Keycloak and Nginx: auth_request

Question

I am trying to setup auth_request with keycloak proxy, but it does not work (Nginx returns 500 status code).

Here is my example:

nginx.conf

upstream target_host {
    server prometheus:9090;
}

upstream oauth_host {
    server keycloak-proxy:8181;
}

server {

  listen 80;
  server_name myexample.com;


  location = /oauth2/ {
    proxy_pass       http://oauth_host/oauth2/;
    proxy_redirect              default;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header   X-Original-URI $request_uri;
    proxy_set_header   Content-Length   "";
    proxy_pass_request_body           off;
  }

  location / {
      auth_request /oauth2/; 
      proxy_pass http://target_host/;
  }
}

proxy.json

{
    "target-url": "http://myexample.com/",
    "target-request-timeout": "60000",
    "send-access-token": true,
    "bind-address": "0.0.0.0",
    "http-port": "8181",
    "applications": [
        {
            "base-path": "/oauth2/",
            "proxy-address-forwarding": true,
            "adapter-config": {
                "realm": "test",
                "disable-trust-manager": true,
                "resource": "account",
                "auth-server-url": "https://keycloak:8443/auth",
                "ssl-required" : "external",
                "credentials": {
                    "secret": "75ddbbd9-e98c-437e-9815-a8b66e9e58ec"
                }
            }
            ,
            "constraints": [
                {
                    "pattern": "/*",
                    "roles-allowed": [
                        "custom_role"
                    ]
                }
            ]
        }
    ]
}

Nginx log:

172.19.0.1 - - [03/Sep/2018:14:50:14 +0200] "GET / HTTP/1.1" 500 193 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" "-"
172.19.0.1 - - [03/Sep/2018:14:50:14 +0200] "GET / HTTP/1.1" 500 193 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" "-"
2018/09/03 14:50:14 [error] 8#8: *21 auth request unexpected status: 302 while sending to client, client: 172.19.0.1, server: myexample.com, request: "GET / HTTP/1.1", host: "myexample.com"
2018/09/03 14:50:14 [error] 8#8: *23 auth request unexpected status: 302 while sending to client, client: 172.19.0.1, server: myexample.com, request: "GET / HTTP/1.1", host: "myexample.com"

http://keycloak-proxy:8181 -> Keycloak Proxy
https://keycloak:443 -> Keycloak
http://prometheus:9090 -> Prometheus
http://myexample.com -> Nginx

I am wondering how to properly setup auth_request. Can anyone help ?

Thanks

Are you hiding keycloak with the nginx proxy? If yes, you miss KC configuration there. — Aritz, Sep 04 '18 at 10:53
No, in fact there is working redirect to keycloak on /oauth2 location, but I am wondering if it is even right... I guess that I should also do a proxy pass to keycloak itself. There might be a problem with redirect uri generated by keycloak-proxy and keycloak — MUHAHA, Sep 04 '18 at 11:16

score 2 · Answer 1 · answered Sep 03 '18 at 22:07

Your request to the oAuth2 service is being redirected with 302 HTTP code, maybe if you follow the redirect it will give you the response you are hoping for.

location = /oauth2/ {
    # Other stuff..
    # You may need to comment out this:
    # proxy_redirect default;
    # Then, add this:
    proxy_intercept_errors on;
    error_page 302 = @handle_redirect;
}
location @handle_redirect {
    set $saved_redirect_location '$upstream_http_location';
    proxy_pass $saved_redirect_location;
}

Keycloak and Nginx: auth_request

1 Answers1