mesosphere / traefik-forward-auth


Redirection to Keycloak Not Working #53

Closed pbitante closed 2 years ago

pbitante commented 2 years ago

Expected Behavior

I am using traefik-forward-auth in front of an R application using Shiny and authenticating with Keycloak OIDC. I would expect that by navigating to the app URL I am redirected to the Keycloak page, log in with Keycloak, then get redirected back to the app I am trying to reach.

Current Behavior

When I navigate to the app's url, I am met with a "Bad Gateway" message and a 502 error after two redirects in the Chrome network dev tools. If I refresh, I am shown a "Not Authenticated" message. The forwardauth logs say:

forwardauth_1  | time="2022-01-04T17:58:15Z" level=warning msg="failed to exchange token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"Code not valid\"}"

I am not sure what is configured wrong and preventing keycloak from being accessed.

Possible Solution

Steps to Reproduce (for bugs)

A client and secret will need to be generated for the rocker image. In the docker compose images below, I have called the client "rocker".

navigate to app.example.com

Context

The following can be placed in a docker compose file and brought up that way.

traefik-forward-auth Image

```yaml
forwardauth:
  image: mesosphere/traefik-forward-auth:3.0.3
  restart: unless-stopped
  networks:
    - services
  environment:
    - SECRET=xxx
    - PROVIDER_URI=https://keycloak.example.com/auth/realms/master
    - CLIENT_ID=rocker
    - CLIENT_SECRET=xxx
    - LOG_LEVEL=trace
  labels:
    - traefik.enable=true
    - traefik.port=4181
    - traefik.docker.network=services-development
    - traefik.http.routers.forwardauth_insecure.rule=Path(`/_oauth`)
    - traefik.http.routers.forwardauth_insecure.entrypoints=http
    - traefik.http.routers.forwardauth_insecure.middlewares=https-redirect,compression
    - traefik.http.routers.forwardauth.rule=Path(`/_oauth`)
    - traefik.http.routers.forwardauth.entrypoints=https
    - traefik.http.services.forwardauth.loadbalancer.server.port=4181
    - traefik.http.routers.forwardauth.middlewares=compression,traefik-forward-auth
    - traefik.http.routers.forwardauth.tls=true
```

Shiny Server Image

```yaml
rocker:
  image: rocker/shiny:latest
  networks:
    - services
  ports:
    - 3838:3838
  labels:
    - traefik.enable=true
    - traefik.port=3838
    - traefik.http.routers.analysis_insecure.rule=Host(`app.example.com`)
    - traefik.http.routers.analysis_insecure.middlewares=https-redirect
    - traefik.http.routers.analysis_insecure.entrypoints=http
    - traefik.http.routers.analysis.rule=Host(`app.example.com`)
    - traefik.http.routers.analysis.middlewares=compression,traefik-forward-auth
    - traefik.http.routers.analysis.entrypoints=https
    - traefik.http.routers.analysis.tls=true
    - traefik.http.services.analysis.loadbalancer.server.port=3838
    - traefik.docker.network=services-development
```

Keycloak Image

```yaml
keycloak:
  image: jboss/keycloak:11.0.3
  ports:
    - 5005:5005
  environment:
    - KEYCLOAK_USER=user
    - KEYCLOAK_PASSWORD=password
```

Your Environment

- Docker version: 4.0.1
- traefik-forward-auth version used: 3.0.3
- Traefik version used: 2.1
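Reading the log line in the report: "failed to exchange token" refers to the back-channel step in which the proxy posts the code it received on the `/_oauth` callback, together with its client credentials, to the provider's token endpoint. The following is an added example, not code from traefik-forward-auth or Keycloak, that models that exchange against an in-memory authorization server; the class names, the TTL values and the scenario inputs are assumptions. It shows the happy path beside the conditions under which a server following RFC 6749 answers `invalid_grant` (a code redeemed a second time, or after its lifetime), `invalid_client` (a client secret that does not match the one registered for the client), and the state check a proxy performs before it spends the code at all.

```python
"""Model of the OIDC authorization-code exchange that a forward-auth proxy
performs against an authorization server such as Keycloak.

Added example; not code from traefik-forward-auth or Keycloak. Class names,
the in-memory code store and the TTL values are assumptions. The error bodies
follow RFC 6749: a reused, expired or mis-bound code yields invalid_grant.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user: str
    issued_at: float
    used: bool = False


class AuthServer:
    """Toy authorization server standing in for the Keycloak realm."""

    def __init__(self, clients, code_ttl=60):
        self.clients = clients        # client_id -> (client_secret, redirect_uri)
        self.code_ttl = code_ttl      # seconds a code stays redeemable (assumed)
        self.codes = {}               # code -> IssuedCode

    def authorize(self, client_id, redirect_uri, user, now):
        """Front-channel login: bind a fresh single-use code to this client."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = IssuedCode(client_id, redirect_uri, user, now)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Back-channel token request; returns (http_status, json_body)."""
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return 401, {"error": "invalid_client"}
        rec = self.codes.get(code)
        if (rec is None or rec.used or rec.client_id != client_id
                or rec.redirect_uri != redirect_uri
                or now - rec.issued_at > self.code_ttl):
            # RFC 6749 4.1.2: a code used more than once must be refused.
            return 400, {"error": "invalid_grant", "error_description": "Code not valid"}
        rec.used = True               # single use: a second redemption fails above
        return 200, {"access_token": secrets.token_urlsafe(16), "sub": rec.user}


class ForwardAuth:
    """Toy forward-auth proxy: sends the browser to login, then redeems the code."""

    def __init__(self, server, client_id, client_secret, redirect_uri, state_ttl=300):
        self.server, self.redirect_uri = server, redirect_uri
        self.client_id, self.client_secret = client_id, client_secret
        self.state_ttl = state_ttl
        self.pending = {}             # state -> (original_url, issued_at)

    def start_login(self, original_url, now):
        """Unauthenticated request: remember where to return, issue a state."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = (original_url, now)
        return state

    def callback(self, state, code, now):
        """Handle the /_oauth redirect; returns (outcome, detail)."""
        original_url, issued_at = self.pending.get(state, (None, 0))
        if original_url is None or now - issued_at > self.state_ttl:
            return "rejected", "state mismatch or expired"   # CSRF check, no exchange
        status, body = self.server.token(self.client_id, self.client_secret,
                                         code, self.redirect_uri, now)
        if status != 200:
            return "failed", f"failed to exchange token: {status} {body['error']}"
        del self.pending[state]
        return "authenticated", (body["sub"], original_url)


def run_scenarios():
    """Exercise the flow with constructed inputs; returns {scenario: outcome}."""
    cb = "https://app.example.com/_oauth"
    server = AuthServer({"rocker": ("s3cret", cb)})
    proxy = ForwardAuth(server, "rocker", "s3cret", cb)
    out = {}

    state = proxy.start_login("https://app.example.com/", now=0)
    code = server.authorize("rocker", cb, "alice", now=1)
    out["happy_path"] = proxy.callback(state, code, now=2)

    # A second callback carrying a code that has already been redeemed.
    state2 = proxy.start_login("https://app.example.com/", now=3)
    out["replayed_code"] = proxy.callback(state2, code, now=4)

    # A code that sat longer than the server's TTL before being redeemed.
    state3 = proxy.start_login("https://app.example.com/", now=5)
    stale = server.authorize("rocker", cb, "alice", now=5)
    out["expired_code"] = proxy.callback(state3, stale, now=5 + 61)

    # CLIENT_SECRET in the proxy does not match the one registered in the realm.
    wrong = ForwardAuth(server, "rocker", "wrong", cb)
    state4 = wrong.start_login("https://app.example.com/", now=6)
    fresh = server.authorize("rocker", cb, "alice", now=6)
    out["wrong_client_secret"] = wrong.callback(state4, fresh, now=7)

    # Forged or unknown state: rejected before any token request is made.
    out["bad_state"] = proxy.callback("not-issued", fresh, now=8)
    return out


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The scenarios are deliberately distinguishable from the proxy's side: a `401 invalid_client` points at the credentials configured in the proxy, a `400 invalid_grant` at the code itself (already spent, expired, or bound to another client or redirect URI), and a state failure never reaches the token endpoint. When debugging a real deployment, checking which of these three the provider returns narrows the search considerably.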

pbitante commented 2 years ago

I was able to get this working with the base Keycloak theme. I was missing the "groups" client role for the client in my Keycloak instance.