[keycloak-user] Keycloak gatekeeper issue

Ronald Demneri ronald.demneri at amdtia.com
Fri Feb 15 07:58:40 EST 2019


I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I can upgrade Keycloak.


Thanks in advance,
Ronald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Ronald Demneri
Sent: 15.Feb.2019 1:41 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak gatekeeper issue

Hi all,

I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:

./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"

The config file is as follows:

discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
  roles:
  - admin

In the logs I receive the following upon a successful login:

{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}

And of course, I am not redirected back to the requested URL.

I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback

Any hints?

Thanks in advance,
Ronald
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
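As an added example (not from the original post and not part of the keycloak-gatekeeper project), the Python script below parses gatekeeper's JSON log output like the lines quoted above, copes with the paste where two objects share one line, and pairs each 403 on /oauth/callback with the login redirect that preceded it for the same client, reporting how long after the redirect the token was rejected. The sample log is constructed from the quoted lines; field names and paths are those shown in the post.

```python
import json
from collections import defaultdict

# Constructed sample modelled on the gatekeeper JSON log lines quoted in the
# post; like the original paste, two objects sometimes share one line.
SAMPLE_LOG = """\
{"level":"error","ts":1550234109.97,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"} {"level":"info","ts":1550234109.97,"msg":"client request","status":307,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"info","ts":1550234110.01,"msg":"client request","status":307,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.06,"msg":"unable to verify the id token","error":"the access token has expired"} {"level":"info","ts":1550234127.06,"msg":"client request","status":403,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
"""

_decoder = json.JSONDecoder()

def parse_events(text):
    """Yield every JSON object, even when several were written on one line."""
    for line in text.splitlines():
        line, pos = line.strip(), 0
        while pos < len(line):
            obj, pos = _decoder.raw_decode(line, pos)
            yield obj
            while pos < len(line) and line[pos].isspace():  # gap between objects
                pos += 1

def failed_logins(text):
    """Return {client_ip: [(seconds_since_authorize_redirect, reason)]}.

    Gatekeeper writes the verification error (which carries no client_ip)
    immediately before the 403 access-log entry for /oauth/callback, so the two
    are paired by adjacency; the 307 to /oauth/authorize for the same client
    marks the start of that login attempt.
    """
    started = {}          # client_ip -> ts of its /oauth/authorize redirect
    pending_error = None
    failures = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("level") == "error" and ev.get("msg") == "unable to verify the id token":
            pending_error = ev.get("error")
            continue
        ip = ev.get("client_ip", "").rsplit(":", 1)[0]
        if ev.get("path") == "/oauth/authorize" and ev.get("status") == 307:
            started[ip] = ev["ts"]
        elif ev.get("path") == "/oauth/callback" and ev.get("status") == 403:
            elapsed = round(ev["ts"] - started.get(ip, ev["ts"]), 2)
            # A token reported expired only seconds after the login began is
            # worth checking against the gatekeeper host's clock versus Keycloak's.
            failures[ip].append((elapsed, pending_error or "unknown"))
        pending_error = None
    return dict(failures)

if __name__ == "__main__":
    for ip, events in failed_logins(SAMPLE_LOG).items():
        for elapsed, reason in events:
            print(f"{ip}: callback rejected {elapsed}s after redirect: {reason}")
```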