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Expires=0
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=X-Frame-Options=DENY
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; Path=/; HttpOnly
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Location=http://mies-057:8083/sso/login
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteUser=null
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 status=302
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 END TIME =30-may-2016 13:01:18
> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ===============================================================
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 START TIME =30-may-2016 13:01:18
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 requestURI=/sso/login
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 authType=null
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 characterEncoding=UTF-8
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contentLength=-1
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contentType=null
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contextPath=
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=host=mies-057:8083
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=connection=keep-alive
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=upgrade-insecure-requests=1
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=accept-encoding=gzip, deflate, sdch
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=accept-language=es-ES,es;q=0.8
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 locale=es_ES
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 method=GET
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 pathInfo=null
> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 protocol=HTTP/1.1
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 queryString=null
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteAddr=192.168.56.1
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteHost=192.168.56.1
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteUser=null
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 scheme=http
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 serverName=mies-057
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 serverPort=8083
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 servletPath=/sso/login
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 isSecure=false
> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 ------------------=--------------------------------------------
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.PreAuthActionsHandler : adminRequest http://mies-057:8083/sso/login
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] o.k.adapters.RequestAuthenticator : --> authenticate()
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] o.k.adapters.RequestAuthenticator : try bearer
> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] o.k.adapters.RequestAuthenticator : try oauth
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.a.s.token.SpringSecurityTokenStore : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@d328c2d is cached
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : there was no code
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : redirecting to auth server
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : callback uri: http://mies-057:8083/sso/login
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login page: http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true
>
> As shown in the logs, the X-forwarded logs are not kept by the
> keycloak adapter (look at the lines below
> "k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login
> URI /sso/login"). So could it be that the proxy server itself is
> properly configured but the keycloak adapter loses the original
> headers while performing the redirection?
>
> I've also set up the request dumper in the Undertow server as
> Niels suggested, but obviously the X-Forwarded headers are not
> reaching the Keycloak server.
>
> Thanks for your time, again ;-)
>
>
>
> On 25/05/2016 at 7:22, Stian Thorgersen wrote:
>> You need the Host and X-Forwarded-For headers to be included and
>> there's also some config to be done on the Keycloak server (see
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding)
>>
>> On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>
>> Hi Niels and Scott. First of all, thank you very much for
>> your help. I'm currently using Zuul (Spring Cloud) as the
>> reverse proxy. All the services are registered in a discovery
>> service called Eureka and then Zuul looks for the service id
>> there and performs the redirection. I read about X-Forwarded
>> headers, but I thought they might result in a security issue if
>> not included, not that they could affect the redirection process.
>>
>> As Scott says, I suppose the Host and X-Real-Ip headers are the
>> relevant ones here, so I guess I should instruct Zuul to send
>> them when the service is addressed (however, I wonder why they
>> are not already being sent, as Zuul is a proxy service, after
>> all).
>>
>> Here I include a preview of the first redirection made to the
>> keycloak login page, which shows the request headers sent to
>> the service /login endpoint (at port 8081 in localhost):
>>
>> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>>
>> On 24/05/2016 at 2:08, Niels Bertram wrote:
>>> Hi Aritz,
>>>
>>> a great way to figure out what is sent from the reverse
>>> proxy to your keycloak server is to use the undertow request
>>> dumper.
>>>
>>> From the jboss-cli just add the request dumper filter to
>>> your undertow configuration like this:
>>>
>>> $KC_HOME/bin/jboss-cli.sh -c
>>>
>>> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler,
>>> module=io.undertow.core)
>>>
>>> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>>
>>> /:reload
>>>
>>> given your apache config looks something like this:
>>>
>>> ProxyRequests Off
>>> ProxyPreserveHost On
>>> ProxyVia On
>>>
>>> ProxyPass /auth ajp://127.0.0.1:8009/auth
>>> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>>>
>>>
>>> you should see something like that (the forwarded info is
>>> somewhat rubbish in this example as I am running the hosts
>>> on Virtualbox - but you can see this request was put through
>>> 2 proxies from local pc 192.168.33.1 to haproxy on
>>> 192.168.33.80 and then apache reverse proxy on 192.168.33.81 ):
>>>
>>> ==============================================================
>>> 23:47:20,563 INFO [io.undertow.request.dump] (default task-14)
>>> ----------------------------REQUEST---------------------------
>>> URI=/auth/welcome-content/favicon.ico
>>> characterEncoding=null
>>> contentLength=-1
>>> contentType=null
>>> header=Accept=*/*
>>> header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>>> header=Cache-Control=no-cache
>>> header=Accept-Encoding=gzip, deflate, sdch
>>> header=DNT=1
>>> header=Pragma=no-cache
>>> header=X-Original-To=192.168.33.80
>>> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
>>> header=Authorization=Basic bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo=
>>> header=X-Forwarded-Proto=https
>>> header=X-Forwarded-Port=443
>>> header=X-Forwarded-For=192.168.33.1
>>> header=Referer=https://login.vagrant.dev/auth/
>>> header=Host=login.vagrant.dev
>>> locale=[en_US, en, de]
>>> method=GET
>>> protocol=HTTP/1.1
>>> queryString=
>>> remoteAddr=192.168.33.1:0
>>> remoteHost=192.168.33.1
>>> scheme=https
>>> host=login.vagrant.dev
>>> serverPort=443
>>> --------------------------RESPONSE--------------------------
>>> contentLength=627
>>> contentType=application/octet-stream
>>> header=Cache-Control=max-age=2592000
>>> header=X-Powered-By=Undertow/1
>>> header=Server=WildFly/10
>>>
>>>
>>> Hope this helps diagnosing your issue. Niels
>>>
>>> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>
>>> I'm using Keycloak to secure some Spring based services
>>> (with the Keycloak Spring Security adapter). The adapter
>>> creates a `/login` endpoint in each of the services which
>>> redirects to the Keycloak login page and then redirects back
>>> to the service when authentication is done. I also have a
>>> proxy service which I want to publish on port 80 and which
>>> will take care of routing all the requests to each service.
>>> The proxy performs a plain FORWARD to the service, but the
>>> problem comes when I secure the service with the Keycloak
>>> adapter.
>>>
>>> When I make a request, the adapter redirects to its login
>>> endpoint and then to the Keycloak auth URL. When Keycloak
>>> sends the redirection, the URL shown in the browser is the
>>> one from the service and not the one from the proxy. Is
>>> there some way to tell the adapter I want to redirect back
>>> to the first requested URL?
>>>
>>>
>>> --
>>> Aritz Maeztu Otaño
>>> Software Development Department
>>> <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
>>> <http://www.tesicnor.com>
>>>
>>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>>> Tel.: 948 21 40 40
>>> Fax: 948 21 40 41
>>>
>>> Before printing this e-mail, think about whether it is really
>>> necessary: the environment is everyone's responsibility.
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>
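Added example (written for this page; it is not code from the thread, nor from Keycloak, Spring or Tomcat): the URL reconstruction that the trace above shows the adapter skipping. The second request in the dump is built from `host=mies-057:8083` alone, so the Location header and the OAuth redirect_uri point at the service instead of at Zuul on 8765. The function below rebuilds the client-facing URL from X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port and the Zuul-specific X-Forwarded-Prefix, but only when the TCP peer is a configured proxy address: a client that can reach port 8083 directly could otherwise choose the host that is echoed back in the redirect. It also covers the X-Forwarded-Proto/Port case from Niels' Undertow dump, and the X-Forwarded-For handling Stian mentions. The Request class, the trusted-proxy addresses and the function names are assumptions for the example; header values are copied from the dumps in the thread, and the untrusted-client request is constructed.

```python
# Added example, not code from the thread or from Keycloak/Spring/Tomcat:
# derive the URL the browser actually requested at the reverse proxy from the
# X-Forwarded-* headers, and only trust those headers when the TCP peer is a
# known proxy. Header values are taken from the RequestDumperFilter output
# quoted above; the trusted-proxy addresses, the Request class and the
# function names are assumptions made for this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for the fields of HttpServletRequest used here."""
    scheme: str            # request.getScheme()
    host_header: str       # Host header as received by Tomcat, e.g. "mies-057:8083"
    path: str              # requestURI, e.g. "/organizations"
    remote_addr: str       # TCP peer address (getRemoteAddr())
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive; the dumper printed them lowercased.
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


# Assumption: the Zuul proxy (192.168.56.1 in the trace) and Niels' Apache
# reverse proxy (192.168.33.81) are the only hosts allowed to set X-Forwarded-*.
TRUSTED_PROXIES = [ip_network("192.168.56.1/32"), ip_network("192.168.33.81/32")]


def is_trusted_proxy(remote_addr: str) -> bool:
    try:
        peer = ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def naive_url(req: Request, path: Optional[str] = None) -> str:
    """What getRequestURL()-style code yields when forwarded headers are ignored.
    With path="/sso/login" this reproduces the Location header in the trace."""
    return f"{req.scheme}://{req.host_header}{req.path if path is None else path}"


def external_url(req: Request, path: Optional[str] = None) -> str:
    """Rebuild the client-facing URL for `path` on this service.

    Forwarded headers are honoured only for a trusted peer: otherwise any
    client could plant a host in X-Forwarded-Host and have it echoed back in a
    Location header or an OAuth redirect_uri (an open redirect).
    """
    if path is None:
        path = req.path
    if not is_trusted_proxy(req.remote_addr):
        return naive_url(req, path)

    scheme = req.header("X-Forwarded-Proto") or req.scheme
    # X-Forwarded-Host may carry a comma-separated chain; the first entry is
    # the host the browser connected to. (Bracketed IPv6 hosts are not handled.)
    host = (req.header("X-Forwarded-Host") or req.host_header).split(",")[0].strip()
    port = req.header("X-Forwarded-Port")
    if port and ":" not in host:
        host = f"{host}:{port}"
    # Drop the scheme's default port so the result is canonical.
    if (scheme, host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]
    # X-Forwarded-Prefix is the route prefix Zuul stripped; put it back in front.
    prefix = (req.header("X-Forwarded-Prefix") or "").strip().rstrip("/")
    if prefix and not prefix.startswith("/"):
        prefix = "/" + prefix
    return f"{scheme}://{host}{prefix}{path}"


def client_ip(req: Request) -> str:
    """Client address for logging/audit: last X-Forwarded-For hop behind a
    trusted proxy, else the TCP peer itself."""
    xff = req.header("X-Forwarded-For")
    if xff and is_trusted_proxy(req.remote_addr):
        return xff.split(",")[-1].strip()
    return req.remote_addr


# First request in the trace: /organizations arriving from Zuul on 8765.
FROM_ZUUL = Request("http", "mies-057:8083", "/organizations", "192.168.56.1",
                    {"x-forwarded-host": "mies-057:8765",
                     "x-forwarded-prefix": "/organization"})

# Constructed: same headers sent straight to port 8083 by an untrusted client.
FROM_STRANGER = Request("http", "mies-057:8083", "/sso/login", "10.9.8.7",
                        {"x-forwarded-host": "evil.example"})

# Constructed from Niels' Undertow dump: Apache with ProxyPreserveHost On.
VIA_APACHE = Request("http", "login.vagrant.dev", "/auth/welcome-content/favicon.ico",
                     "192.168.33.81",
                     {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443",
                      "X-Forwarded-For": "192.168.33.1"})

if __name__ == "__main__":
    print("adapter today:", naive_url(FROM_ZUUL, "/sso/login"))
    print("behind proxy :", external_url(FROM_ZUUL, "/sso/login"))
    print("spoof attempt:", external_url(FROM_STRANGER))
    print("apache/https :", external_url(VIA_APACHE), "from", client_ip(VIA_APACHE))
```

In a servlet container this logic is what a forwarded-header valve or filter does in front of the application, so that getRequestURL() and every redirect built from it already carry the proxy's scheme, host and prefix; whichever component does it, the trusted-peer check is the part that must not be skipped when the service port is reachable without going through the proxy.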