Elytron OIDC behind reverse proxy


milad bourhani
Jun 27, 2023, 2:19:48 PM
to WildFly
Hi,

I have an app on WildFly 28.0.1.Final that I want to protect using Elytron OIDC, and my requirement is to have both the app and the OIDC server (Keycloak 22.1.1) sit behind a TLS-enabled reverse proxy (Apache HTTPD). Note that the behaviour is the same on WildFly 27.0.1.Final.

Here's my (final) standalone.xml configuration:

```xml
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <secure-deployment name="myapp.war">
        <provider-url>https://localhost/auth/realms/my-app-realm</provider-url>
        <ssl-required>ALL</ssl-required>
        <confidential-port>443</confidential-port>
        <principal-attribute>preferred_username</principal-attribute>
        <client-id>my-app-oidc-client</client-id>
        <credential name="secret" secret="0B45EHhYFP1pyTlbhYcUyNJdpopkXrrd"/>
    </secure-deployment>
</subsystem>
```

Here's how I spin up Keycloak:

```shell
$ docker run --name keycloak-rev-proxy -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
  -p 8180:8080 quay.io/keycloak/keycloak:21.1.1 start \
  --proxy edge --http-relative-path=/auth --hostname-strict=false --hostname-url=https://localhost/auth
```

Here's my Apache configuration:

```apache
<Location /auth>
  ProxyPass http://host.docker.internal:8180/auth
  ProxyPassReverse http://host.docker.internal:8180/auth
</Location>

<Location /myapp>
  ProxyPass http://host.docker.internal:8080/myapp
  ProxyPassReverse http://host.docker.internal:8080/myapp
  ProxyPreserveHost On
</Location>
```

To explain the configuration above, the following two pieces of configuration have been added to overcome other issues that had occurred without them:
  • `ProxyPreserveHost On` in the Apache configuration - this I've added first; without it, I was getting a `redirect_uri` of `https://host.docker.internal:0/myapp`
  • `confidential-port="443"` in the `standalone.xml` OIDC configuration - I've added this last, to remove the zero port in the `redirect_uri`
After these two additions, the `redirect_uri` is correct: `https://localhost/myapp`.

However, when I access the app at https://localhost/my-app, I get this error in the WildFly log, although I'm accessing, and I'm redirected to, an HTTPS URL (note that the log prints an `http` request instead):

```
12:14:34,777 ERROR [org.wildfly.security.http.oidc] (default task-1) SSL required. Request: http://localhost/myapp?state=bb41ee4f-7511-43ef-bd56-58a05539778d&session_state=05dc372c-74ac-4077-a7e4-40dad8760d0d&code=5ebec7b0-800c-48c0-9ef4-6d84f451c464.05dc372c-74ac-4077-a7e4-40dad8760d0d.53446e07-7475-429e-aec3-eea2b8387ef6
```

Note that no request with the `http` protocol ever leaves my browser, they're all `https`.

I'm also attaching a self-contained application that walks through every detail contained here and reproduces the error.

In general, I'd also be interested in knowing if there's a better / simpler way to achieve what I'm after, which is having both WildFly and Keycloak behind a reverse proxy, and have them talk to each other.

Thank you in advance,
Milad
Attachment: wildfly-oidc-revproxy.zip

milad bourhani
Jun 28, 2023, 7:16:24 AM
to WildFly
Just for the record, I was able to fix the issue by adding this to the Apache config:

```apache
RequestHeader set X-Forwarded-Proto "https"
```

and adding this to the standalone.xml file:

```xml
<http-listener name="default" ... proxy-address-forwarding="true" />
```

These are no longer necessary:
  • ProxyPreserveHost On
  • confidential-port="443"
Cheers,
Milad
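The two posts above describe the same mechanism from both sides: the backend only ever sees a plain `http` hop from Apache, so it has to learn the browser-facing scheme from `X-Forwarded-Proto`, and `proxy-address-forwarding="true"` is what makes the listener honour that header. The script below is an added example (not code from the thread, from WildFly/Undertow or from Elytron) that models this reconstruction in simplified form: it derives the effective URL from the backend hop plus the `X-Forwarded-*` headers, and applies the `ssl-required=ALL` check to the result. The `trusted_proxies` set is a modelling assumption to show why forwarded headers must only be honoured from the proxy itself; in a real deployment the equivalent control is making sure the backend listener is reachable only from the proxy, since `RequestHeader set` overwrites whatever the client sent but a client that reaches the backend directly bypasses Apache entirely. All addresses and requests are constructed.

```python
# Added example: a simplified model of proxy-aware URL reconstruction and the
# OIDC "SSL required" check. Not WildFly/Undertow code; the trusted-proxy
# check is an assumption made for illustration.
from dataclasses import dataclass, field

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """A request as the application server (the proxy's backend) sees it."""
    scheme: str                       # scheme of the proxy -> backend hop
    host: str                         # Host header the backend received
    port: int                         # port the backend listener accepted on
    path: str
    remote_addr: str                  # peer that opened the backend connection
    headers: dict = field(default_factory=dict)

    def header(self, name: str, default=None):
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return default


def effective_url(req: Request, proxy_address_forwarding: bool,
                  trusted_proxies: frozenset) -> str:
    """Reconstruct the URL the browser actually used.

    X-Forwarded-* headers are honoured only when address forwarding is enabled
    AND the connection comes from a known proxy; otherwise any peer could claim
    to be on https, or to be any host it likes, by setting the headers itself.
    """
    scheme, host, port = req.scheme, req.host, req.port
    if proxy_address_forwarding and req.remote_addr in trusted_proxies:
        scheme = req.header("X-Forwarded-Proto", scheme).lower()
        host = req.header("X-Forwarded-Host", host)
        fwd_port = req.header("X-Forwarded-Port")
        # No explicit forwarded port: assume the default for the forwarded scheme.
        port = int(fwd_port) if fwd_port else DEFAULT_PORTS[scheme]
    host = host.split(":", 1)[0]      # drop any port carried inside Host
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}{req.path}"
    return f"{scheme}://{host}:{port}{req.path}"


def ssl_required_rejects(url: str) -> bool:
    """True when a client configured with <ssl-required>ALL</ssl-required>
    would log "SSL required" for this request: ALL means https for every request."""
    return not url.startswith("https://")


# Constructed addresses: the proxy's address as seen by the backend, and an
# unrelated client that reaches the backend directly.
PROXY = frozenset({"172.17.0.1"})
DIRECT_CLIENT = "203.0.113.9"

# Before the fix: Apache forwards over http and sends no X-Forwarded-Proto.
BEFORE = Request("http", "localhost", 8080, "/myapp", "172.17.0.1", {})
# After the fix: Apache sets X-Forwarded-Proto and the listener trusts it.
AFTER = Request("http", "localhost", 8080, "/myapp", "172.17.0.1",
                {"X-Forwarded-Proto": "https"})
# A peer bypassing the proxy and supplying the header itself.
SPOOFED = Request("http", "localhost", 8080, "/myapp", DIRECT_CLIENT,
                  {"X-Forwarded-Proto": "https"})


def scenario_results() -> dict:
    """Effective URL and SSL-required outcome for each constructed scenario."""
    cases = {
        "before": effective_url(BEFORE, proxy_address_forwarding=False, trusted_proxies=PROXY),
        "after": effective_url(AFTER, proxy_address_forwarding=True, trusted_proxies=PROXY),
        "spoofed": effective_url(SPOOFED, proxy_address_forwarding=True, trusted_proxies=PROXY),
    }
    return {name: (url, ssl_required_rejects(url)) for name, url in cases.items()}


if __name__ == "__main__":
    for name, (url, rejected) in scenario_results().items():
        print(f"{name:8s} {url:32s} SSL required error: {rejected}")
```

Running it prints the `before` case as `http://localhost:8080/myapp` with the SSL-required error raised, the `after` case as `https://localhost/myapp` with no error, and the `spoofed` case falling back to the real hop because the header came from an untrusted peer. The model deliberately does not reproduce `confidential-port` or the `:0` port seen in the first post; those came from the listener guessing a port it could not know without the forwarded headers.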