FraunhoferIOSB / FROST-Server

A Complete Server implementation of the OGC SensorThings API
https://fraunhoferiosb.github.io/FROST-Server/
GNU Lesser General Public License v3.0

Redirect URI not using `serviceRootUrl` #1717

Open SirBubbls opened 11 months ago

SirBubbls commented 11 months ago

We serve a FROST-Server instance in Kubernetes under a subpath https://<domain>/path/ and the serviceRootUrl appears to be correct.

INFO   d.f.i.ilt.frostserver.settings.Settings - Setting serviceRootUrl has value 'https://<domain>/path/'

The FROST instance is also reachable under this path. Unfortunately, integrating Keycloak introduces issues with the redirect_uri. The auth request to Keycloak is http://<domain>/FROST-Server (https://<domain>/auth/realms/<redacted>/protocol/openid-connect/auth?response_type=code&client_id=<redacted>&redirect_uri=http://<domain>/FROST-Server/<redacted>&login=true&scope=openid). Because we don't serve FROST under this path, the authentication fails. As soon as we serve FROST under http://<domain>/ the login succeeds. Is there a configuration option for a subpath in the redirect_uri that I am missing, or is this a bug?

hylkevds commented 11 months ago

That redirect_uri is generated by the Keycloak filter, based on the configuration in auth.keycloakConfig[Url/File]. Looking at the Keycloak docs, I suspect you will need to tune the redirect-rewrite-rules parameter.

SirBubbls commented 11 months ago

Thanks for the quick response. We tried using the redirect-rewrite-rules for rewriting http to https. For some reason this didn't work and we dismissed the idea. I tried it again because of your comment and adding a subpath is indeed possible.

"redirect-rewrite-rules": {
    "^(.*)\/FROST-Server(.*)$": "$1/<subpath>/FROST-Server$2"
}

The redirect_uri is now correct but we run into an infinite redirect loop as soon as we do the authentication flow from our subpath instead of <domain>/FROST-Server. I did some digging and suspect that the path attribute for the JSESSIONID is not correctly set by the Frost server.

{
    "Response Cookies": {
        "JSESSIONID": {
            "httpOnly": true,
            "path": "/FROST-Server",  // this should be /<subpath>/FROST-Server, shouldn't it?
            "value": "..."
        },
        "OAuth_Token_Request_State": {
            "httpOnly": true,
            "path": "/",
            "value": "..."
        }
    }
}

hylkevds commented 11 months ago

Hmm, it seems Tomcat uses the path that Tomcat sees for the session cookie, but this doesn't match the path the client sees. Tomcat does have the option sessionCookiePath to configure this. We'll have to find a way to make this configurable from the outside...
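
The two proxy mismatches discussed in this thread (a redirect_uri whose scheme or path does not match the client-visible serviceRootUrl, and a JSESSIONID whose Path attribute the browser will never send back to the client-visible path, which produces the login loop) can be checked from captured headers. The script below is an added example, not part of FROST-Server or this issue; the domain example.org, the subpath /path and the cookie values are constructed stand-ins for the redacted values above.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample values: FROST-Server is exposed by the proxy under /path/FROST-Server.
SERVICE_ROOT_URL = "https://example.org/path/FROST-Server/"
SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/FROST-Server; HttpOnly",   # Path as Tomcat sees it, not as the client does
    "OAuth_Token_Request_State=xyz; Path=/; HttpOnly",
]
AUTH_REQUEST_BEFORE = ("https://example.org/auth/realms/REALM/protocol/openid-connect/auth"
                       "?response_type=code&client_id=CLIENT"
                       "&redirect_uri=http://example.org/FROST-Server/v1.1&login=true&scope=openid")
# Same request after a redirect-rewrite rule inserted the subpath and the scheme was corrected.
AUTH_REQUEST_AFTER = AUTH_REQUEST_BEFORE.replace(
    "redirect_uri=http://example.org/FROST-Server", "redirect_uri=https://example.org/path/FROST-Server")

def cookie_path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: the cookie is sent when the request path equals the cookie
    path or extends it at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_not_returned(set_cookie_headers, service_root_url):
    """Cookies the browser would not send on a request to the client-visible service root.
    A session cookie listed here means every request starts a fresh session: a login loop."""
    root_path = urlsplit(service_root_url).path.rstrip("/") or "/"
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            path = morsel["path"] or "/"
            if not cookie_path_matches(path, root_path):
                missing.append((name, path))
    return missing

def redirect_uri_problems(auth_request_url, service_root_url):
    """Compare the redirect_uri inside the IdP auth request with the client-visible service root."""
    redirect = parse_qs(urlsplit(auth_request_url).query).get("redirect_uri", [""])[0]
    r, s = urlsplit(redirect), urlsplit(service_root_url)
    problems = []
    if r.scheme != s.scheme:
        problems.append(f"scheme {r.scheme!r} differs from {s.scheme!r}")
    if r.netloc != s.netloc:
        problems.append(f"host {r.netloc!r} differs from {s.netloc!r}")
    if not r.path.startswith(s.path.rstrip("/") + "/"):
        problems.append(f"path {r.path!r} lies outside {s.path!r}")
    return problems
```

Run it against the Set-Cookie and Location headers captured in the browser's network tab; an empty result from both functions means the proxy, the rewrite rule and the session cookie path all agree on what the client sees.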

hylkevds commented 1 month ago

The development version now allows the sessionCookiePath to be overridden.

hylkevds commented 1 month ago

Also, I discovered the Tomcat filter Remote IP Filter that wraps the requests as if they are coming directly from the client, instead of from the proxy. That solves the http/https problem in the redirect. You can enable it in the development branch using http.remoteIpFilter.enable.