Open SirBubbls opened 11 months ago
That `redirect_uri` is generated by the Keycloak filter, based on the configuration in `auth.keycloakConfig[Url/File]`.
Looking at the Keycloak docs I suspect you will need to tune the `redirect-rewrite-rules` parameter.
Thanks for the quick response. We tried using the `redirect-rewrite-rules` for rewriting http to https. For some reason this didn't work and we dismissed the idea. I tried it again because of your comment, and adding a subpath is indeed possible.

```json
"redirect-rewrite-rules": {
  "^(.*)\/FROST-Server(.*)$": "$1/<subpath>/FROST-Server$2"
}
```

The `redirect_uri` is now correct, but we run into an infinite redirect loop as soon as we do the authentication flow from our subpath instead of `<domain>/FROST-Server`. I did some digging and suspect that the `path` attribute of the `JSESSIONID` cookie is not correctly set by the FROST server.

```jsonc
{
  "Response Cookies": {
    "JSESSIONID": {
      "httpOnly": true,
      "path": "/FROST-Server", // this should be /<subpath>/FROST-Server, shouldn't it?
      "value": "..."
    },
    "OAuth_Token_Request_State": {
      "httpOnly": true,
      "path": "/",
      "value": "..."
    }
  }
}
```
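The loop described in the comment above follows from how browsers match cookie paths: a `JSESSIONID` cookie set with `Path=/FROST-Server` is never attached to a request for `/<subpath>/FROST-Server/...`, so the callback from Keycloak arrives without the session that holds the OAuth state and the filter starts the flow again. The following Python is an added example, not code from FROST-Server or the Keycloak adapter. It applies the rewrite rule from the thread (with `<subpath>` assumed to be `/api`), implements the RFC 6265 path-match rule, and simulates the redirect dance with the cookie path Tomcat sets versus the externally visible one; the callback path segment is a constructed placeholder.

```python
import re

# Constructed for this example: the thread redacts the real subpath as <subpath>.
EXTERNAL_PREFIX = "/api"

# The redirect-rewrite-rules entry from the thread with <subpath> filled in.
# The Keycloak adapter uses Java-style $1/$2 group references.
REWRITE_RULES = {
    r"^(.*)\/FROST-Server(.*)$": f"$1{EXTERNAL_PREFIX}/FROST-Server$2",
}


def rewrite_redirect_uri(uri: str, rules: dict = REWRITE_RULES) -> str:
    """Apply the first matching rewrite rule, translating $n references to
    Python's \\n so the thread's rule can be used verbatim."""
    for pattern, replacement in rules.items():
        py_replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
        rewritten, count = re.subn(pattern, py_replacement, uri)
        if count:
            return rewritten
    return uri


def cookie_path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the rule a browser applies when
    deciding whether a stored cookie is sent with a request."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


class BrowserJar:
    """Minimal cookie jar keyed on (name, path)."""

    def __init__(self):
        self._cookies = {}

    def store(self, name: str, value: str, path: str) -> None:
        self._cookies[(name, path)] = value

    def cookies_for(self, request_path: str) -> dict:
        return {name: value for (name, path), value in self._cookies.items()
                if cookie_path_matches(path, request_path)}


def simulate_login(session_cookie_path: str, max_hops: int = 5):
    """Model the browser <-> FROST filter <-> Keycloak redirect dance.

    Returns the round trip on which the callback arrives with the session
    cookie (login completes), or None when the browser never sends
    JSESSIONID back, i.e. the infinite redirect loop from the thread."""
    jar = BrowserJar()
    # External path the browser actually requests; "keycloak/callback" is a
    # constructed placeholder for the redacted callback segment.
    callback = f"{EXTERNAL_PREFIX}/FROST-Server/keycloak/callback"
    for hop in range(1, max_hops + 1):
        sent = jar.cookies_for(callback)
        if "JSESSIONID" in sent and "OAuth_Token_Request_State" in sent:
            return hop
        # No usable session: the filter creates one, stores the OAuth state,
        # sets the cookies with the path Tomcat sees and redirects to Keycloak,
        # which sends the browser back to the (rewritten) redirect_uri.
        jar.store("JSESSIONID", f"sess-{hop}", session_cookie_path)
        jar.store("OAuth_Token_Request_State", f"state-{hop}", "/")
    return None


if __name__ == "__main__":
    print(rewrite_redirect_uri("http://example.org/FROST-Server/v1.1/Things"))
    print("Tomcat-seen path:", simulate_login("/FROST-Server"))
    print("external path:  ", simulate_login(f"{EXTERNAL_PREFIX}/FROST-Server"))
```

Note that `OAuth_Token_Request_State` with `Path=/` is matched everywhere, so it is not the cookie that breaks the flow; only the session cookie's path has to be the one the client sees, which is what a configurable `sessionCookiePath` provides.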
Hmm, it seems Tomcat uses the path that Tomcat sees for the session cookie, but this doesn't match the path the client sees. Tomcat does have the option sessionCookiePath to configure this. We'll have to find a way to make this configurable from the outside...
The development version now allows the `sessionCookiePath` to be overridden.
Also, I discovered the Tomcat Remote IP Filter, which wraps the requests as if they are coming directly from the client instead of from the proxy. That solves the http/https problem in the redirect.
You can enable it in the development branch using `http.remoteIpFilter.enable`.
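What a Remote IP Filter does, and why it fixes the `http://` in the redirect, is easiest to see in a small model of the decision it makes per request. The Python below is an added example written for this page, not Tomcat's filter or FROST-Server code. It honours `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-For` only when the TCP peer is in a trusted proxy range (Tomcat's own filter expresses the same idea with its `internalProxies`/`trustedProxies` and `protocolHeader` settings); the proxy range, service host name and IP addresses are constructed values.

```python
import ipaddress

# Constructed: address range of the cluster ingress/proxy that is allowed to
# set forwarded headers. Anything outside it is treated as an end client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# What Tomcat sees on the in-cluster hop (constructed values).
LOCAL_SCHEME = "http"
LOCAL_HOST = "frost.default.svc:8080"


def is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the header chain is never a trusted hop
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_request(peer_ip: str, headers: dict) -> tuple:
    """Return (scheme, host, client_ip) as the application should see them.

    Forwarded headers are honoured only when the peer is a trusted proxy.
    Otherwise a direct client could send X-Forwarded-Proto/Host itself and
    steer the redirect_uri to a scheme or host of its choosing."""
    if not is_trusted_proxy(peer_ip):
        return LOCAL_SCHEME, LOCAL_HOST, peer_ip

    h = {k.lower(): v for k, v in headers.items()}

    scheme = h.get("x-forwarded-proto", LOCAL_SCHEME).split(",")[0].strip().lower()
    if scheme not in ("http", "https"):
        scheme = LOCAL_SCHEME

    host = h.get("x-forwarded-host", LOCAL_HOST).split(",")[0].strip()

    # Walk X-Forwarded-For from the right: skip our own proxies, the first
    # address that is not one of them is the real client.
    client_ip = peer_ip
    chain = [a.strip() for a in h.get("x-forwarded-for", "").split(",") if a.strip()]
    for addr in reversed(chain):
        client_ip = addr
        if not is_trusted_proxy(addr):
            break
    return scheme, host, client_ip


def build_redirect_uri(peer_ip: str, headers: dict, path: str) -> str:
    """The redirect_uri an OIDC filter would derive from the wrapped request."""
    scheme, host, _ = effective_request(peer_ip, headers)
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    # Constructed request as forwarded by the ingress.
    from_ingress = {
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "frost.example.org",
        "X-Forwarded-For": "203.0.113.7, 10.42.0.9",
    }
    print(build_redirect_uri("10.42.0.3", from_ingress, "/FROST-Server/v1.1"))
    # Same headers sent directly by an untrusted peer: ignored.
    print(build_redirect_uri("198.51.100.20", from_ingress, "/FROST-Server/v1.1"))
```

When enabling such a filter, check that its trusted-proxy list covers only the ingress that actually terminates TLS; a list that includes client-reachable addresses turns the scheme and host of every generated redirect into attacker-controlled input.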
We serve a FROST server instance in Kubernetes under a subpath `https://<domain>/path/`. The `serviceRootUrl` appears to be correct. The FROST instance is also reachable under this path. Unfortunately, integrating Keycloak introduces issues with the `redirect_uri`. The auth request to Keycloak is `http://<domain>/FROST-Server` (`https://<domain>/auth/realms/<redacted>/protocol/openid-connect/auth?response_type=code&client_id=<redacted>&redirect_uri=http://<domain>/FROST-Server/<redacted>&login=true&scope=openid`). Because we don't serve FROST under this path, the authentication fails. As soon as we serve FROST under `http://<domain>/`, the login succeeds. Is there a configuration option for a subpath in the `redirect_uri` that I am missing, or is this a bug?