I'm trying to set up a Docker instance of Keycloak behind a reverse proxy that simply forwards each request to it.
I already set up the proxy to add the
X-Forwarded-For
X-Forwarded-Proto
headers with the IP of the client and the value "http".
I also set the environment variable PROXY_ADDRESS_FORWARDING: "true" on the Docker instance.
I'm now trying to authenticate through the JavaScript client, but I get this error (I enabled the debug log level for Keycloak):
keycloak | 15:50:01,116 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-1) Will use client 'Webgui' in back-to-application link
keycloak | 15:50:01,116 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
keycloak | 15:50:01,116 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
keycloak | 15:50:01,116 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
keycloak | 15:50:01,117 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Not found AUTH_SESSION_ID cookie
keycloak | 15:50:01,117 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
keycloak | 15:50:01,118 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
keycloak | 15:50:01,118 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
keycloak | 15:50:01,127 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Not found AUTH_SESSION_ID cookie
keycloak | 15:50:01,127 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
keycloak | 15:50:01,127 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) Couldnt find any cookies with name AUTH_SESSION_ID, trying AUTH_SESSION_ID_LEGACY
keycloak | 15:50:01,127 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1) {1} cookie found in the requests header
keycloak | 15:50:01,128 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1) Not found AUTH_SESSION_ID cookie
keycloak | 15:50:01,128 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-1) Authentication session not found. Trying to restart from cookie.
keycloak | 15:50:01,128 DEBUG [org.keycloak.protocol.RestartLoginCookie] (default task-1) KC_RESTART cookie doesn't exist
keycloak | 15:50:01,129 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=test, clientId=null, userId=null, ipAddress=172.18.0.1, error=invalid_code
I checked the URL encoding and can confirm that the URI string sent by the proxy is the same as when it leaves the client.
Any help will be appreciated.
Please find below a comparison of the tcpdump of the request before and after the reverse proxy:
BEFORE
POST /auth/realms/test/login-actions/authenticate?session_code=cXM4QygbthFizJ1jqGaTOctRZKR7WhU-o6tw1dYwrMM&execution=ddf78420-3ed6-477f-9bba-14e1c0afc78e&client_id=Webgui&tab_id=n20mqnfLMD0 HTTP/1.1
Host: localhost:8199
Connection: keep-alive
Content-Length: 43
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8199
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8199/auth/realms/test/protocol/openid-connect/auth?client_id=Webgui&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&state=64a47edf-1f21-4881-bf91-eb803ff799a1&response_mode=fragment&response_type=code&scope=openid&nonce=6e378e5c-796b-482e-91d0-924fffade91b
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _xsrf=2|5c6a380b|2939d9bf43d7bf802f3a86f4c0884f29|1597236136
username=admin&password=admin&credentialId=
AFTER
POST /auth/realms/test/login-actions/authenticate?session_code=cXM4QygbthFizJ1jqGaTOctRZKR7WhU-o6tw1dYwrMM&execution=ddf78420-3ed6-477f-9bba-14e1c0afc78e&client_id=Webgui&tab_id=n20mqnfLMD0 HTTP/1.1
Host: localhost:8199
Connection: keep-alive
Content-Length: 43
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8199
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8199/auth/realms/test/protocol/openid-connect/auth?client_id=Webgui&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&state=64a47edf-1f21-4881-bf91-eb803ff799a1&response_mode=fragment&response_type=code&scope=openid&nonce=6e378e5c-796b-482e-91d0-924fffade91b
Accept-Encoding: gzip
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _xsrf=2|5c6a380b|2939d9bf43d7bf802f3a86f4c0884f29|1597236136
X-Forwarded-For: 172.18.0.1
X-Forwarded-Proto: http
username=admin&password=admin&credentialId=
I've also been able to align the Accept-Encoding header by tuning the proxy. Now the two requests are aligned.
Still I get the same error from Keycloak.
Please find also the definition of Keycloak in my docker-compose file:
keycloak:
  image: jboss/keycloak:11.0.0
  container_name: keycloak
  hostname: keycloak
  ports:
    - "8080:8080"
  environment:
    KEYCLOAK_USER: admin
    KEYCLOAK_PASSWORD: admin
    DB_VENDOR: postgres
    DB_ADDR: postgres11-keycloak
    DB_PORT: 5432
    DB_DATABASE: keycloak
    DB_USER: postgres
    DB_PASSWORD: postgres
    PROXY_ADDRESS_FORWARDING: "true"
  depends_on:
    - postgres11-keycloak
  networks:
    - keycloak-network
    - backend
I finally ended up solving my issues. Thanks to jinnerbichler I discovered that more than the two headers indicated in the documentation (X-Forwarded-For, X-Forwarded-Proto) need to be set by the proxy.
The working solution includes:
X-Forwarded-For
X-Forwarded-Proto
X-Forwarded-Host
X-Forwarded-Server
X-Forwarded-Port
X-Real-IP
Please update the documentation accordingly, should you agree with this solution.
Cheers
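The poster diagnosed this by diffing a tcpdump of the request before and after the proxy. The following Python script is an added example (not code from the thread, Keycloak, or any proxy project) that automates that comparison: it parses two raw HTTP requests, reports which of the six forwarding headers from the working solution the proxy failed to add, and cross-checks the values it did add against the original client request (X-Forwarded-Host and X-Forwarded-Port against the client's Host header, X-Real-IP against the first X-Forwarded-For entry, and an unchanged request line). The sample requests are constructed, shortened versions of the BEFORE/AFTER dumps above with placeholder session values; `proxy.internal` is an assumed server name. With PROXY_ADDRESS_FORWARDING enabled Keycloak trusts these headers, so the proxy should set them itself for every request rather than pass through whatever the client sent; the consistency checks below are one way to confirm it does.

```python
"""Check a proxied HTTP request for the forwarding headers Keycloak needs.

Added example, not part of the original thread. Parses raw HTTP/1.1 request
text (as captured by tcpdump) and compares the client-side and proxy-side
copies of the same request.
"""

# Header set from the thread's working solution (not just the two documented ones).
REQUIRED_FORWARD_HEADERS = (
    "X-Forwarded-For",
    "X-Forwarded-Proto",
    "X-Forwarded-Host",
    "X-Forwarded-Server",
    "X-Forwarded-Port",
    "X-Real-IP",
)


def parse_request(raw):
    """Split a raw HTTP request into (request_line, {lower-name: value}, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def split_host_port(host_value, proto):
    """Return (host, port) from a Host-style value, defaulting the port by scheme."""
    host, sep, port = host_value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return host_value, "443" if proto == "https" else "80"


def check_forwarding(client_raw, upstream_raw):
    """Return {'missing': [...], 'mismatches': [...]} for the proxied request."""
    client_line, client_hdrs, _ = parse_request(client_raw)
    upstream_line, upstream_hdrs, _ = parse_request(upstream_raw)

    # Headers the proxy was expected to add but did not.
    missing = [h for h in REQUIRED_FORWARD_HEADERS if h.lower() not in upstream_hdrs]

    mismatches = []
    # The poster confirmed the URI was unchanged; make that an explicit check.
    if client_line != upstream_line:
        mismatches.append("request line changed: %r -> %r" % (client_line, upstream_line))

    proto = upstream_hdrs.get("x-forwarded-proto", "")
    if proto and proto not in ("http", "https"):
        mismatches.append("X-Forwarded-Proto has unexpected value %r" % proto)

    # X-Forwarded-Host / X-Forwarded-Port must describe the Host the client used.
    client_host, client_port = split_host_port(client_hdrs.get("host", ""), proto or "http")
    fwd_host = upstream_hdrs.get("x-forwarded-host")
    if fwd_host is not None and split_host_port(fwd_host, proto)[0] != client_host:
        mismatches.append("X-Forwarded-Host %r != client Host %r" % (fwd_host, client_host))
    fwd_port = upstream_hdrs.get("x-forwarded-port")
    if fwd_port is not None and fwd_port != client_port:
        mismatches.append("X-Forwarded-Port %r != client port %r" % (fwd_port, client_port))

    # X-Real-IP should agree with the first (client) entry of X-Forwarded-For.
    xff = upstream_hdrs.get("x-forwarded-for")
    xri = upstream_hdrs.get("x-real-ip")
    if xff is not None and xri is not None and xff.split(",")[0].strip() != xri:
        mismatches.append("X-Real-IP %r != first X-Forwarded-For entry %r" % (xri, xff))

    return {"missing": missing, "mismatches": mismatches}


# Constructed sample requests modelled on the thread's BEFORE/AFTER dumps.
REQUEST_LINE = ("POST /auth/realms/test/login-actions/authenticate"
                "?session_code=SESSION_CODE_PLACEHOLDER&execution=EXECUTION_PLACEHOLDER"
                "&client_id=Webgui&tab_id=TAB_ID_PLACEHOLDER HTTP/1.1")
COMMON_HEADERS = [
    "Host: localhost:8199",
    "Content-Type: application/x-www-form-urlencoded",
    "Cookie: _xsrf=XSRF_PLACEHOLDER",
]
BODY = "username=REDACTED&password=REDACTED&credentialId="

CLIENT_REQUEST = "\r\n".join([REQUEST_LINE] + COMMON_HEADERS + ["", BODY])
# What the proxy sent with only the two documented headers (the failing setup).
PROXIED_PARTIAL = "\r\n".join([REQUEST_LINE] + COMMON_HEADERS + [
    "X-Forwarded-For: 172.18.0.1",
    "X-Forwarded-Proto: http",
    "", BODY])
# What the proxy sends with the full header set from the working solution.
PROXIED_FULL = "\r\n".join([REQUEST_LINE] + COMMON_HEADERS + [
    "X-Forwarded-For: 172.18.0.1",
    "X-Forwarded-Proto: http",
    "X-Forwarded-Host: localhost:8199",
    "X-Forwarded-Server: proxy.internal",  # assumed proxy hostname
    "X-Forwarded-Port: 8199",
    "X-Real-IP: 172.18.0.1",
    "", BODY])

if __name__ == "__main__":
    print("partial:", check_forwarding(CLIENT_REQUEST, PROXIED_PARTIAL))
    print("full:   ", check_forwarding(CLIENT_REQUEST, PROXIED_FULL))
```

Run against the partial capture the script lists the four headers the documentation omits; against the full capture it reports nothing missing and no mismatches. Feeding it real tcpdump output only requires pasting the two request texts in place of the constructed constants.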