[keycloak-user] Not authorising access to app behind Keycloak security proxy
Stian Thorgersen
sthorger at redhat.com
Mon Nov 7 00:46:50 EST 2016
This looks like the proxy can't reach the Keycloak server for some reason.
Is the auth-server-url correct? Is the SSL setup working (maybe try with plain
HTTP just to see if that's the issue)?
On 1 November 2016 at 18:49, Guy Bowdler <guybowdler at dorsetnetworks.com>
wrote:
> Hi all,
>
> I have an app that isn't Keycloak aware and have put the Keycloak
> security proxy in front of it; however, even with the most basic settings
> I cannot successfully authenticate to the page - it returns a 403 access
> denied error and the Keycloak proxy outputs this:
>
> org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
> ERROR: failed to turn code into token
> java.net.ConnectException: Connection refused (Connection refused)
>
> Must admit I'm stumped, I thought with this config, any user with an
> account that successfully logs in would get the app. I'm not using
> roles or anything complicated (because I don't understand it yet) and
> have been round the houses without success so any advice would be
> greatly appreciated!
>
> thanks,
>
> Guy
>
> ----------------------------------------------
>
> Here's some info about the environment:
>
> ----------------------------------------------
>
> Both keycloak and the application are reverse proxied via NGINX, but
> this works fine when I change the proxy config from "authenticate":true
> to "permit": true.
>
> DMZ:
>
> 2 x NGINX servers (not clustered), one proxying Keycloak and the other
> proxying the application <-- proper headers set
>
> ----------------------------------------------
>
> TRUST:
>
> KEYCLOAK SERVER - Wildfly configured with
>
> <http-listener name="default" socket-binding="http"
> redirect-socket="proxy-https" proxy-address-forwarding="true"/> and
>
> <socket-binding name="proxy-https" port="443"/>
>
> APPLICATION SERVER - Keycloak Security Proxy
>
> {
>   "target-url": "http://1.2.3.4:80",
>   "bind-address": "5.6.7.8",
>   "http-port": "80",
>   "https-port": "443",
>   "keystore": "/opt/keycloak-proxy/KeyStore.jks",
>   "keystore-password": "password",
>   "key-password": "password",
>   "applications": [
>     {
>       "base-path": "/",
>       "error-page": "/error/denied.html",
>       "adapter-config": {
>         "realm": "realmname",
>         "resource": "clientname",
>         "realm-public-key": "publickey",
>         "auth-server-url": "https://keycloak.tiberius.local/auth",
>         "ssl-required": "external",
>         "credentials": {
>           "secret": "secret"
>         }
>       },
>       "constraints": [
>         {
>           "pattern": "/*",
>           "authenticate": "true"
>         }
>       ]
>     }
>   ]
> }
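Stian's advice comes down to one question: can the proxy host actually reach the auth-server-url in its adapter-config? The script below is an added illustration, not code from Keycloak or from either poster: it reads a proxy config in the same shape as the one quoted above, derives each realm's OIDC discovery URL (Keycloak serves it under /realms/<realm>/.well-known/openid-configuration), and names the layer at which a fetch fails, so "Connection refused" from the token exchange can be separated from DNS, TLS or wrong-realm problems. The sample config, its .invalid hostname and the result labels are constructed for this example.

```python
import json
import socket
import ssl
import urllib.error
import urllib.request

# Constructed sample in the shape of the quoted proxy.json; .invalid never resolves.
SAMPLE_PROXY_CONFIG = """{
  "target-url": "http://1.2.3.4:80",
  "applications": [{
    "adapter-config": {
      "realm": "realmname",
      "auth-server-url": "https://keycloak.example.invalid/auth"
    }
  }]
}"""

def discovery_urls(config_text):
    """Per application: (realm, auth-server-url, OIDC discovery URL) the proxy must reach."""
    cfg = json.loads(config_text)
    out = []
    for app in cfg.get("applications", []):
        ac = app["adapter-config"]
        base = ac["auth-server-url"].rstrip("/")
        out.append((ac["realm"], base, f"{base}/realms/{ac['realm']}/.well-known/openid-configuration"))
    return out

def classify(exc):
    """Name the layer at which a failure from check_reachable happened (labels are ours)."""
    if isinstance(exc, ssl.SSLError):
        return "tls"        # handshake/certificate problem: retry over plain http to confirm
    if isinstance(exc, socket.gaierror):
        return "dns"        # the auth-server-url host does not resolve from the proxy box
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # nothing listening on that host:port, the symptom in the thread
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"    # packets dropped between proxy and Keycloak (firewall?)
    if isinstance(exc, urllib.error.HTTPError):
        return f"http-{exc.code}"  # server reached, but realm or base path is wrong
    return "other"

def check_reachable(url, timeout=5):
    """Fetch url; 'ok' on success, otherwise the classified failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return "ok"
    except urllib.error.URLError as e:   # HTTPError is a URLError without a wrapped reason
        return classify(e if isinstance(e, urllib.error.HTTPError) else e.reason)
    except OSError as e:                 # socket/ssl errors raised outside urllib's wrapping
        return classify(e)
```

Run it on the proxy host itself, against the real proxy.json, so the check goes through the same DNS, routing and trust store the proxy uses.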