Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error Status code: 403 with keycloak #62

Closed
shizidushu opened this issue May 30, 2018 · 6 comments
Closed

Error Status code: 403 with keycloak #62

shizidushu opened this issue May 30, 2018 · 6 comments
Labels
bug

Comments

@shizidushu
Copy link

I previously ask a question in community support. Now I guess it may be a bug so put it here with more details

shiny:
  proxy:
    port: 8080
    authentication: keycloak
    admin-groups: admins
    keycloak:
      realm: 'shinyproxy'
      auth-server-url: 'http://***.***.***.**:8180/auth'
      resource: 'shinyapps'
      credentials-secret: *****************
    docker:
      internal-networking: true
  apps:
   - name: 001_hello
     display-name: Hello Application
     description: Application which demonstrates the basics of a Shiny app
     docker-cmd: ["R", "-e", "shiny::runApp('/root/shinyapps/001-hello')"]
     docker-image: shizidushu/shinyproxy-apps-in-use:latest
     docker-network: net-overlay
   - name: text
     display-name: text
     description: Application which demonstrates the basics of a Shiny app
     docker-cmd: ["R", "-e", "shiny::runApp('/root/shinyapps/002-text')"]
     docker-image: shizidushu/shinyproxy-apps-in-use:latest
     docker-network: net-overlay

logging:
  file:
    shinyproxy.log

I run Shinyproxy(1.1.1) in container. And it works well with simple authentication.

When I open http://...:8080/, it automatically redirect to http://...:8080/sso/login and then returns error.

It displays:

Error

Status code: 403

Message:

Stack Trace:

I check the network in browser, it show it first send a GET request to http://...:8080/auth with 302 returned then it send a GET request to http://...:8080/sso/login with 403 returned.

And when I try to open http://..*.:8080/login directly in browser and log in, it returns 405 error.
@fmichielssen
Copy link
Member

Hi @shizidushu ,

The expexted behaviour is this:

/ -> 302 redirect /sso/login

/sso/login -> 302 redirect http://your-keycloak-server/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=...

If you are getting a 403 instead of the second redirect, there may be an issue with the keycloak settings.
Can you please enable logging for keycloak like this?

logging:
  level:
    org.keycloak: debug

And then observe the output of shinyproxy. It should list logging similar to this:

2018-05-31 11:50:28.830 DEBUG 14052 --- [  XNIO-2 task-2] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8080/sso/login
2018-05-31 11:50:28.831 DEBUG 14052 --- [  XNIO-2 task-2] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2018-05-31 11:50:28.831 DEBUG 14052 --- [  XNIO-2 task-2] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2018-05-31 11:50:28.851 DEBUG 14052 --- [  XNIO-2 task-2] o.k.a.s.token.SpringSecurityTokenStore   : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@47dbe476 is cached
2018-05-31 11:50:28.853 DEBUG 14052 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : there was no code
2018-05-31 11:50:28.854 DEBUG 14052 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : redirecting to auth server
2018-05-31 11:50:28.855 DEBUG 14052 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : callback uri: http://localhost:8080/sso/login
2018-05-31 11:50:28.860 DEBUG 14052 --- [  XNIO-2 task-2] f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
2018-05-31 11:50:28.861 DEBUG 14052 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : Sending redirect to login page: http://localhost:8081/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=shinyproxy&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsso%2Flogin&state=d391a0a1-38ca-4cd8-8d4f-1a1973219f79&login=true&scope=openid

