[keycloak-user] HTTP status 400 from Tomcat after successful login

Luis Rodríguez Fernández uo67113 at gmail.com
Mon Dec 10 10:16:30 EST 2018


Hello Timo,

You have a couple of options:

- Use https in your Apache mod_proxy configuration (ProxyPass /app https://...).
This implies having SSLProxyEngine on, with SSLProxyCACertificateFile
pointing to your CA certificate. See the mod_ssl docs for more details on
this [1]. For a PROD installation that would be my preferred option.

- For testing quickly you can always try to cheat Keycloak by adding
scheme="https" to your HTTP connector in Tomcat [2]. I do this myself for
cheating the SAML adapter ;) [3]

Hope it helps,

Luis

[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyengine
[2] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
[3] https://github.com/keycloak/keycloak/blob/79774d2f0730593d504072aaabb1b87d77e3968c/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java#L175



On Mon, 10 Dec 2018 at 12:39, Timo Kockert (<timo.kockert at codecentric.de>) wrote:

> Hello Luis,
>
> thanks for your reply!
>
> I was able to get a step further... I think.
>
> I added "ProxyPreserveHost On" to the VHost configuration. Now
> Keycloak redirects me to http://my-domain.tld/app (http without s)
> after the login. Something (I haven't figured out whether it's the HTTP
> Server or the Tomcat) redirects from HTTP to HTTPS after which the
> Tomcat returns 403 and prints the following message to the log:
>
> {"error":"invalid_grant","error_description":"Incorrect redirect_uri"}
>
> I guess the problem is the redirect to HTTP instead of HTTPS? I tried
> adding
>
> RequestHeader set X-Forwarded-Proto "https"
>
> to the VHost configuration but that didn't help. Any further advice?
>
> Btw, I didn't write the initial VHost configuration,
> "ProxyPassReverseCookiePath" was there when I started working on it.
> Probably from some template.
>
> Thanks in advance
> Timo
>
>
> On Mon, 10 Dec 2018 at 09:42, Luis Rodríguez Fernández
> <uo67113 at gmail.com> wrote:
> >
> > Hello Timo,
> >
> > Perhaps enabling Tomcat access logging [1] can help you to debug this
> > issue.
> > You can compare the request with mod_proxy with the one without.
> >
> > Out of curiosity: why do you need to set ProxyPassReverseCookiePath / /app/ ?
> >
> > Hope it helps,
> >
> > Luis
> >
> > [1] https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
> >
> > On Sun, 9 Dec 2018 at 10:22, Timo Kockert (<timo.kockert at codecentric.de>)
> > wrote:
> >
> > > Hello everyone,
> > >
> > > I have configured a web application, that is running in Tomcat, to
> > > authenticate users with Keycloak. Everything is running fine if I
> > > deploy the app to my local Tomcat, even when using the remote Keycloak
> > > instance.
> > >
> > > However, when I deploy the app to another Tomcat running behind an
> > > Apache HTTP Server, the following happens:
> > >
> > > * When I navigate to https://my-domain.tld/app I get redirected to the
> > > Keycloak login
> > > * After I log in successfully, Keycloak redirects me to
> > > <IP>:<PORT>/app of the Tomcat
> > > * The Tomcat answers with HTTP status 400
> > >
> > > My keycloak.json looks like this:
> > >
> > > {
> > >   "realm": "cdb_test",
> > >   "auth-server-url": "https://keycloak-server.tld/auth",
> > >   "ssl-required": "external",
> > >   "resource": "cdb_test",
> > >   "public-client": true
> > > }
> > >
> > > The VHost is configured like this:
> > >
> > > ProxyPass /app http://<IP>:<PORT>/app/
> > > ProxyPassReverse /app http://<IP>:<PORT>/app/
> > > ProxyPassReverseCookiePath / /app/
> > >
> > > I turned on debug logging for the Keycloak Tomcat adapter, see attachment.
> > >
> > > Any advice?
> > >
> > > Thanks in advance
> > > Timo
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > --
> >
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> >
> > - Samuel Beckett
>
>
>
> --
>
> Timo Kockert | Senior Software Engineer
>
> codecentric AG | dock14 | Am Mittelhafen 14 | 48155 Münster | Germany
> mobile: +49 151 1086 7040
> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de |
> www.more4fi.de
>
> Registered office: Solingen | HRB 25917 | Wuppertal District Court
> Management Board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
> Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz
>
> This e-mail, including any attached files, contains confidential and/or
> legally protected information. If you are not the intended recipient or
> have received this e-mail in error, please inform the sender immediately
> and delete this e-mail and any attached files without delay. Unauthorized
> copying, use or opening of any attached files, as well as unauthorized
> forwarding of this e-mail, is not permitted.
>



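A Tomcat conf/server.xml fragment that puts Luis's quick-test option (scheme="https" on the connector) next to his earlier access-logging suggestion, as an added example that is not from the thread. It also goes one step beyond the thread: the RemoteIpValve is what makes Tomcat honour the X-Forwarded-Proto header Timo set in Apache (Tomcat ignores that header without it), and it only trusts the header from the proxy addresses listed in internalProxies. The port 8080, the hostname my-domain.tld and the proxy address 10.0.0.5 are placeholders.

```xml
<!-- Added example for Tomcat's conf/server.xml; not from the thread.
     Placeholders: 8080, my-domain.tld, 10.0.0.5 (the Apache proxy's address). -->
<Service name="Catalina">

  <!-- Option from the thread (quick test): declare that every request on this
       connector arrived over https, so the Keycloak adapter builds a
       https://my-domain.tld/... redirect_uri instead of http://<IP>:<PORT>/...
       proxyName/proxyPort replace the backend host:port in generated URLs.
       Use either this or the RemoteIpValve below, not both. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https" secure="true"
             proxyName="my-domain.tld" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

      <!-- Alternative: let the proxy decide per request. Apache sets
           "RequestHeader set X-Forwarded-Proto https" (as Timo did) and, with
           ProxyPreserveHost On, passes the public Host header. The valve only
           believes X-Forwarded-* headers when the connection comes from an
           address matching internalProxies, so a client that reaches Tomcat
           directly cannot pretend its request was https. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="10\.0\.0\.5"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpServerPort="80"
             httpsServerPort="443" />

      <!-- Luis's first suggestion: log what Tomcat actually received, so a
           request through mod_proxy can be compared with a direct one.
           requestAttributesEnabled makes %h/%p reflect the values resolved by
           RemoteIpValve; the last two fields show the Host and
           X-Forwarded-Proto headers as Tomcat saw them. -->
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="localhost_access_log" suffix=".txt"
             requestAttributesEnabled="true"
             pattern="%h %l %u %t &quot;%r&quot; %s %b %{Host}i %{X-Forwarded-Proto}i" />
    </Host>
  </Engine>
</Service>
```

After restarting Tomcat, the access log should show the Host as my-domain.tld and X-Forwarded-Proto as https for requests that came through Apache; if the redirect_uri is still http, the request reached Tomcat without those headers.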

