Keycloak login issue - incorrect /_token call to non-existent backend server

Jernej Vodopivec jernej.vodopivec at gmail.com
Sun Oct 17 07:21:03 UTC 2021


Hi,

after a successful login on the Keycloak web page the user is not redirected to
the real backend service.
The event log shows a request to a non-existent backend server (127.0.0.1)
using a malformed scheme (HTTPS with port 80):
https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token

I've published two sites via Nginx:

1. Application: https://app.domain.com
The application is running on the backend IIS server https://appbackend.domain.com

NGINX Virtual host config:
a) Headers set:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

b) Keycloak part
include conf.d/openid_connect.server_conf;
set $oidc_authz_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/auth";
set $oidc_token_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/token";
set $oidc_client         "NGINX-Plus";
set $oidc_client_secret  "acdce7.......7460";
set $oidc_jwt_keyfile    "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/certs";
set $oidc_hmac_key       "38...asfumg3";

c) location part
auth_jwt "" token=$session_jwt;
error_page 401 = @do_oidc_flow;
auth_jwt_key_request /_jwks_uri;
proxy_set_header username $jwt_claim_sub;
proxy_pass      https://appbackend.domain.com;


2. Keycloak: https://keycloak.domain.com
Keycloak is running as a Docker container on a separate virtual machine,
keycloak1.domain.com.
Port redirection:
- tcp/80 -> tcp/8080
- tcp/443 -> tcp/8443
An SSL certificate is installed and activated.

1. Headers set:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

2. Backend
proxy_pass      https://keycloak1.domain.com;
## Same issue if HTTP is used instead of HTTPS

3. Client configuration - admin part
Valid Redirect URIs: https://app.domain.com:443/_codexch

NGINX logs
==> /var/log/nginx/app.domain.com-access.log <==
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET / HTTP/2.0" status=302 body_bytes_sent=145 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.002 upstream_connect_time="-" upstream_header_time="-" upstream_response_time="-" server_name=app.domain.com uri="/"


==> /var/log/nginx/keycloak.domain.com-access.log <==
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET /auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email+offline_access&client_id=NGINX-Plus&redirect_uri=https://app.domain.com:443/_codexch&nonce=5--Pw-iCkTs1hR-3V6wgLkd2vZNC0ys0NM9fRR4D1c8&state=0 HTTP/2.0" status=302 body_bytes_sent=0 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.032 upstream_connect_time="0.020" upstream_header_time="0.032" upstream_response_time="0.032" server_name=keycloak.domain.com uri="/auth/realms/master/protocol/openid-connect/auth"
1c8&state=0 HTTP/2.0", status=302, waf_policy=Complete_OWASP_Top_Ten,
waf_request_id=13388773729652827719, waf_action=PASSED,
waf_action_reason=SECURITY_WAF_OK

==> /var/log/nginx/app.domain.com-error.log <==
2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed (111: Connection refused) while connecting to upstream, client: 184.55.14.22, server: app.domain.com, request: "GET /_codexch?state=0&session_state=0b783755-9b00-4b0f-9e63-1a047680272c&code=07ce9447-19a7-443f-abfb-54e92819a34a.0b783755-9b00-4b0f-9e63-1a047680272c.98d80b2d-9f0d-482a-bdfd-b680834bb9bc HTTP/2.0", subrequest: "/_token", upstream: "https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", host: "app.domain.com"

Any help would be really appreciated.

Regards,

Jernej
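An added check, not part of the post or of the NGINX Plus OIDC reference configuration, that scans the `set $oidc_*` endpoint values and the nginx error log for the symptoms described above: a URL wrapped across lines inside one of nginx's quoted strings (the newline silently becomes part of the value), a port that contradicts the scheme (HTTPS on :80), and a loopback upstream. The sample config and error-log line are constructed from the post; the function and variable names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed samples modelled on the post (not the poster's full config or log).
SAMPLE_CONF = '''
set $oidc_authz_endpoint "
https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/auth
";
set $oidc_token_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/token";
set $oidc_client "NGINX-Plus";
'''
SAMPLE_ERROR_LOG = (
    '2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed (111: '
    'Connection refused) while connecting to upstream, client: 184.55.14.22, '
    'server: app.domain.com, request: "GET /_codexch?state=0 HTTP/2.0", '
    'subrequest: "/_token", upstream: '
    '"https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", '
    'host: "app.domain.com"')

DEFAULT_PORT = {"http": 80, "https": 443}
# nginx quoted strings may span lines, so [^"]* deliberately matches newlines.
SET_RE = re.compile(r'set\s+\$(oidc_\w+)\s+"([^"]*)"\s*;')
FAIL_RE = re.compile(r'connect\(\) failed.*?subrequest: "([^"]+)", upstream: "([^"]+)"')

def url_problems(url: str) -> list:
    """Reasons a proxy_pass target looks wrong: embedded whitespace, no
    scheme/host, an explicit port contradicting the scheme, or a loopback host."""
    reasons = []
    if any(c.isspace() for c in url):
        reasons.append("whitespace in URL")
        url = "".join(url.split())  # keep checking the intended URL
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORT or not u.hostname:
        reasons.append("missing scheme or host")
        return reasons
    if u.port is not None and u.port != DEFAULT_PORT[u.scheme]:
        reasons.append(f"{u.scheme} on port {u.port}")
    if u.hostname in ("127.0.0.1", "localhost", "::1"):
        reasons.append("loopback host")
    return reasons

def check_oidc_conf(conf: str) -> dict:
    """Map each $oidc_* variable that holds a URL to its problem list (empty = OK)."""
    return {name: url_problems(val) for name, val in SET_RE.findall(conf)
            if val.lstrip().startswith("http")}

def failed_upstreams(error_log: str) -> list:
    """(subrequest, upstream, problems) for every upstream connect() failure."""
    return [(sub, up, url_problems(up)) for sub, up in FAIL_RE.findall(error_log)]
```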