[keycloak-user] Keycloak admin-panel. Infinite loop.

Stian Thorgersen sthorger at redhat.com
Fri Feb 3 03:32:37 EST 2017


Is everything working fine if you go directly to the Keycloak server?
Someone reported a similar issue a few weeks ago and it turned out to be an
issue in the proxy setup. I can't remember the details, but maybe you can
find it on http://www.keycloak.org/search.html

On 2 February 2017 at 18:04, <keijo.korte at kvak.net> wrote:

> Hi,
>
> Setup:
> OS: CentOS 6.8
> Keycloak version, 2.5.1-FINAL
> httpd version 2.2.15
>
> I have configured httpd as an SSL offloading reverse proxy for Keycloak
> server. The proxy and the Keycloak are on different servers.
> Basically everything works fine, but I can't log in because I am being
> redirected back to square one all the time.
>
> Here is the flow:
>
> GET https://idp.xxx.net/auth/admin/
>
> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid
>
> POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
>
> GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
>
> GET lots of resources: /config, login-status-iframe.html, /token,
> /messages.json and so on
>
> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid
>
> and the same thing from the start. Forever.
>
> httpd configuration for SSL:
>
> *****
> <VirtualHost *:443>
>          ServerName idp.xxx.net
>          ServerAdmin webmaster at xxx.net
>          DocumentRoot /var/www/html/
>          <Directory />
>                  Order deny,allow
>                  Allow from all
>                  Options FollowSymLinks
>                  AllowOverride None
>          </Directory>
>          <Proxy *>
>            Order deny,allow
>            Allow from all
>          </Proxy>
>          ProxyRequests Off
>          RequestHeader set X-Forwarded-Proto "https"
>          RequestHeader set X-Forwarded-Port "443"
>          ProxyPreserveHost on
>          ProxyPass / http://172.16.22.12:8080/ keepalive=On
>          ProxyPassReverse / http://172.16.22.12:8080/
> + lots of cipher suite settings and so on.
> *****
>
> WildFly configuration:
>
> *****
>              <server name="default-server">
>                  <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
>                  <host name="default-host" alias="localhost idp.xxx.net">
>                      <location name="/" handler="welcome-content"/>
>                      <filter-ref name="server-header"/>
>                      <filter-ref name="x-powered-by-header"/>
>                  </host>
>              </server>
>
> ....
>
>      <socket-binding-group name="standard-sockets" default-interface="any" port-offset="${jboss.socket.binding.port-offset:0}">
>          <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
>          <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
>          <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>          <socket-binding name="http" port="${jboss.http.port:8080}"/>
>          <socket-binding name="proxy-https" port="443"/>
>          <socket-binding name="https" port="${jboss.https.port:8443}"/>
>          <socket-binding name="txn-recovery-environment" port="4712"/>
>          <socket-binding name="txn-status-manager" port="4713"/>
>          <outbound-socket-binding name="mail-smtp">
>              <remote-destination host="localhost" port="25"/>
>          </outbound-socket-binding>
>      </socket-binding-group>
>
> *****
>
> Does someone have some kind of clue why I am being redirected?
> At first I thought that this was some kind of http/https redirect problem,
> but when I enabled requestdumper @ wildfly I can see that everything is
> HTTPS.
>
> *****
>
> ----------------------------REQUEST---------------------------
>                 URI=/
>   characterEncoding=null
>       contentLength=-1
>         contentType=null
>
>              header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>              header=Accept-Language=en-US,en;q=0.5
>              header=Accept-Encoding=gzip, deflate, br
>              header=X-Forwarded-Server=idp.xxx.net
>              header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
>              header=Connection=Keep-Alive
>              header=X-Forwarded-Proto=https
>              header=X-Forwarded-Port=443
>              header=X-Forwarded-For=88.12.13.14
>              header=Upgrade-Insecure-Requests=1
>              header=Host=idp.xxx.net
>              header=X-Forwarded-Host=idp.xxx.net
>              locale=[en_US, en]
>              method=GET
>            protocol=HTTP/1.1
>         queryString=
>          remoteAddr=88.12.13.14:0
>          remoteHost=88.12.13.14
>              scheme=https
>                host=idp.xxx.net
>          serverPort=443
> *****
>
> -Keijo
>
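
An added example, not part of the original thread and not Keycloak code: a small Python check over the two authorization requests and the callback URL from the quoted flow. It shows that the callback carries the state of the first request and that the second authorization request, with redirect_fragment appended to redirect_uri, is only sent after it. The names first and analyze are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Browser-visible URLs copied from the flow quoted above (host as redacted there).
AUTH = "https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth"
CONSOLE = "https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F"
TAIL = "&response_mode=fragment&response_type=code&scope=openid"
FLOW = [
    AUTH + "?client_id=security-admin-console&redirect_uri=" + CONSOLE
    + "&state=eeb29809-a4aa-458b-8530-645729ce42e5"
    + "&nonce=fe92d57a-ff26-4213-8907-d86febde7b92" + TAIL,
    "https://idp.xxx.net/auth/admin/master/console/"
    "#state=eeb29809-a4aa-458b-8530-645729ce42e5"
    "&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c"
    ".1f4f0836-a5ca-4dff-8f64-ac9bf461f946",
    AUTH + "?client_id=security-admin-console&redirect_uri=" + CONSOLE
    + "%3Fredirect_fragment%3D%252F"
    + "&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47"
    + "&nonce=4284a896-6694-4af8-9c91-71e4050455a2" + TAIL,
]

def first(params, key):
    return params.get(key, [None])[0]

def analyze(flow):
    """Correlate authorization requests with fragment-mode callbacks."""
    pending, findings, completed = {}, [], False  # pending: state -> redirect_uri
    for url in flow:
        parts = urlsplit(url)
        if parts.path.endswith("/protocol/openid-connect/auth"):
            q = parse_qs(parts.query)
            if completed:  # a new login started after a good callback
                findings.append(("restart", first(q, "redirect_uri")))
            pending[first(q, "state")] = first(q, "redirect_uri")
        elif parts.fragment:
            f = parse_qs(parts.fragment)
            state = first(f, "state")
            target = pending.pop(state, None)
            if target is None:
                findings.append(("unknown_state", state))
            elif target.split("?")[0] != url.split("#")[0]:
                findings.append(("redirect_mismatch", target))
            elif first(f, "code"):
                completed = True
                findings.append(("callback_ok", state))
    return findings

if __name__ == "__main__":
    for finding in analyze(FLOW):
        print(finding)
```

A callback_ok followed by restart places the loop after the authorization response has reached the console, among the requests the post lists next (/config, login-status-iframe.html, /token), so those are the responses to compare between the proxied and the direct connection.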

