[keycloak-user] Keycloak not authorising access to app behind Keycloak security proxy
Guy Bowdler
guybowdler at dorsetnetworks.com
Tue Nov 1 14:05:16 EDT 2016
Hi all,
I have an app that isn't keycloak aware and have put the keycloak
security proxy in front of it, however even with the most basic settings
I cannot successfully authenticate to the page - it returns a 403 access
denied error and the keycloak proxy outputs this:
org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed to turn code into token
java.net.ConnectException: Connection refused (Connection refused)
Must admit I'm stumped, I thought with this config, any user with an
account that successfully logs in would get the app. I'm not using
roles or anything complicated (because I don't understand it yet) and
have been round the houses without success so any advice would be
greatly appreciated!
thanks,
Guy
----------------------------------------------
Here's some info about the environment:
----------------------------------------------
Both keycloak and the application are reverse proxied via NGINX, but
this works fine when I change the proxy config from "authenticate":true
to "permit": true.
DMZ:
2 X NGINX SERVERS (not clustered) one proxying keycloak and the other
proxying the application <-- Proper headers set
----------------------------------------------
TRUST:
KEYCLOAK SERVER - Wildfly configured with
  <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true"/>
and
  <socket-binding name="proxy-https" port="443"/>
APPLICATION SERVER - Keycloak Security Proxy
{
  "target-url": "http://1.2.3.4:80",
  "bind-address": "5.6.7.8",
  "http-port": "80",
  "https-port": "443",
  "keystore": "/opt/keycloak-proxy/KeyStore.jks",
  "keystore-password": "password",
  "key-password": "password",
  "applications": [
    {
      "base-path": "/",
      "error-page": "/error/denied.html",
      "adapter-config": {
        "realm": "realmname",
        "resource": "clientname",
        "realm-public-key": "publickey",
        "auth-server-url": "https://keycloak.tiberius.local/auth",
        "ssl-required": "external",
        "credentials": {
          "secret": "secret"
        }
      },
      "constraints": [
        {
          "pattern": "/*",
          "authenticate": "true"
        }
      ]
    }
  ]
}
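An added diagnostic, not from the post or from the Keycloak project: the "failed to turn code into token" step is a server-to-server call that the proxy itself makes to the auth-server-url (the realm's OpenID Connect token endpoint), so the browser-facing NGINX path working for "permit": true says nothing about that hop. The Python script below reads a constructed, sanitized copy of the proxy.json above (with the cut-off tail closed), derives the token endpoint the proxy will call, and attempts a TCP connect to that host and port from wherever the script runs; run on the application server it reproduces the "Connection refused" hop in isolation (DNS resolution of keycloak.tiberius.local, routing, and port 443 being open from the TRUST zone). It also flags constraint flags written as quoted strings, since the Keycloak proxy documentation writes them as bare JSON booleans. Function names and the always_refused stand-in connector are the example's own; the token endpoint path is Keycloak's standard one.

```python
import json
import socket
from urllib.parse import urlparse

# Constructed sample: a sanitized copy of the proxy.json from the post,
# with the truncated tail closed and the secrets left as placeholders.
SAMPLE_PROXY_JSON = """
{
  "target-url": "http://1.2.3.4:80",
  "bind-address": "5.6.7.8",
  "http-port": "80",
  "https-port": "443",
  "applications": [
    {
      "base-path": "/",
      "error-page": "/error/denied.html",
      "adapter-config": {
        "realm": "realmname",
        "resource": "clientname",
        "auth-server-url": "https://keycloak.tiberius.local/auth",
        "ssl-required": "external",
        "credentials": {"secret": "secret"}
      },
      "constraints": [
        {"pattern": "/*", "authenticate": "true"}
      ]
    }
  ]
}
"""


def token_endpoint(adapter_config):
    """Build the realm's OpenID Connect token endpoint from the adapter config.

    The proxy calls this URL itself (server to server) to exchange the
    authorization code for tokens; the browser is not involved in that hop.
    """
    base = adapter_config["auth-server-url"].rstrip("/")
    return f"{base}/realms/{adapter_config['realm']}/protocol/openid-connect/token"


def backchannel_target(url):
    """Return the (host, port) the proxy host must be able to reach for url."""
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return parsed.hostname, port


def check_backchannel(url, connect=socket.create_connection, timeout=3.0):
    """Try a TCP connect from this host to the auth server's host:port.

    Returns (True, "") on success, or (False, reason) mirroring the
    ConnectException the proxy logged. `connect` is pluggable so the
    check can be exercised offline with a stand-in connector.
    """
    host, port = backchannel_target(url)
    try:
        sock = connect((host, port), timeout=timeout)
        sock.close()
        return True, ""
    except OSError as exc:  # covers DNS failure, refused, timeout
        return False, f"{host}:{port} -> {exc}"


def always_refused(address, timeout=None):
    """Stand-in connector (hypothetical) simulating an unreachable auth server."""
    raise ConnectionRefusedError(111, "Connection refused")


def lint_constraints(app):
    """Flag constraint flags given as JSON strings rather than booleans."""
    findings = []
    for constraint in app.get("constraints", []):
        for key in ("authenticate", "permit", "deny"):
            if key in constraint and not isinstance(constraint[key], bool):
                findings.append(
                    f"pattern {constraint.get('pattern')!r}: "
                    f"{key} is {type(constraint[key]).__name__}, expected boolean"
                )
    return findings


def diagnose(config_text, connect=socket.create_connection):
    """Run the reachability and lint checks over every application entry."""
    config = json.loads(config_text)
    report = []
    for app in config["applications"]:
        url = token_endpoint(app["adapter-config"])
        reachable, reason = check_backchannel(url, connect=connect)
        report.append({
            "base-path": app["base-path"],
            "token-endpoint": url,
            "reachable": reachable,
            "reason": reason,
            "lint": lint_constraints(app),
        })
    return report


if __name__ == "__main__":
    # With the real connector this tests the actual hop from the host it runs on.
    for entry in diagnose(SAMPLE_PROXY_JSON):
        print(json.dumps(entry, indent=2))
```

Run it on the application server (the host the Keycloak Security Proxy binds on), not from the DMZ: a refused or unresolvable result there is the same condition the proxy log shows, independent of whether the two NGINX front ends are configured correctly.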