search

stenagam / demo-federated-module-login

A sample project demonstrating how a frontend module encapsulated on a bigger project (via module federation) can reuse the main auth session on another api without logging-in again.
Creative Commons Zero v1.0 Universal
0 stars 0 forks source link

Keycloak Discourse Bug Report #9

Open fczuardi opened 3 years ago

fczuardi commented 3 years ago

I am trying to test a scenario of 2 keycloaks where one is identity provider for the other, but I keep getting a 502 error with both them on localhost... is it possible?

Here is my simple testcase:

docker-compose.yml

services:
  keycloak1:
    image: "quay.io/keycloak/keycloak:latest"
    ports:
      - "1234:8080"
    environment:
      KEYCLOAK_USER: admin1
      KEYCLOAK_PASSWORD: admin
  keycloak2:
    image: "quay.io/keycloak/keycloak:latest"
    ports:
      - "4321:8080"
    environment:
      KEYCLOAK_USER: admin2
      KEYCLOAK_PASSWORD: admin

Keycloak 1 (http://localhost:1234 ) new realm: kc1

user registration enabled, SSL disabled: kc2 new client: kc3 access type: confidential kc4 wildcards on Valid Redirect URIs and Web Origins: kc5 client secret copied kc6

finishing with admin1 Sign Out

Keycloak 2 (http://localhost:4321 )

new realm: kc7 user registration On, SSL Off: kc8 new identity provider Keycloak OpenID Connect, auth and token endpoints kc9 Client Authentication, Client ID, Client Secret kc10

Save and SignOut admin2

Keycloak 1 from user perspective Open http://localhost:1234/auth/realms/realm_a/account and SignIn to register a new user kc11 After success login, signout

Keycloak 2 from user perspective Open http://localhost:4321/auth/realms/realm_b/account and attempt to Sign In using the Identity Provider kc12 After click on "keycloak1" button kc13 After sign in kc14

Logs

keycloak2_1  | 12:31:38,803 WARN  [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (default task-13) TruststoreProvider is disabled
keycloak2_1  | 12:31:38,889 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-13) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to localhost:1234 [localhost/127.0.0.1] failed: Connection refused (Connection refused)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:156)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
keycloak2_1  |  at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:277)
keycloak2_1  |  at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:216)
keycloak2_1  |  at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:208)
keycloak2_1  |  at org.keycloak.keycloak-services@15.0.2//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:500)
keycloak2_1  |  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
keycloak2_1  |  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
keycloak2_1  |  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak2_1  |  at java.base/java.lang.reflect.Method.invoke(Method.java:566)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:546)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:435)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:396)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:398)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:365)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
keycloak2_1  |  at org.jboss.resteasy.resteasy-jaxrs@3.15.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
keycloak2_1  |  at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
keycloak2_1  |  at org.keycloak.keycloak-wildfly-extensions@15.0.2//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
keycloak2_1  |  at org.keycloak.keycloak-services@15.0.2//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
keycloak2_1  |  at org.keycloak.keycloak-wildfly-extensions@15.0.2//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
keycloak2_1  |  at org.wildfly.extension.undertow@23.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
keycloak2_1  |  at io.undertow.servlet@2.2.5.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
keycloak2_1  |  at io.undertow.core@2.2.5.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
keycloak2_1  |  at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
keycloak2_1  |  at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
keycloak2_1  |  at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
keycloak2_1  |  at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
keycloak2_1  |  at org.jboss.xnio@3.8.4.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
keycloak2_1  |  at java.base/java.lang.Thread.run(Thread.java:829)
keycloak2_1  | Caused by: java.net.ConnectException: Connection refused (Connection refused)
keycloak2_1  |  at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
keycloak2_1  |  at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
keycloak2_1  |  at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
keycloak2_1  |  at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
keycloak2_1  |  at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
keycloak2_1  |  at java.base/java.net.Socket.connect(Socket.java:609)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:75)
keycloak2_1  |  at org.apache.httpcomponents.core//org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
keycloak2_1  |  ... 90 more
keycloak2_1  | 
keycloak2_1  | 12:31:38,924 WARN  [org.keycloak.events] (default task-13) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=realm_b, clientId=account-console, userId=null, ipAddress=172.24.0.1, error=identity_provider_login_failure, code_id=ff4c5f88-7047-4462-ac77-4f7912655874, authSessionParentId=ff4c5f88-7047-4462-ac77-4f7912655874, authSessionTabId=QYSgucrsGvc

Browser Network Tab kc15

What am I missing? Is it possible to have the identity provider and the broker on the same machine?

Thanks!

jledoux-sonergia commented 2 years ago

Hello,

I also have the same issue, but I'm using only one instance of Keycloak. I first thought it was an issue with my reverse proxy (Traefik 2.5) but I still get a connection refused after disabling it. Since the call is probably made from the server Keycloak, it can't reach itself on 127.0.0.1 within the docker network. And if I change the domain for a docker network alias, then I get a "wrong redirect uri error". I'll let you know if I find a workaround

Helalihiba commented 1 year ago

Hello, I'm facing a similar issue. I have installed two Keycloak instances using a docker-compose file: one as an Identity Provider (IdP) on port 9090, and the second as a broker on port 8085. However, I'm unable to log in a user created on the Identity Provider to the broker.

Additionally, I have noticed the same errors in the logs:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-57) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:9090 [/127.0.0.1] failed: Connection refused (Connection refused)

Did you manage to solve the problem since then?