[keycloak-user] Keycloak admin-panel. Infinite loop.

Rafael T. C. Soares rsoares at redhat.com
Fri Feb 3 05:47:44 EST 2017


Are your keycloak server instances (backend) clustered? If yes confirm 
if they are replicating/communicating correctly (jgroups/infinispan). 
Turn on the wildfly's TRACE logs for Infinipan/jgroups....

Keycloak does not depends on sticky-sessions, so your reverse-proxy will 
loadbalance your auth requests randomly between your keycloak servers. 
Your keycloak cluster need to share/replicate auth sessions (the 
internal Infinispan component in wildfly do that work, if well configured!).

Also, look for a thread in this maillist history with a subject 
"/Keycloak 2.2.1 and Apache + mod_cluster/"

___
Rafael T. C. Soares

Em 03-02-2017 06:04, keijo.korte at kvak.net escreveu:
> Hi,
>
> Yes the problem is definitely on the proxy setup, but what is the
> problem?
> I am not so familiar with the jboss/wildfly (tomcat is usually my weapon
> of choice). So I am not sure what I am missing.
>
> And yes, if I create ssh tunnel to the KC server I can login and
> everything is working just like I expected.
>
> I tried the search before I posted the question, because I didn't find
> the answer.
>
> If the httpd and KC are on same server everything works. That was my
> previous setup, but now I want to dedicate one server just for reverse
> proxy role.
>
> -Keijo
>
> On 2017-02-03 10:32, Stian Thorgersen wrote:
>> Is everything working fine if you go directly to the Keycloak server?
>> Someone reported a similar issue a few weeks ago and it turned out to
>> be an issue in the proxy setup. I can't remember the details, but
>> maybe you can find it on http://www.keycloak.org/search.html
>>
>> On 2 February 2017 at 18:04, <keijo.korte at kvak.net> wrote:
>>
>>> Hi,
>>>
>>> Setup:
>>> OS: Centos 6.8
>>> Keycloak version, 2.5.1-FINAL
>>> httpd version 2.2.15
>>>
>>> I have configured httpd as a SSL off loading reverse proxy for
>>> Keycloak
>>> server. The proxy and the Keycloak are on different servers.
>>> Basically everything works fine, but I can't log in because I am
>>> been
>>> redirected back to the square one all the time.
>>>
>>> Here is the flow:
>>>
>>> GET https://idp.xxx.net/auth/admin/ [1]
>>>
>>> GET
>>>
>> https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid
>>> [2]
>>>
>>> POST
>>>
>> https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
>>> [3]
>>>
>>> GET
>>>
>> https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
>>> [4]
>>>
>>> GET lots of resources: /config, login-status-iframe.html, /token,
>>> /messages.json and so on
>>>
>>> GET
>>>
>> https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid
>>> [5]
>>>
>>> and the same thing from the start. Forever.
>>>
>>> httpd configuration for SSL:
>>>
>>> *****
>>> <VirtualHost *:443>
>>> ServerName idp.xxx.net [6]
>>> ServerAdmin webmaster at xxx.net
>>> DocumentRoot /var/www/html/
>>> <Directory />
>>> Order deny,allow
>>> Allow from all
>>> Options FollowSymLinks
>>> AllowOverride None
>>> </Directory>
>>> <Proxy *>
>>> Order deny,allow
>>> Allow from all
>>> </Proxy>
>>> ProxyRequests Off
>>> RequestHeader set X-Forwarded-Proto "https"
>>> RequestHeader set X-Forwarded-Port "443"
>>> ProxyPreserveHost on
>>> ProxyPass / http://172.16.22.12:8080/ keepalive=On
>>> ProxyPassReverse / http://172.16.22.12:8080/
>>> + lots of cipher suite setting and so on.
>>> *****
>>>
>>> WildFly configuration:
>>>
>>> *****
>>> <server name="default-server">
>>> <http-listener name="default"
>>> proxy-address-forwarding="true" socket-binding="http"
>>> redirect-socket="proxy-https"/>
>>> <host name="default-host" alias="localhost
>>> idp.xxx.net [6]">
>>> <location name="/" handler="welcome-content"/>
>>> <filter-ref name="server-header"/>
>>> <filter-ref name="x-powered-by-header"/>
>>> </host>
>>> </server>
>>>
>>> ....
>>>
>>> <socket-binding-group name="standard-sockets"
>>> default-interface="any"
>>> port-offset="${jboss.socket.binding.port-offset:0}">
>>> <socket-binding name="management-http"
>>> interface="management"
>>> port="${jboss.management.http.port:9990}"/>
>>> <socket-binding name="management-https"
>>> interface="management"
>>> port="${jboss.management.https.port:9993}"/>
>>> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
>>> <socket-binding name="http"
>>> port="${jboss.http.port:8080}"/>
>>> <socket-binding name="proxy-https" port="443"/>
>>> <socket-binding name="https"
>>> port="${jboss.https.port:8443}"/>
>>> <socket-binding name="txn-recovery-environment"
>>> port="4712"/>
>>> <socket-binding name="txn-status-manager" port="4713"/>
>>> <outbound-socket-binding name="mail-smtp">
>>> <remote-destination host="localhost" port="25"/>
>>> </outbound-socket-binding>
>>> </socket-binding-group>
>>>
>>> *****
>>>
>>> Does someone has some kind of clue why I am been redirected?
>>> First I think that this was some kind of http/https redirect
>>> problem,
>>> but when I enabled requestdumper @ wildfly I can see that everything
>>> is
>>> HTTPS.
>>>
>>> *****
>>>
>>> ----------------------------REQUEST---------------------------
>>> URI=/
>>> characterEncoding=null
>>> contentLength=-1
>>> contentType=null
>>>
>>>
>> header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> header=Accept-Language=en-US,en;q=0.5
>>> header=Accept-Encoding=gzip, deflate, br
>>> header=X-Forwarded-Server=idp.xxx.net [6]
>>> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS
>>> X
>>> 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
>>> header=Connection=Keep-Alive
>>> header=X-Forwarded-Proto=https
>>> header=X-Forwarded-Port=443
>>> header=X-Forwarded-For=88.12.13.14
>>> header=Upgrade-Insecure-Requests=1
>>> header=Host=idp.xxx.net [6]
>>> header=X-Forwarded-Host=idp.xxx.net [6]
>>> locale=[en_US, en]
>>> method=GET
>>> protocol=HTTP/1.1
>>> queryString=
>>> remoteAddr=88.12.13.14:0 [7]
>>> remoteHost=88.12.13.14
>>> scheme=https
>>> host=idp.xxx.net [6]
>>> serverPort=443
>>> *****
>>>
>>> -Keijo
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user [8]
>>
>>
>> Links:
>> ------
>> [1] https://idp.xxx.net/auth/admin/
>> [2]
>> https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&amp;redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&amp;state=eeb29809-a4aa-458b-8530-645729ce42e5&amp;nonce=fe92d57a-ff26-4213-8907-d86febde7b92&amp;response_mode=fragment&amp;response_type=code&amp;scope=openid
>> [3]
>> https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&amp;execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
>> [4]
>> https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&amp;code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
>> [5]
>> https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&amp;redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&amp;state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&amp;nonce=4284a896-6694-4af8-9c91-71e4050455a2&amp;response_mode=fragment&amp;response_type=code&amp;scope=openid
>> [6] http://idp.xxx.net
>> [7] http://88.12.13.14:0
>> [8] https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



More information about the keycloak-user mailing list