[keycloak-user] Spring Boot Adapter and SSL Termination Issues

[Brian Watson]

Hey all,

I am having a problem related to the Spring boot adapter and SSL
termination at the load balancer level. I am using Keycloak
2.1.0.Final.

Locally, when not using HTTPS and setting "keycloak.ssl-required =
none", everything, including using google and facebook as identity
providers, works as expected.

However, I am now trying to deploy my demo to AWS. I am terminating
SSL at the ELB level, and that seems to be causing issues. Here is my
full config (with ... added for secrets & such):

----------
server.port = 8080

keycloak.realm = social
keycloak.realmKey = MIIB...
keycloak.auth-server-url = https://sso...
keycloak.ssl-required = all
keycloak.resource = adapter-client
keycloak.token-store = cookie
keycloak.credentials.secret = ...

keycloak.securityConstraints[0].securityCollections[0].name = secure
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /secure/*
----------

The issue I am having seems to be related to terminating SSL at the
ELB level. When tracing though a login request, all requests from the
browser seem proper. However, I get the following error in the demo
app:

----------

2016-11-28 04:44:59.829 ERROR 2531 --- [nio-8080-exec-5]
o.k.adapters.OAuthRequestAuthenticator   : Adapter requires SSL.
Request: http://keycloakdemo.devcloud.applause.com/secure/index.html?state=...
----------

So, it appears that the adapter is expecting an SSL request, but the
ELB is terminating SSL, so the adapter just sees a HTTP request, and
errors out.

Is there a way to configure the adapter to tell it SSL termination is
happening at the load balancer? I know that keycloak itself has such
configuration, but do the adapters?

Thank you,
Brian Watson