Keycloak integration breaks on mixed https/http setup #2040

Closed
jscheytt opened this issue Oct 28, 2022 · 8 comments

Comments

@jscheytt

Hi everyone,

we are trying to run Apicurio Studio in Docker Swarm together with Traefik. We have managed to get everything up and running (apart from having to expose Websockets through a node port instead of DNS) but the Keycloak integration is still problematic.

These are our steps for reproduction:

  1. Open Apicurio UI
  2. This redirects to Keycloak
    • The parameter redirect_uri in the URL is the https URL - this is already wrong to begin with
  3. Enter correct user credentials
  4. This redirects to Apicurio UI with https
    • This fails (404) because only an http route is set up

I would have expected the redirect_uri to be http.

This is how we currently work around this bug:

  1. Edit the URL from step 4 manually from https to http
  2. This redirects once more to an Apicurio UI URL with https
  3. Edit this URL again from https to http
  4. Now the Apicurio UI Dashboard opens
  5. All other navigation after this stays on http

Comparison

We have another Docker Stack on another, similar machine. This stack works including Keycloak integration. We have diffed the Docker Stack manifests, and the only difference between the working stack and the broken stack (as described above) is that Keycloak runs on https.

For me, this feels a lot like Apicurio UI somewhere redefines its own URL to https when the Keycloak URL is https.

Keycloak Configuration

  • The realm settings: Require SSL is set to "none"
  • The client settings: We had to add both the http and the https URL as valid redirect URIs, otherwise we could not arrive at the above situation because of invalid_redirect_uri

Docker Service

The following is the Apicurio UI service we currently deploy. All URLs have been anonymized.

services:
  apicurio-ui:
    image: apicurio/apicurio-studio-ui:0.2.58.Final
    depends_on:
      - apicurio-api
      - apicurio-websockets
    networks:
      - internal
      - network_traefik
    dns:
      - 10.1.1.11
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # This contains the Keycloak certificate
      - /opt/docker/apicurio/certs/truststore.jks:/trust/truststore.jks:ro
    environment:
      JAVA_TOOL_OPTIONS: >-
        -Dhttp.nonProxyHosts="localhost|127.*|[::1]|.company.tld|*.company.tld|10.1.43.10|apicurio-database"
        -Dhttp.proxyHost=10.2.15.20
        -Dhttp.proxyPort=8080 -Dhttps.proxyHost=10.2.15.20
        -Dhttps.proxyPort=8080
        -Djava.net.preferIPv4Stack=true
        -Djavax.net.ssl.trustStore=/trust/truststore.jks
      APICURIO_KC_CLIENT_ID: apicurio-studio
      APICURIO_KC_AUTH_URL: https://keycloak.company.tld/auth
      APICURIO_KC_REALM: production
      APICURIO_LOGGING_LEVEL: DEBUG
      APICURIO_UI_HUB_API_URL: http://api.apicurio.company.tld
      APICURIO_UI_EDITING_URL: ws://10.1.43.10:9001
      APICURIO_UI_FEATURE_MICROCKS: "false"
      APICURIO_UI_FEATURE_SHARE_WITH_EVERYONE: "false"
      APICURIO_UI_LOGOUT_REDIRECT_URI: /
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=network_traefik
        - traefik.constraint-label=traefik-enabled
        - traefik.http.routers.apicurio-ui.rule=Host(`apicurio.company.tld`)
        - traefik.http.routers.apicurio-ui.entrypoints=web
        - traefik.http.services.apicurio-ui.loadbalancer.server.port=8080

Full Docker Stack

For reference, I am also posting the entire Docker Stack here. The only changes I have made to this:

  • anonymized URLs
  • most secrets removed
  • Microcks removed (is deployed in the same stack but not integrated with Apicurio yet)
Full Manifest

version: "3.9"
services:
  apicurio-ui:
    image: apicurio/apicurio-studio-ui:0.2.58.Final
    depends_on:
      - apicurio-api
      - apicurio-websockets
    networks:
      - internal
      - network_traefik
    dns:
      - 10.1.1.11
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # This contains the Keycloak certificate
      - /opt/docker/apicurio/certs/truststore.jks:/trust/truststore.jks:ro
    environment:
      JAVA_TOOL_OPTIONS: >-
        -Dhttp.nonProxyHosts="localhost|127.*|[::1]|.company.tld|*.company.tld|10.1.43.10|apicurio-database"
        -Dhttp.proxyHost=10.2.15.20
        -Dhttp.proxyPort=8080 -Dhttps.proxyHost=10.2.15.20
        -Dhttps.proxyPort=8080
        -Djava.net.preferIPv4Stack=true
        -Djavax.net.ssl.trustStore=/trust/truststore.jks
      APICURIO_KC_CLIENT_ID: apicurio-studio
      APICURIO_KC_AUTH_URL: https://keycloak.company.tld/auth
      APICURIO_KC_REALM: production
      APICURIO_LOGGING_LEVEL: DEBUG
      APICURIO_UI_HUB_API_URL: http://api.apicurio.company.tld
      APICURIO_UI_EDITING_URL: ws://10.1.43.10:9001
      APICURIO_UI_FEATURE_MICROCKS: "false"
      APICURIO_UI_FEATURE_SHARE_WITH_EVERYONE: "false"
      APICURIO_UI_LOGOUT_REDIRECT_URI: /
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=network_traefik
        - traefik.constraint-label=traefik-enabled
        - traefik.http.routers.apicurio-ui.rule=Host(`apicurio.company.tld`)
        - traefik.http.routers.apicurio-ui.entrypoints=web
        - traefik.http.services.apicurio-ui.loadbalancer.server.port=8080
  apicurio-api:
    image: apicurio/apicurio-studio-api:0.2.58.Final
    depends_on:
      - apicurio-database
    networks:
      - internal
      - network_traefik
    dns:
      - 10.1.1.11
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/apicurio/certs/truststore.jks:/trust/truststore.jks:ro
    environment:
      JAVA_TOOL_OPTIONS: >-
        -Dhttp.nonProxyHosts="localhost|127.*|[::1]|.company.tld|*.company.tld|10.1.43.10|apicurio-database"
        -Dhttp.proxyHost=10.2.15.20
        -Dhttp.proxyPort=8080
        -Dhttps.proxyHost=10.2.15.20
        -Dhttps.proxyPort=8080
        -Djava.net.preferIPv4Stack=true
        -Djavax.net.ssl.trustStore=/trust/truststore.jks
      APICURIO_KC_AUTH_URL: https://keycloak.company.tld/auth
      APICURIO_KC_CLIENT_ID: apicurio-api
      APICURIO_KC_REALM: production
      APICURIO_KC_SSL_REQUIRED: "false"
      APICURIO_LOGGING_LEVEL: DEBUG
      APICURIO_DB_TYPE: postgresql9
      APICURIO_HUB_STORAGE_JDBC_TYPE: postgresql9
      APICURIO_DB_DRIVER_NAME: postgresql
      APICURIO_DB_CONNECTION_URL: jdbc:postgresql://apicurio-database/apicuriodb
      APICURIO_DB_USER_NAME: apicurio
      APICURIO_DB_PASSWORD: Test123!
      APICURIO_DB_INITIALIZE: "true"
      APICURIO_SHARE_FOR_EVERYONE: "false"
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=network_traefik
        - traefik.constraint-label=traefik-enabled
        - traefik.http.routers.apicurio-api.rule=Host(`api.apicurio.company.tld`)
        - traefik.http.routers.apicurio-api.entrypoints=web
        - traefik.http.services.apicurio-api.loadbalancer.server.port=8080
  apicurio-websockets:
    image: apicurio/apicurio-studio-ws:0.2.58.Final
    depends_on:
      - apicurio-database
    ports:
      # Traefik somehow breaks the websockets communication. As a workaround,
      # we are exposing this Node Port directly and connect via IP + Port.
      # See also above at .services.apicurio-ui.environment.APICURIO_UI_EDITING_URL
      - 9001:8080
    networks:
      - internal
    dns:
      - 10.1.1.11
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/docker/apicurio/certs/truststore.jks:/trust/truststore.jks:ro
    environment:
      JAVA_TOOL_OPTIONS: >-
        -Dhttp.nonProxyHosts="localhost|127.*|[::1]|.company.tld|*.company.tld|10.1.43.10|apicurio-database"
        -Dhttp.proxyHost=10.2.15.20
        -Dhttp.proxyPort=8080 -Dhttps.proxyHost=10.2.15.20
        -Dhttps.proxyPort=8080
        -Djava.net.preferIPv4Stack=true
        -Djavax.net.ssl.trustStore=/trust/truststore.jks
      APICURIO_KC_CLIENT_ID: apicurio-studio
      APICURIO_KC_AUTH_URL: https://keycloak.company.tld/auth
      APICURIO_KC_REALM: production
      APICURIO_KC_SSL_REQUIRED: "true"
      APICURIO_LOGGING_LEVEL: DEBUG
      APICURIO_DB_TYPE: postgresql9
      APICURIO_HUB_STORAGE_JDBC_TYPE: postgresql9
      APICURIO_DB_DRIVER_NAME: postgresql
      APICURIO_DB_CONNECTION_URL: jdbc:postgresql://apicurio-database/apicuriodb
      APICURIO_DB_USER_NAME: apicurio
      APICURIO_DB_PASSWORD: Test123!
      APICURIO_DB_INITIALIZE: "false"
      APICURIO_SHARE_FOR_EVERYONE: "false"
  apicurio-database:
    image: postgres:14.5
    environment:
      POSTGRES_DB: apicuriodb
      POSTGRES_USER: apicurio
      POSTGRES_PASSWORD: Test123!
    command:
      - postgres
      - -c
      - log_statement=all
      - -c
      - log_destination=stderr
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - apicurio-database:/var/lib/postgresql/data
    networks:
      - internal
volumes:
  apicurio-database:
networks:
  network_traefik:
    external: true
  internal:

Possibly related issues

#2003

@EricWittmann added the labels bug, component/studio, security, priority/normal and removed the label security on Nov 14, 2022
@GeneralLuzi

Hello @carlesarnal,
any news on that topic?
THX !

@carlesarnal
Member

No sorry, I haven't looked into this yet. Setting this kind of setup is always tricky, especially from a Keycloak POV. I'll update the issue as soon as I can.

@jscheytt
Author

Thanks for looking into this @carlesarnal! Let me know if I can assist with more details or maybe a synchronous call for screen sharing.

@syalioune

Hello, I've just had a similar issue which I resolved by setting the env variable APICURIO_OIDC_REDIRECT_HTTPS to false for the apicurio-studio-ui container.
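
A small preflight check for the mismatch described in this issue, added here as an example and not part of Apicurio Studio: it reads the apicurio-ui environment and Traefik labels from a stack manifest and reports when the OIDC redirect_uri scheme will not match the scheme Traefik actually serves. It assumes the Traefik entrypoint names `web` (http) and `websecure` (https), and that APICURIO_OIDC_REDIRECT_HTTPS overrides the scheme when set and the Keycloak URL scheme is followed otherwise (the behaviour observed in the report).

```python
import re
from urllib.parse import urlsplit

# Assumption: Traefik entrypoint names used for plain http and for TLS.
HTTP_ENTRYPOINTS = {"web"}
HTTPS_ENTRYPOINTS = {"websecure"}

def parse_labels(labels):
    """Turn compose-style 'key=value' deploy labels into a dict."""
    return dict(label.partition("=")[::2] for label in labels)

def public_scheme_and_host(labels, router):
    """Scheme and host under which Traefik exposes the given router."""
    eps = {e.strip() for e in labels.get(f"traefik.http.routers.{router}.entrypoints", "").split(",")}
    scheme = "https" if eps & HTTPS_ENTRYPOINTS else "http" if eps & HTTP_ENTRYPOINTS else None
    m = re.search(r"Host\(`([^`]+)`\)", labels.get(f"traefik.http.routers.{router}.rule", ""))
    return scheme, (m.group(1) if m else None)

def redirect_scheme(env):
    """Scheme the UI will put into the OIDC redirect_uri.
    Assumption: APICURIO_OIDC_REDIRECT_HTTPS wins when set; when unset the
    redirect follows the scheme of APICURIO_KC_AUTH_URL (as observed in the report)."""
    flag = env.get("APICURIO_OIDC_REDIRECT_HTTPS")
    if flag is not None:
        return "https" if flag.strip().lower() == "true" else "http"
    return urlsplit(env["APICURIO_KC_AUTH_URL"]).scheme

def check_ui_service(env, labels, router="apicurio-ui"):
    """Return (expected redirect_uri, list of findings) for one service definition."""
    labels = parse_labels(labels)
    pub_scheme, host = public_scheme_and_host(labels, router)
    rd_scheme = redirect_scheme(env)
    findings = []
    if pub_scheme and rd_scheme != pub_scheme:
        wanted = "true" if pub_scheme == "https" else "false"
        findings.append(f"redirect_uri will use {rd_scheme} but Traefik router '{router}' only serves "
                        f"{pub_scheme}: set APICURIO_OIDC_REDIRECT_HTTPS={wanted}")
    if pub_scheme == "http":
        findings.append("UI is served over plain http: the OIDC authorization code and session "
                        "cookies cross the network unencrypted; terminate TLS at Traefik instead")
    return f"{rd_scheme}://{host}/", findings

# Constructed sample mirroring the apicurio-ui service from the report (anonymized values).
ISSUE_ENV = {"APICURIO_KC_AUTH_URL": "https://keycloak.company.tld/auth",
             "APICURIO_KC_CLIENT_ID": "apicurio-studio", "APICURIO_KC_REALM": "production"}
ISSUE_LABELS = ["traefik.enable=true",
                "traefik.http.routers.apicurio-ui.rule=Host(`apicurio.company.tld`)",
                "traefik.http.routers.apicurio-ui.entrypoints=web"]

if __name__ == "__main__":
    for env in (ISSUE_ENV, {**ISSUE_ENV, "APICURIO_OIDC_REDIRECT_HTTPS": "false"}):
        uri, findings = check_ui_service(env, ISSUE_LABELS)
        print(uri, *findings, sep="\n  ")
```

Run against the manifest above it flags the https redirect_uri and names the variable; with the variable set to false only the plain-http warning remains.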

@carlesarnal
Member

Hi!
I completely forgot about this issue, sorry. Yes, setting that environment variable should help, but please note that for that to work you must use the Quarkus-based version of Studio (which btw is now the default one when you download our latest release).

Thanks for sharing your experience @syalioune

@jscheytt
Author

Setting this variable also fixed the issue on our end. Thanks a lot @syalioune!

@syalioune

> Thanks for sharing your experience @syalioune

No pb 👍 ! @carlesarnal would you be interested in a PR that sets a sound default value for the different deployment methods (compose, helm, ...)?

@EricWittmann
Member

For sure! Thanks @syalioune
