[keycloak-user] Keycloak gatekeeper issue

Sebastien Blanc sblanc at redhat.com
Thu Mar 7 01:47:52 EST 2019


Hi,

How do you generate your initial token?
From the logs, it looks like it's already expired when you send it to the
Gatekeeper.

On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri
<ronald.demneri at amdtia.com> wrote:
>
> Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment?
>
>
> Regards,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri <ronald.demneri at amdtia.com>
> Sent: 15.Feb.2019 1:59 PM
> To: Ronald Demneri <ronald.demneri at amdtia.com>; keycloak-user at lists.jboss.org
> Subject: RE: Keycloak gatekeeper issue
>
> I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak.
>
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Ronald Demneri
> Sent: 15.Feb.2019 1:41 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Keycloak gatekeeper issue
>
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
>   roles:
>   - admin
>
> In the logs I receive the following upon a successful login:
>
> {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
> {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
> {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
> {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
> {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
> {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
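One way to check whether a token is already expired when Gatekeeper receives it, as the reply suggests, is to compare its `exp` and `iat` claims with the clock of the verifying host. This is an added example, not part of the original thread and not Gatekeeper's code; the token and its claim values are constructed, `diagnose` and its report fields are hypothetical names, and only the timestamp comes from the `/oauth/callback` error line in the quoted log. It goes slightly beyond the thread by also reporting a token whose `iat` lies in the verifier's future.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def diagnose(token: str, verifier_now: float, leeway: float = 0.0) -> dict:
    """Compare exp/iat with the verifier's clock (epoch seconds); hypothetical helper."""
    claims = decode_claims(token)
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        raise ValueError("token has no exp claim")
    report = {
        "lifetime": exp - iat if iat is not None else None,   # seconds granted by the issuer
        "seconds_left": exp - verifier_now,                   # negative means past expiry
        "age_at_verifier": verifier_now - iat if iat is not None else None,
    }
    if verifier_now > exp + leeway:
        report["verdict"] = "expired"
    elif iat is not None and iat > verifier_now + leeway:
        report["verdict"] = "issued-in-future"
    else:
        report["verdict"] = "valid"
    return report

def make_sample_token(claims: dict) -> str:
    # Builds an unsigned stand-in token; "c2ln" is a placeholder signature segment.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed sample claims (assumed 60-second lifetime); not taken from the thread.
SAMPLE_CLAIMS = {"iss": "https://keycloak/auth/realms/master", "aud": "gatekeeper",
                 "iat": 1550234050, "exp": 1550234110}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)
CALLBACK_TS = 1550234127.0692794  # "ts" of the "unable to verify the id token" log entry

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, CALLBACK_TS))
```

Run it on the host that performs the verification, passing that host's current time, so the comparison uses the same clock Gatekeeper does.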


