[keycloak-user] Could not obtain grant code: 401:Unauthorized on access to protected url behind reverse proxy

Roman O warrior7089 at gmail.com
Sun Oct 7 11:00:56 EDT 2018


Hi, would be happy if you can help me.

I'm trying to access a url protected by Keycloak - */hello* - in the browser.
The url is served by the node.js app. This error is thrown by the following
code
<https://github.com/keycloak/keycloak-nodejs-connect/blob/54815e742a931fe6f750a4a024c37ccc4d4fdc43/middleware/post-auth.js#L53>
:

after the following sequence of actions:

1) adding client and user to the Keycloak master realm

2) protecting express node.js app's url:

var Keycloak = require('keycloak-connect');
var session = require('express-session');

// Keycloak adapter configuration for the public client "test_ui"
let kcConfig = {
    clientId: 'test_ui',
    // secret : "d31c4718-12e9-407b-9bf2-cb72734a23f0",
    public: true,
    serverUrl: 'https://127.0.0.1/auth',
    resource: "test_ui",
    realm: 'master'
};

// The same session store is shared by express-session and keycloak-connect
var memoryStore = new session.MemoryStore();
var keycloak = new Keycloak({ store: memoryStore }, kcConfig);

this.app.use(session({
    secret: 'mySecret',
    // resave: false,
    // saveUninitialized: true,
    store: memoryStore
}));
this.app.use(keycloak.middleware());
// Only authenticated users may reach /hello
this.app.get('/hello', keycloak.protect());

3) accessing the protected url in the browser, being redirected to Keycloak
login screen, authenticating... then the error is popped.

The following sequence of requests is seen in the wireshark:

/auth/realms/master/protocol/openid-connect/auth?client_id=test_ui&state=504b250d-8616-4685-8c8d-5032713c883a&redirect_uri=https://127.0.0.1/hello/auth_callback&scope=openid&response_type=code

after the authentication in login screen:

/auth/realms/master/login-actions/authenticate?session_code=TwhsWxUig85PFHfiv-31OTHQl3aApD6z0lMdOr8hgDc&execution=d58a2cad-2be2-4797-b35a-d7b606945b14&client_id=test_ui&tab_id=ywQfz51qnM0

I thought about adding sslRequired: "none" to kcConfig, but doing so seems to
have no effect. Also tried to use a confidential client instead of the public
one, to no avail.

*package.json* contents:

"express": "4.16.2",
"keycloak-connect": "4.3.0",
"express-session": "1.15.6"

Keycloak 4.3 is used.

What is the cause of the issue and how to fix this error?

*Update*

Added process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; to *node.js* app
following response
<http://lists.jboss.org/pipermail/keycloak-user/2018-April/013667.html> in
Keycloak mailing list and now getting error: Could not obtain grant code:
401:Unauthorized

I tried to use the example
<https://github.com/keycloak/keycloak-nodejs-connect/tree/54815e742a931fe6f750a4a024c37ccc4d4fdc43/example>.
It works without using the proxy (getting access token, etc...). But when
the same code is run behind reverse proxy, getting the same error as above.

Manually exchanging the authorization code extracted from the request which
results in error for token using PostMan works as well.

How to cause the example app to work behind a reverse proxy?

Regards
Thanks in advance.
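
Added example, not part of the original message and not keycloak-connect code: one check for a 401 at the code-for-token step behind a proxy is whether the redirect_uri the app would send in the token request still matches the one in the captured authorization request. The forwarded request shape, port 3000 and the X-Forwarded-* handling are assumptions made for illustration.

```javascript
// Added example: not code from the original post or from keycloak-connect.
// Authorization request exactly as captured in the post (path and query).
const CAPTURED_AUTH_REQUEST =
  '/auth/realms/master/protocol/openid-connect/auth?client_id=test_ui' +
  '&state=504b250d-8616-4685-8c8d-5032713c883a' +
  '&redirect_uri=https://127.0.0.1/hello/auth_callback' +
  '&scope=openid&response_type=code';

// Pull out the parameters the token request has to repeat.
function parseAuthRequest(pathAndQuery) {
  // The base is only needed so URL() can parse a relative reference.
  const q = new URL(pathAndQuery, 'https://base.invalid').searchParams;
  return { clientId: q.get('client_id'), redirectUri: q.get('redirect_uri'), state: q.get('state') };
}

// Assumption: the app rebuilds its callback URL from what it sees on the
// socket. trustProxy=false ignores X-Forwarded-* (Express's default).
function callbackSeenByApp(req, trustProxy) {
  const h = req.headers;
  const proto = (trustProxy && h['x-forwarded-proto']) || (req.tls ? 'https' : 'http');
  const host = (trustProxy && h['x-forwarded-host']) || h.host;
  return `${proto}://${host}${req.url}`;
}

// RFC 6749 section 4.1.3: redirect_uri in the token request must be identical
// to the one in the authorization request. Report which parts differ.
function redirectUriMismatch(authUri, tokenUri) {
  const a = new URL(authUri), b = new URL(tokenUri);
  return ['protocol', 'host', 'pathname', 'search'].filter((k) => a[k] !== b[k]);
}

// Form body of the code-for-token exchange for a public client.
function tokenRequestBody(code, clientId, redirectUri) {
  return new URLSearchParams({
    grant_type: 'authorization_code', code, client_id: clientId, redirect_uri: redirectUri,
  }).toString();
}

// Constructed request, as a TLS-terminating proxy might forward it to the app.
const forwarded = {
  tls: false,
  url: '/hello/auth_callback',
  headers: { host: '127.0.0.1:3000', 'x-forwarded-proto': 'https', 'x-forwarded-host': '127.0.0.1' },
};
const auth = parseAuthRequest(CAPTURED_AUTH_REQUEST);
for (const trust of [false, true]) {
  const seen = callbackSeenByApp(forwarded, trust);
  console.log({ trust, seen, differs: redirectUriMismatch(auth.redirectUri, seen) });
}
```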

