[keycloak-user] Keycloak gatekeeper issue

Bruno Oliveira bruno at abstractj.org
Thu Mar 7 18:51:35 EST 2019


Hi Ronald, one of the possible reasons for getting this message is the
way you configured the redirect URL on the Keycloak server.

Maybe that's the case?

On 2019-02-15, Ronald Demneri wrote:
> Hi all,
> 
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
> 
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"
> 
> The config file is as follows:
> 
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> # redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
>   roles:
>   - admin
> 
> In the logs I receive the following upon a successful login:
> 
> {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
> {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
> {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
> {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
> {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
> {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
> 
> And of course, I am not redirected back to the requested URL.
> 
> I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback
> 
> Any hints?
> 
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 

abstractj
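
The hint above is easy to check mechanically: gatekeeper always sends `<redirection-url>/oauth/callback` as the OIDC `redirect_uri`, and the value it actually used is visible in the `auth_url` field of its JSON logs. The script below is an added troubleshooting helper written for this thread, not part of keycloak-gatekeeper or Keycloak. It parses the log lines quoted above (embedded as sample input), extracts the `redirect_uri`, compares it with the configured `redirection-url` and with a list of URIs registered on the Keycloak client (a constructed input standing in for what you would copy from the admin console), flags the 403 on `/oauth/callback`, and reports how many seconds passed between the authorize redirect and the "access token has expired" error so that it can be compared with the realm's access-token lifespan.

```python
"""Cross-check a keycloak-gatekeeper redirection-url against the redirect_uri
the proxy actually sent to Keycloak, using the proxy's own JSON log lines.

Added helper for the thread above; not part of keycloak-gatekeeper.
"""
import json
from urllib.parse import parse_qs, urlparse

# Sample input constructed from the log lines quoted in the thread.
SAMPLE_LOG = '''
{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
'''

CALLBACK_PATH = "/oauth/callback"  # gatekeeper's fixed OIDC callback path


def expected_callback(redirection_url):
    """The redirect_uri gatekeeper derives from its redirection-url setting."""
    return redirection_url.rstrip("/") + CALLBACK_PATH


def parse_log(text):
    """Parse newline-delimited JSON log events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def redirect_uris_in_log(events):
    """Collect every redirect_uri that appears in a logged auth_url."""
    uris = set()
    for ev in events:
        auth_url = ev.get("auth_url")
        if not auth_url:
            continue
        query = parse_qs(urlparse(auth_url).query)
        uris.update(query.get("redirect_uri", []))
    return uris


def seconds_until_callback_error(events):
    """Elapsed seconds between the authorize redirect and the token error.

    Returns None when either event is missing. Compare the result with the
    realm's access-token lifespan: an 'expired' error long before that
    lifespan is up means the proxy's clock and Keycloak's clock disagree
    on when the token was issued.
    """
    start = next((ev["ts"] for ev in events
                  if ev.get("path") == "/oauth/authorize"), None)
    end = next((ev["ts"] for ev in events
                if ev.get("msg") == "unable to verify the id token"), None)
    if start is None or end is None:
        return None
    return end - start


def check_redirect(events, configured_redirection_url, registered_redirect_uris):
    """Return human-readable findings about the redirect configuration.

    registered_redirect_uris: the 'Valid Redirect URIs' of the Keycloak
    client, supplied by the operator (constructed input in the demo below).
    """
    findings = []
    expected = expected_callback(configured_redirection_url)
    for uri in sorted(redirect_uris_in_log(events)):
        if uri != expected:
            findings.append(
                f"logged redirect_uri {uri} differs from configured {expected}")
        if uri not in registered_redirect_uris:
            findings.append(
                f"redirect_uri {uri} is not registered on the Keycloak client")
    if any(ev.get("path") == CALLBACK_PATH and ev.get("status") == 403
           for ev in events):
        findings.append(
            "callback returned 403: the code exchange or token check failed")
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("redirect_uri values seen in log:", redirect_uris_in_log(events))
    registered = {"http://gatekeeper:80/oauth/callback"}  # constructed
    for finding in check_redirect(events, "http://gatekeeper:80", registered):
        print("-", finding)
    print("seconds from authorize redirect to token error:",
          seconds_until_callback_error(events))
```

Run against the thread's own log, the redirect_uri matches both the configuration and the registered URI, so the only redirect finding is the 403 on the callback; feeding the commented-out `http://10.253.6.41:3000` value instead produces the mismatch findings that Bruno's hint is about.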

