[keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting

cen imbacen at gmail.com
Tue May 30 17:51:08 EDT 2017


As far as I know, when Keycloak is running in Docker, "external" means 
anything coming outside of the container, so even if traffic from nginx 
to Keycloak is technically local Keycloak does not see it that way.

Google apparently uses SSL even inside their datacenter and I think it 
is a valid use, that is why require ssl=all exists in Keycloak I guess.


The bigger point of mine is that there is a bug somewhere in Keycloak 
adapter that just silently fails and returns empty HTTP 200 which 
doesn't make any sense at all.

The only theory so far that I have is that adapter somehow figures out 
that domain points to Docker host and elects to go the direct IP route 
instead of through nginx.


On 30. 05. 2017 at 23:40, Amaeztu wrote:
>
> As far as I can see you're configuring SSL in top of your nginx proxy 
> (user can only access keycloak via this proxy).
>
> Your internal calls (from proxy to keycloak) aren't meant to be in 
> SSL, so why you should bother of keycloak requiring it?
>
> Sent from my Sony Xperia™ phone
>
>
>
> ---- cen wrote ----
>
> Hello
>
>
> I just managed to replicate this:
> http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
>
> The unfortunate soul did not get a single reply in 2015, hopefully I
> have better luck. I will try to provide as much info as requested just to
> get to the bottom of this.
>
>
> Setup:
>
> - KC 3.0.0-Final behind nginx reverse proxy protected by 
> HTTPS, startup
> config cli:
>
> embed-server --std-out=echo
> batch
> /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
> /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
> /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
> run-batch
> stop-embedded-server
>
> - KC adapter jetty 9.3
>
> - keycloak.json configured via env vars
>
> - kc and api running in separate docker containers on same server
>
> {
>    "realm": "${env.KC_REALM}",
>    "auth-server-url": "${env.KC_BASE_URL}",
>    "ssl-required": "${env.KC_SSL_REQUIRED}",
>    "resource": "${env.KC_RESOURCE}",
>    "public-client": true
> }
>
> Docker ENV from my API service:
>
> KC_BASE_URL=https://mykeycloak.domain/auth
> KC_RESOURCE=myapp-api
> KC_REALM=myrealm
> KC_SSL_REQUIRED=external
>
> When I call a protected API this is logged by adapter:
>
> api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest
> http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
> api | 2017-05-30 17:07:41 WARN  RequestAuthenticator:164 - SSL is
> required to authenticate. Remote address <server ip> is secure: false,
> SSL required for: EXTERNAL .
>
>
> Why does it try to connect via IP and not over https? I clearly
> specified KC_BASE_URL as HTTPS. And why is REST call logged as http even
> though I call it via https? I also parsed the access token and issuer is
> from https, no trace of any IPs or http anywhere.
>
> And now the worst thing: when this WARN happens, adapter returns blank
> 200! You'd expect at least internal server error or something along the
> lines. I lost 9 hours today blaming everything from nginx to my REST
> API just to finally come down to this.
>
>
> Setting SSL config to none in admin panel and in adapter env makes the
> whole thing work. But this is clearly not the solution.
>
>
> Hopefully some expert can shed some light on this.
>
>
> Best regards, cen
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
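The WARN line in the quoted report ("Remote address <server ip> is secure: false, SSL required for: EXTERNAL") is the adapter evaluating ssl-required against what the API's own servlet container sees, namely the scheme of the connection and the peer address, not against the https URL in auth-server-url. The Python sketch below is an added example and not Keycloak or Jetty code: it approximates the adapter's decision (Keycloak treats loopback and RFC 1918 site-local addresses as "local" for the EXTERNAL mode; the exact Java address test and the `honour_forwarded` switch, header names and sample addresses are assumptions constructed for the example) and shows why a TLS-terminating nginx that forwards plain HTTP makes a public client look both insecure and external.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Address ranges treated as "local" for ssl-required=external.
# Approximation of Keycloak's check (loopback, any-local, RFC 1918 ranges);
# the precise Java semantics are an assumption of this example.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128",
)]


@dataclass
class Request:
    scheme: str                                   # scheme the servlet container saw
    remote_addr: str                              # peer address of the TCP connection
    headers: dict[str, str] = field(default_factory=dict)


def is_local(addr: str) -> bool:
    """True if addr falls in one of the ranges counted as local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                              # hostnames/garbage: treat as external
    return any(ip in net for net in LOCAL_NETWORKS)


def ssl_required_for(mode: str, addr: str) -> bool:
    """ssl-required semantics: all -> always, external -> unless addr is local, none -> never."""
    mode = mode.lower()
    if mode == "all":
        return True
    if mode == "external":
        return not is_local(addr)
    if mode == "none":
        return False
    raise ValueError(f"unknown ssl-required mode: {mode}")


def effective_view(req: Request, honour_forwarded: bool) -> tuple[bool, str]:
    """What the adapter believes: (is_secure, client_addr).

    With honour_forwarded=False (the situation in the report) only the raw
    connection is consulted, so a proxy that terminated TLS and forwarded
    plain HTTP yields is_secure=False and the proxy's own peer address.
    """
    secure = req.scheme == "https"
    addr = req.remote_addr
    if honour_forwarded:
        proto = req.headers.get("X-Forwarded-Proto")
        if proto:
            secure = proto.lower() == "https"
        forwarded_for = req.headers.get("X-Forwarded-For")
        if forwarded_for:
            addr = forwarded_for.split(",")[0].strip()
    return secure, addr


def authenticate(req: Request, mode: str, honour_forwarded: bool) -> tuple[str, str]:
    """Return ("OK", "") or ("FAILED", warning) in the spirit of the adapter's log line."""
    secure, addr = effective_view(req, honour_forwarded)
    if not secure and ssl_required_for(mode, addr):
        msg = (f"SSL is required to authenticate. Remote address {addr} "
               f"is secure: {str(secure).lower()}, SSL required for: {mode.upper()}")
        return "FAILED", msg
    return "OK", ""


# Constructed stand-in for the quoted setup: nginx terminated TLS and forwarded
# plain HTTP. 203.0.113.10 is a documentation address standing in for <server ip>;
# 198.51.100.42 stands in for the real browser client.
REPORTED_REQUEST = Request(
    scheme="http",
    remote_addr="203.0.113.10",
    headers={"X-Forwarded-Proto": "https", "X-Forwarded-For": "198.51.100.42"},
)


if __name__ == "__main__":
    for honour in (False, True):
        outcome, msg = authenticate(REPORTED_REQUEST, "external", honour)
        print(f"honour_forwarded={honour}: {outcome} {msg}")
    # A peer on a private Docker bridge address never triggers EXTERNAL.
    print("172.17.0.1 local?", is_local("172.17.0.1"))
```

Note that the quoted CLI batch (redirect-socket, proxy-address-forwarding) configures the Keycloak server's Undertow listener; the adapter evaluates ssl-required inside the API's own Jetty, which needs its own forwarded-header handling (in Jetty 9.3 that is the `ForwardedRequestCustomizer` on the `HttpConfiguration`, a detail the page does not cover). Setting ssl-required to none makes the check disappear, which matches the reporter's observation, but it also removes the protection the setting exists for.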
