I am experiencing strange behavior with keycloak-spring-boot-starter. When my app tries to get the OIDC config from Keycloak ( '/auth/realms/{realm}/.well-known/openid-configuration' ), there is no 'User-Agent' header present in the request. This header is required for all requests coming through our AWS load balancer. If there is no 'User-Agent' header, the request is not forwarded to Keycloak. Therefore my application is not able to get the OIDC config from Keycloak and redirect me to login.
All other requests from my Spring Boot app to Keycloak contain a 'User-Agent' header; only the one mentioned above doesn't.
Please see the debug logs below. The first one doesn't contain a 'User-Agent' header, the second one does:
---------------------------------------------------------------------------------------------------
2022-01-26 15:58:07.233 DEBUG 20172 --- [io-30001-exec-1] o.a.h.i.c.t.ThreadSafeClientConnManager : Get connection: {s}->\\\my-host\\\, timeout = 0
2022-01-26 15:58:07.234 DEBUG 20172 --- [io-30001-exec-1] o.a.h.impl.conn.tsccm.ConnPoolByRoute : [{s}->\\\my-host\\\] total kept alive: 0, total issued: 0, total allocated: 0 out of 20
2022-01-26 15:58:07.234 DEBUG 20172 --- [io-30001-exec-1] o.a.h.impl.conn.tsccm.ConnPoolByRoute : No free connections [{s}->\\\my-host\\\][null]
2022-01-26 15:58:07.234 DEBUG 20172 --- [io-30001-exec-1] o.a.h.impl.conn.tsccm.ConnPoolByRoute : Available capacity: 20 out of 20 [{s}->\\\my-host\\\][null]
2022-01-26 15:58:07.234 DEBUG 20172 --- [io-30001-exec-1] o.a.h.impl.conn.tsccm.ConnPoolByRoute : Creating new connection [{s}->\\\my-host\\\]
2022-01-26 15:58:07.342 DEBUG 20172 --- [io-30001-exec-1] .a.h.i.c.DefaultClientConnectionOperator : Connecting to \\\my-host\\\
2022-01-26 15:58:07.747 DEBUG 20172 --- [io-30001-exec-1] o.a.h.client.protocol.RequestAddCookies : CookieSpec selected: compatibility
2022-01-26 15:58:07.748 DEBUG 20172 --- [io-30001-exec-1] o.a.h.client.protocol.RequestAuthCache : Auth cache not set in the context
2022-01-26 15:58:07.748 DEBUG 20172 --- [io-30001-exec-1] o.a.h.c.p.RequestTargetAuthentication : Target auth state: UNCHALLENGED
2022-01-26 15:58:07.748 DEBUG 20172 --- [io-30001-exec-1] o.a.h.c.p.RequestProxyAuthentication : Proxy auth state: UNCHALLENGED
2022-01-26 15:58:07.748 DEBUG 20172 --- [io-30001-exec-1] o.a.http.impl.client.DefaultHttpClient : Attempt 1 to execute request
2022-01-26 15:58:07.748 DEBUG 20172 --- [io-30001-exec-1] o.a.h.impl.conn.DefaultClientConnection : Sending request: GET /auth/realms/{my-realm}/.well-known/openid-configuration HTTP/1.1
2022-01-26 15:58:07.748 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.wire : >> "GET /auth/realms/{my-realm}/.well-known/openid-configuration HTTP/1.1[\r][\n]"
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.wire : >> "accept: application/json[\r][\n]"
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.wire : >> "Host: \\my-host\\[\r][\n]"
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.wire : >> "Connection: Keep-Alive[\r][\n]"
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.wire : >> "[\r][\n]"
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.headers : >> GET /auth/realms/{my-realm}/.well-known/openid-configuration HTTP/1.1
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.headers : >> accept: application/json
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.headers : >> Host: \\my-realm\\
2022-01-26 15:58:07.749 DEBUG 20172 --- [io-30001-exec-1] org.apache.http.headers : >> Connection: Keep-Alive
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
2022-01-26 16:01:52.785 DEBUG 20172 --- [io-30001-exec-3] h.i.c.PoolingHttpClientConnectionManager : Connection request: [route: {s}->\\my-host\\][total available: 0; route allocated: 0 of 10; total allocated: 0 of 10]
2022-01-26 16:01:52.789 DEBUG 20172 --- [io-30001-exec-3] h.i.c.PoolingHttpClientConnectionManager : Connection leased: [id: 0][route: {s}->--my-host\\][total available: 0; route allocated: 1 of 10; total allocated: 1 of 10]
2022-01-26 16:01:52.790 DEBUG 20172 --- [io-30001-exec-3] o.a.http.impl.execchain.MainClientExec : Opening connection {s}->\\my-host\\
2022-01-26 16:01:52.886 DEBUG 20172 --- [io-30001-exec-3] .i.c.DefaultHttpClientConnectionOperator : Connecting to \\my-host\\
2022-01-26 16:01:52.886 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : Connecting socket to \\my-host\\ with timeout 0
2022-01-26 16:01:52.942 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : Enabled protocols: [TLSv1.3, TLSv1.2]
2022-01-26 16:01:52.942 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2022-01-26 16:01:52.942 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : Starting handshake
2022-01-26 16:01:53.079 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : Secure session established
2022-01-26 16:01:53.079 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : negotiated protocol: TLSv1.2
2022-01-26 16:01:53.079 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2022-01-26 16:01:53.079 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : peer principal: CN=\\my-host\\
2022-01-26 16:01:53.079 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : peer alternative names: [\\my-host]
2022-01-26 16:01:53.080 DEBUG 20172 --- [io-30001-exec-3] o.a.h.c.ssl.SSLConnectionSocketFactory : issuer principal: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
2022-01-26 16:01:53.081 DEBUG 20172 --- [io-30001-exec-3] .i.c.DefaultHttpClientConnectionOperator : Connection established 10.240.37.130:58090<->10.91.48.150:443
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] o.a.http.impl.execchain.MainClientExec : Executing request POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] o.a.http.impl.execchain.MainClientExec : Target auth state: UNCHALLENGED
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] o.a.http.impl.execchain.MainClientExec : Proxy auth state: UNCHALLENGED
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> Accept: application/json
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> Content-Type: application/x-www-form-urlencoded
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> Content-Length: 79
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> Host: \\my-host\\
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> Connection: Keep-Alive
2022-01-26 16:01:53.082 DEBUG 20172 --- [io-30001-exec-3] org.apache.http.headers : http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.13)
---------------------------------------------------------------------------------------------------
I would expect uniform behavior for all requests towards Keycloak. Is this behavior expected from your side? Can you also enrich the OIDC discovery request with a 'User-Agent' header? Or propose some workaround on my side to add it to this request?
Thanks for your support.
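One client-side way to guarantee the header, shown here as an added example that is not part of the issue report and not Keycloak's or the adapter's own code: an Apache HttpClient 4 `HttpRequestInterceptor` that adds `User-Agent` only when the request does not already carry one, so the token request in the second log (which already sends `Apache-HttpClient/4.5.13 ...`) is left untouched while the discovery request in the first log gets one. Both client stacks visible in the logs are covered: the `HttpClients.custom()` builder behind the second log and the legacy `DefaultHttpClient` / `ThreadSafeClientConnManager` pair behind the first. The user-agent string `my-spring-app/1.0` and the discovery URL in `main` are constructed placeholders, and the assumption that your configuration gives you a place to construct the `HttpClient` the adapter uses is exactly that: an assumption to verify against the adapter version you run, since the issue does not show how the adapter builds its client.

```java
import java.io.IOException;

import org.apache.http.HttpException;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.protocol.HttpContext;

/**
 * Request interceptor that guarantees a User-Agent header on every outgoing
 * request without clobbering one the client already set. Added example, not
 * part of the issue or of the Keycloak adapter.
 */
public final class EnsureUserAgentInterceptor implements HttpRequestInterceptor {

    private final String userAgent;

    public EnsureUserAgentInterceptor(String userAgent) {
        if (userAgent == null || userAgent.isEmpty()) {
            throw new IllegalArgumentException("userAgent must not be empty");
        }
        this.userAgent = userAgent;
    }

    @Override
    public void process(HttpRequest request, HttpContext context)
            throws HttpException, IOException {
        // Fill the gap only; an existing User-Agent (as in the token request) is kept.
        if (!request.containsHeader(HttpHeaders.USER_AGENT)) {
            request.addHeader(HttpHeaders.USER_AGENT, userAgent);
        }
    }

    /** HttpClient 4.3+ builder path (the PoolingHttpClientConnectionManager stack in the second log). */
    public static CloseableHttpClient modernClient(String userAgent) {
        return HttpClients.custom()
                // Run after the built-in interceptors so the final header set is what we inspect.
                .addInterceptorLast(new EnsureUserAgentInterceptor(userAgent))
                .build();
    }

    /** Legacy DefaultHttpClient path (the ThreadSafeClientConnManager stack in the first log). */
    @SuppressWarnings("deprecation")
    public static DefaultHttpClient legacyClient(String userAgent) {
        DefaultHttpClient client = new DefaultHttpClient(new ThreadSafeClientConnManager());
        client.addRequestInterceptor(new EnsureUserAgentInterceptor(userAgent));
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; replace with your own UA string and Keycloak base URL.
        String ua = "my-spring-app/1.0";
        String discoveryUrl =
                "https://my-host/auth/realms/my-realm/.well-known/openid-configuration";
        try (CloseableHttpClient client = modernClient(ua)) {
            HttpGet get = new HttpGet(discoveryUrl);
            // With org.apache.http.wire logging at DEBUG, the request line is now followed by
            // a User-Agent line alongside Accept, Host and Connection.
            client.execute(get).close();
        }
    }
}
```

The interceptor is the safer option compared with unconditionally calling `request.setHeader(...)`: it never overrides a user agent the adapter or library deliberately set, so the change is limited to exactly the requests that would otherwise be dropped at the load balancer. Re-run with `org.apache.http.wire` and `org.apache.http.headers` at DEBUG, as in the logs above, to confirm the discovery request now carries the header before it reaches the AWS load balancer.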