[keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting

cen imbacen at gmail.com
Tue May 30 11:37:15 EDT 2017


Hello


I just managed to replicate this: 
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html

The unfortunate soul did not get a single reply in 2015, hopefully I 
have better luck. I will try to provide as much info as requested just to 
get to the bottom of this.


Setup:

- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup 
config cli:

embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch
stop-embedded-server

- KC adapter jetty 9.3

- keycloak.json configured via env vars

- kc and api running in separate docker containers on same server

{
   "realm": "${env.KC_REALM}",
   "auth-server-url": "${env.KC_BASE_URL}",
   "ssl-required": "${env.KC_SSL_REQUIRED}",
   "resource": "${env.KC_RESOURCE}",
   "public-client": true
}

Docker ENV for my API service:

KC_BASE_URL=https://mykeycloak.domain/auth
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external

When I call a protected API this is logged by adapter:

api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest 
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
api | 2017-05-30 17:07:41 WARN  RequestAuthenticator:164 - SSL is 
required to authenticate. Remote address <server ip> is secure: false, 
SSL required for: EXTERNAL .


Why does it try to connect via IP and not over https? I clearly 
specified KC_BASE_URL as HTTPS. And why is the REST call logged as http even 
though I call it via https? I also parsed the access token and the issuer is 
from https, no trace of any IPs or http anywhere.

And now the worst thing: when this WARN happens, the adapter returns a blank 
200! You'd expect at least an internal server error or something along those 
lines. I lost 9 hours today blaming everything from nginx to my REST 
API just to finally come down to this.


Setting SSL config to none in admin panel and in adapter env makes the 
whole thing work. But this is clearly not the solution.


Hopefully some expert can shed some light on this.


Best regards, cen
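Editor's note on the warning quoted above, with an added example that is not code from the thread or from Keycloak. The adapter's "ssl-required" check has two inputs: whether the remote address counts as external (for "external") and whether the servlet container reports the request as secure. When nginx terminates TLS and forwards plain http to the Jetty container, Jetty reports isSecure() as false unless it is configured to honour X-Forwarded-Proto from the proxy (Jetty's ForwardedRequestCustomizer does this; nginx must send the header with something like proxy_set_header X-Forwarded-Proto $scheme). The model below reconstructs that decision; the private-address ranges, the trusted-proxy handling and the addresses 203.0.113.10 (nginx host) and 198.51.100.7 (end user) are assumptions made for the illustration.

```python
"""Model of the ssl-required check a Keycloak adapter applies before it
validates a token.  Added illustration for the thread above, written
independently; it is NOT Keycloak's code.  The private-range list and the
trusted-proxy handling are assumptions."""
import ipaddress

# Assumption: peers in these ranges are "not external" for ssl-required=external.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local(remote_addr: str) -> bool:
    """Loopback, RFC 1918 and link-local peers are exempt under 'external'."""
    if remote_addr == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # any other hostname is treated as external
    return any(ip in net for net in _LOCAL_NETS)


def ssl_required(setting: str, remote_addr: str) -> bool:
    """The three documented ssl-required values: none, external, all."""
    value = setting.strip().lower()
    if value == "none":
        return False
    if value == "all":
        return True
    if value == "external":
        return not is_local(remote_addr)
    raise ValueError(f"unknown ssl-required value: {setting!r}")


def request_is_secure(scheme: str, headers: dict, peer: str,
                      trusted_proxies: frozenset = frozenset()) -> bool:
    """What the container reports as request.isSecure().

    Without forwarded-header processing only the socket scheme counts, so a
    TLS connection terminated at nginx and forwarded as plain http is
    insecure.  If the peer is a trusted proxy and forwarded headers are
    processed (Jetty: ForwardedRequestCustomizer), X-Forwarded-Proto decides.
    The header is honoured only from trusted peers; otherwise any client
    could claim "https" and bypass the check.
    """
    if peer in trusted_proxies:
        forwarded = headers.get("X-Forwarded-Proto")
        if forwarded:
            return forwarded.split(",")[0].strip().lower() == "https"
    return scheme.lower() == "https"


def authenticate(setting: str, scheme: str, headers: dict, peer: str,
                 trusted_proxies: frozenset = frozenset()) -> str:
    """Return 'ok' if the adapter would go on to token validation, otherwise
    the warning it logs.  The address used for the 'external' decision is the
    peer's unless a trusted proxy supplied X-Forwarded-For."""
    remote = peer
    if peer in trusted_proxies and headers.get("X-Forwarded-For"):
        remote = headers["X-Forwarded-For"].split(",")[0].strip()
    if ssl_required(setting, remote) and not request_is_secure(
            scheme, headers, peer, trusted_proxies):
        return (f"SSL is required to authenticate. Remote address {remote} "
                f"is secure: false, SSL required for: {setting.upper()} .")
    return "ok"


if __name__ == "__main__":
    nginx = "203.0.113.10"  # constructed stand-in for the nginx host
    # 1. The thread's setup: TLS ends at nginx, the API sees plain http and
    #    does not process forwarded headers -> refused.
    print(authenticate("external", "http", {}, nginx))
    # 2. nginx sends X-Forwarded-Proto/For and the API trusts it -> accepted.
    print(authenticate("external", "http",
                       {"X-Forwarded-Proto": "https",
                        "X-Forwarded-For": "198.51.100.7"},
                       nginx, frozenset({nginx})))
    # 3. The same header from an untrusted peer is ignored -> still refused.
    print(authenticate("external", "http",
                       {"X-Forwarded-Proto": "https"}, "198.51.100.7"))
```

Two things the model makes visible: "external" is decided purely on the remote address, so a proxy reaching the API over a Docker bridge address such as 172.17.0.2 would never trigger the warning at all, and setting ssl-required to none only hides the symptom. The fix that keeps the check meaningful is to have nginx send X-Forwarded-Proto (and X-Forwarded-For) and to enable forwarded-header handling in the API's Jetty, restricted to the proxy's address.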
