[keycloak-user] SSL load balancer causes problem on HTTP backend
Salih Gedik
sg at salih.xyz
Wed Apr 10 10:32:40 EDT 2019
Hello community,
We have an application that uses Keycloak starters and service itself is running on Spring Boot 2. However when requested through load balancers it fails to authenticate. Backend servers themselves are not HTTPS and SSL load balancers are passing the traffic to backends insecure. I tried enabling ssl-required flag but this time it failed to redirect to correct page for login since backends are not SSL. I tried to override commenceLoginRedirect method on KeycloakAuthenticationEntryPoint which resolved the issue. But this time after successful login, redirection page fails to authenticate and returns 403.
I can see from the log that it says "Adapter requires SSL. Request: http://xx.yyy.zzzz.local" Which request endpoint should be https://xx instead of http? Here is the log message:
[http-nio-8080-exec-7] DEBUG o.k.a.OAuthRequestAuthenticator - there was a code, resolving
[http-nio-8080-exec-7] ERROR o.k.a.OAuthRequestAuthenticator - Adapter requires SSL. Request: http://xx.yyy.zzzz.local/sso/login?state=abcdef&code=uss.BRA-eewrerrew.8ddaea7f-erewererw-65e2d6aa381ad
[http-nio-8080-exec-7] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Auth outcome: FAILED
[http-nio-8080-exec-7] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
I would really appreciate if you guys have any idea/suggestion about this?
Thank you
--
More information about the keycloak-user
mailing list