Hello
I’m trying to set up Keycloak using nginx as a proxy.
The idea is to log in to the web app using the javascript adapter and then, for each API request, nginx should ask Keycloak if the token is valid (the session could be revoked, etc.).
I’ve set it up without nginx locally - I have Keycloak on my VM and I used Keycloak Gatekeeper to proxy API requests. It worked with no issues whatsoever.
Then, I deployed Keycloak and the web app that uses the js adapter on a cluster, and in nginx I proxied the URLs required for login. Next, I configured the auth module to call `/auth/realms/cerulean-magnolia/protocol/openid-connect/token` with `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket`. There could be a better endpoint to call, but I’m always getting `invalid_grant` / `Invalid bearer token` anyway.
Login works, but when I try to use the generated token, it becomes invalid and I can’t use it anymore.
I’ve set `PROXY_ADDRESS_FORWARDING` to true and here’s what I did in nginx:
```nginx
# Login endpoints: /api/v1/login/<path> is rewritten to Keycloak's /auth/<path>
location /api/v1/login {
    rewrite /api/v1/login/(.*) /auth/$1 break;
    proxy_pass {{ .Values.nginx.keycloakUrl }};
}

# Static resources (login theme assets) served by Keycloak
location /auth/resources {
    proxy_pass {{ .Values.nginx.keycloakUrl }};
}

# Realm endpoints; forwarded headers let Keycloak build URLs from the public host
location /auth/realms {
    proxy_set_header X-Forwarded-For $remote_addr;   # client address, not $host
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_pass {{ .Values.nginx.keycloakUrl }};
}
```
And then for API requests the auth module: `auth_request /_auth;` and:
```nginx
# Subrequest target for auth_request: asks Keycloak's token endpoint for a
# UMA permission decision using the caller's bearer token
location = /_auth {
    internal;
    proxy_method POST;
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-Scheme $scheme;
    proxy_set_header X-Original-Request $request;
    proxy_set_header X-Original-Request-URI $request_uri;
    proxy_set_header Content-Type "application/x-www-form-urlencoded";
    # "response_mode" was misspelled as "respnose_mode" in the original
    proxy_set_body "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=lei-api&response_mode=decision";
    rewrite /_auth /auth/realms/cerulean-magnolia/protocol/openid-connect/token break;
    proxy_pass {{ .Values.nginx.keycloakUrl }};
}
```
Like I mentioned - any attempt at using this token ends up in getting:
```json
{
  "error": "invalid_grant",
  "error_description": "Invalid bearer token"
}
```
If I generate this token manually (via a forwarded port) using a password:
```shell
curl -L -X POST 'https://localhost:8141/auth/realms/cerulean-magnolia/protocol/openid-connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=lei' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'username=...' \
  --data-urlencode 'password=...' --insecure | jq
```
and then use this token to do:
```shell
http --verify=no -f https://localhost:8141/auth/realms/cerulean-magnolia/protocol/openid-connect/token grant_type=urn:ietf:params:oauth:grant-type:uma-ticket audience=lei-api response_mode=decision authorization:"Bearer ..."
```
it works fine. But if I use the token generated via the web app, I always get 401.
I’d be grateful for any help or hints.
Kind Regards,
Patryk
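A diagnostic I would run on the two tokens the post compares, as an added example that is not part of the original post: the manually issued token is accepted when sent straight to Keycloak while the web app's token is rejected through the proxy, so the first thing to check is whether the claims the token carries (`iss`, `aud`, `exp`) match what the verifying endpoint expects. The expected issuer host and the sample claims below are constructed placeholders, and the decoder deliberately skips signature verification because it is for inspection only.

```python
import base64
import json
import time

# Expected issuer for the realm named in the post; the host is a placeholder
# (assumption: the public URL the browser uses, not an in-cluster address).
EXPECTED_ISSUER = "https://example.test/auth/realms/cerulean-magnolia"
EXPECTED_AUDIENCE = "lei-api"  # the audience the auth_request asks for

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Decodes the payload WITHOUT verifying the signature: diagnostics only,
    # never use this to make an authorization decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def check_token(token: str, expected_issuer: str, expected_audience: str,
                now=None) -> list:
    """Return the claim mismatches a verifier would reject on; [] means consistent."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in aud:
        problems.append(f"aud {aud!r} does not contain {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg=none, empty signature) to exercise the checks offline
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    # Constructed claims: a token whose issuer is an internal address, not the public one
    tok = make_unsigned_token({"iss": "http://keycloak:8080/auth/realms/cerulean-magnolia",
                               "aud": ["lei-api", "account"], "exp": 2_000_000_000})
    for p in check_token(tok, EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=1_700_000_000):
        print("mismatch:", p)
```

Run it once against a token copied from the browser's session and once against the curl-issued token; any line printed for only one of them is where the two requests diverge.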