[keycloak-user] Reverse Proxy issue

Henning Waack henning.waack at codecentric.de
Mon Jul 2 03:54:27 EDT 2018


Hi.

Using KC 4.0.0 behind an Apache httpd proxy with SSL termination, I have the
issue that KC is returning redirect URIs with http instead of https.

I have configured KC's standalone.xml as follows:

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <!--<http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true" enable-http2="true"/>-->
        <http-listener name="default" socket-binding="http" redirect-socket="https-proxy" proxy-address-forwarding="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        ....
</subsystem>
...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="https-proxy" port="443"/>
    ...
</socket-binding-group>

I have enabled the undertow request logging filter, thus seeing that the
X-Forwarded-Proto, -For and Host headers are correctly set, but KC is still
returning the wrong redirect location, using http instead of https:

2018-07-02 09:31:06,785 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) there
was no code
2018-07-02 09:31:06,785 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2)
redirecting to auth server
2018-07-02 09:31:06,786 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) callback
uri: https://nak.xxx.com/auskunftssystem/sso/login
2018-07-02 09:31:06,791 DEBUG
[org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter]
(default task-2) Auth outcome: NOT_ATTEMPTED
2018-07-02 09:31:06,792 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) Sending
redirect to login page:
http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
2018-07-02 09:31:06,796 DEBUG
[org.springframework.security.web.context.HttpSessionSecurityContextRepository]
(default task-2) SecurityContext is empty or contents are anonymous -
context will not be stored in HttpSession.
2018-07-02 09:31:06,796 DEBUG
[org.springframework.security.web.context.SecurityContextPersistenceFilter]
(default task-2) SecurityContextHolder now cleared, as request processing
completed
2018-07-02 09:31:06,802 INFO  [io.undertow.request.dump] (default task-2)
----------------------------REQUEST---------------------------
               URI=/auskunftssystem/sso/login
 characterEncoding=null
     contentLength=-1
       contentType=null
            cookie=JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak

cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f

header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            header=Accept-Language=de,en-US;q=0.7,en;q=0.3
            header=Accept-Encoding=gzip, deflate, br
            header=DNT=1
            header=X-Forwarded-Server=nak.xxx.com,
p4FD27CDE.dip0.t-ipconnect.de
            header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13;
rv:60.0) Gecko/20100101 Firefox/60.0
            header=Connection=Keep-Alive
            header=X-Forwarded-Proto=https
            header=X-Forwarded-For=21.32.236.47, 10.10.66.56

header=Cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f;
JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
            header=Upgrade-Insecure-Requests=1
            header=Host=nak.xxx.com
            header=X-Forwarded-Host=nak.xxx.com, nak.xxx.com
            locale=[de, en_US, en]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=87.167.236.47:0
        remoteHost=87.167.236.47
            scheme=https
              host=nak.xxx.com
        serverPort=0
--------------------------RESPONSE--------------------------
     contentLength=-1
       contentType=null

cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2;
domain=null; path=null
            header=Expires=0
            header=Cache-Control=no-cache, no-store, max-age=0,
must-revalidate

header=Set-Cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2;
secure; HttpOnly
            header=X-XSS-Protection=1; mode=block
            header=Pragma=no-cache
            header=Location=
http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
            header=X-Frame-Options=DENY
            header=Date=Mon, 02 Jul 2018 07:31:06 GMT
            header=Connection=keep-alive
            header=X-Content-Type-Options=nosniff
            header=Strict-Transport-Security=max-age=31536000 ;
includeSubDomains
            header=Transfer-Encoding=chunked
            status=302
==============================================================
2018-07-02 09:31:07,643 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-3) new
JtaTransactionWrapper

Any idea why KC is returning http instead of https? Am I still missing some
header?

Thanks & greetings

Henning
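The request dump in the post contains everything needed to spot this class of problem mechanically: the proxy's X-Forwarded-Proto / X-Forwarded-Host on the request and the Location header on the 302 response. The following is an added example (not Keycloak, Undertow or the poster's code) that parses an io.undertow.request.dump block, rejoins the wrapped Location value, and reports a redirect whose scheme or host disagrees with what the TLS-terminating proxy announced. The sample dump is constructed and modelled on the one above; hostnames, paths and client ids are placeholders.

```python
"""Audit an Undertow request dump (io.undertow.request.dump output) for 3xx
responses whose Location scheme contradicts the scheme the TLS-terminating
proxy announced in X-Forwarded-Proto.  Added example; not project code."""
import re
from urllib.parse import urlsplit

# A dump line of the form key=value (header lines are 'header=Name=Value').
KEY_LINE = re.compile(r"^([A-Za-z][\w-]*)=(.*)$")

# Constructed sample modelled on the dump in the post: placeholder host,
# paths and ids; the Location value is wrapped onto the next line as in
# the original output.
SAMPLE_DUMP = """\
----------------------------REQUEST---------------------------
               URI=/app/sso/login
            header=Host=sso.example.test
            header=X-Forwarded-Proto=https
            header=X-Forwarded-Host=sso.example.test, sso.example.test
            header=X-Forwarded-For=203.0.113.10, 10.0.0.5
            method=GET
            scheme=https
--------------------------RESPONSE--------------------------
            header=Location=
http://sso.example.test/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=app
            header=Strict-Transport-Security=max-age=31536000 ;
includeSubDomains
            status=302
==============================================================
"""


def _new_section():
    return {"fields": {}, "headers": {}}


def parse_dump(text):
    """Split one dump into (request, response) dicts; header names are
    lower-cased.  A line that is not 'key=value' is treated as the wrapped
    continuation of the previous value, which is how the dump wraps long
    headers such as Location."""
    req, resp, section, last = _new_section(), _new_section(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") and "REQUEST" in line:
            section, last = req, None
            continue
        if line.startswith("-") and "RESPONSE" in line:
            section, last = resp, None
            continue
        if line.startswith("="):  # end-of-dump rule
            section, last = None, None
            continue
        if section is None:
            continue
        m = KEY_LINE.match(line)
        if m is None:
            if last is not None:  # continuation of a wrapped value
                store, key = last
                store[key] = line if not store[key] else store[key] + " " + line
            continue
        key, value = m.group(1), m.group(2)
        if key == "header":
            name, _, value = value.partition("=")
            store, key = section["headers"], name.lower()
        else:
            store = section["fields"]
        store[key] = value
        last = (store, key)
    return req, resp


def check_forwarded_scheme(req, resp):
    """Return findings (strings) for a redirect that disagrees with the
    proxy's forwarded scheme or host; an empty list means it is consistent."""
    findings = []
    status = resp["fields"].get("status", "")
    location = resp["headers"].get("location", "")
    if not status.startswith("3") or not location:
        return findings
    loc = urlsplit(location)
    # X-Forwarded-* may carry a hop chain; the first element is the client-facing hop.
    fwd_proto = req["headers"].get("x-forwarded-proto", "").split(",")[0].strip()
    fwd_host = req["headers"].get("x-forwarded-host", "").split(",")[0].strip()
    if fwd_proto and loc.scheme and loc.scheme != fwd_proto:
        findings.append(f"Location uses {loc.scheme}:// but the proxy sent X-Forwarded-Proto={fwd_proto}")
    if fwd_host and loc.netloc and loc.netloc != fwd_host:
        findings.append(f"Location host {loc.netloc} differs from X-Forwarded-Host {fwd_host}")
    if loc.scheme == "http" and "strict-transport-security" in resp["headers"]:
        findings.append("plaintext redirect on a response that also sets Strict-Transport-Security: "
                        "clients that already know the HSTS policy upgrade it, first-time clients do not")
    return findings


def audit(text):
    """Parse one dump and return the list of findings for it."""
    req, resp = parse_dump(text)
    return check_forwarded_scheme(req, resp)


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP) or ["redirect consistent with forwarded headers"]:
        print(finding)
```

Feed it a real dump block captured with the request-dumping handler enabled and it flags the http:// Location while the request carried X-Forwarded-Proto=https. Note that in the dump above the 302 is logged by org.keycloak.adapters.OAuthRequestAuthenticator, the application-side adapter, so the check is worth running against the application's responses as well as the server's. The HSTS finding is the reason such a misconfiguration can go unnoticed: a browser that has already seen the Strict-Transport-Security policy for the host silently upgrades the plaintext redirect, while a first-time client follows it over http.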