@shizidushu
Copy link
Author

shizidushu commented May 31, 2018
edited 

2018-05-31 12:00:42.553  INFO 1 --- [           main] e.o.shinyproxy.ShinyProxyApplication     : Starting ShinyProxyApplication v1.1.1 on c44bce19bb61 with PID 1 (/opt/shinyproxy/shinyproxy.jar started by root in /opt/shinyproxy)
2018-05-31 12:00:42.568  INFO 1 --- [           main] e.o.shinyproxy.ShinyProxyApplication     : No active profile set, falling back to default profiles: default
2018-05-31 12:00:43.345  INFO 1 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@5d22bbb7: startup date [Thu May 31 12:00:43 UTC 2018]; root of context hierarchy
2018-05-31 12:00:45.284  INFO 1 --- [           main] f.a.AutowiredAnnotationBeanPostProcessor : JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
2018-05-31 12:00:45.771  INFO 1 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$25a3194a] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2018-05-31 12:00:46.927 DEBUG 1 --- [           main] o.k.a.undertow.KeycloakServletExtension  : auth-method is not keycloak!
2018-05-31 12:00:46.952  INFO 1 --- [           main] org.xnio                                 : XNIO version 3.3.6.Final
2018-05-31 12:00:46.980  INFO 1 --- [           main] org.xnio.nio                             : XNIO NIO Implementation Version 3.3.6.Final
2018-05-31 12:00:47.104  WARN 1 --- [           main] io.undertow.websockets.jsr               : UT026009: XNIO worker was not set on WebSocketDeploymentInfo, the default worker will be used
2018-05-31 12:00:47.105  WARN 1 --- [           main] io.undertow.websockets.jsr               : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2018-05-31 12:00:47.145  INFO 1 --- [           main] io.undertow.servlet                      : Initializing Spring embedded WebApplicationContext
2018-05-31 12:00:47.146  INFO 1 --- [           main] o.s.web.context.ContextLoader            : Root WebApplicationContext: initialization completed in 3813 ms
2018-05-31 12:00:47.938 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'shinyapps'
2018-05-31 12:00:47.942 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-31 12:00:47.944 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-31 12:00:47.947 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-31 12:00:47.948 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-31 12:00:48.000 DEBUG 1 --- [           main] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
2018-05-31 12:00:48.008 DEBUG 1 --- [           main] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: http://remote_ip_address:8180/auth, tokenUrl: http://remote_ip_address:8180/auth/realms/shinyproxy/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-31 12:00:48.182  INFO 1 --- [           main] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'characterEncodingFilter' to: [/*]
2018-05-31 12:00:48.186  INFO 1 --- [           main] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
2018-05-31 12:00:48.187  INFO 1 --- [           main] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'httpPutFormContentFilter' to: [/*]
2018-05-31 12:00:48.188  INFO 1 --- [           main] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'requestContextFilter' to: [/*]
2018-05-31 12:00:48.190  INFO 1 --- [           main] .s.DelegatingFilterProxyRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2018-05-31 12:00:48.191  INFO 1 --- [           main] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'keycloakAuthenticationProcessingFilter' to: [/*]
2018-05-31 12:00:48.192  INFO 1 --- [           main] o.s.b.w.servlet.FilterRegistrationBean   : Mapping filter: 'keycloakPreAuthActionsFilter' to: [/*]
2018-05-31 12:00:48.193  INFO 1 --- [           main] o.s.b.w.servlet.ServletRegistrationBean  : Mapping servlet: 'dispatcherServlet' to [/]
2018-05-31 12:00:48.351  INFO 1 --- [           main] e.o.s.stats.StatCollectorRegistry        : Disabled. Usage statistics will not be processed.
2018-05-31 12:00:48.876  INFO 1 --- [           main] o.s.j.d.e.EmbeddedDatabaseFactory        : Starting embedded database: url='jdbc:h2:mem:shinyproxy-social;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=false', username='sa'
2018-05-31 12:00:49.335  INFO 1 --- [           main] o.s.jdbc.datasource.init.ScriptUtils     : Executing SQL script from class path resource [org/springframework/social/connect/jdbc/JdbcUsersConnectionRepository.sql]
2018-05-31 12:00:49.355  INFO 1 --- [           main] o.s.jdbc.datasource.init.ScriptUtils     : Executed SQL script from class path resource [org/springframework/social/connect/jdbc/JdbcUsersConnectionRepository.sql] in 19 ms.
2018-05-31 12:00:49.639 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'shinyapps'
2018-05-31 12:00:49.642 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-31 12:00:49.643 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-31 12:00:49.647 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-31 12:00:49.647 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-31 12:00:49.654 DEBUG 1 --- [           main] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
2018-05-31 12:00:49.656 DEBUG 1 --- [           main] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: http://remote_ip_address:8180/auth, tokenUrl: http://remote_ip_address:8180/auth/realms/shinyproxy/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-31 12:00:49.657 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'shinyapps'
2018-05-31 12:00:49.659 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-31 12:00:49.660 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-31 12:00:49.662 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-31 12:00:49.663 DEBUG 1 --- [           main] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-31 12:00:49.669 DEBUG 1 --- [           main] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
2018-05-31 12:00:49.670 DEBUG 1 --- [           main] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: http://remote_ip_address:8180/auth, tokenUrl: http://remote_ip_address:8180/auth/realms/shinyproxy/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-31 12:00:49.672  INFO 1 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/css/**'], []
2018-05-31 12:00:49.672  INFO 1 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/webjars/**'], []
2018-05-31 12:00:49.789  INFO 1 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@a3d8174, org.springframework.security.web.context.SecurityContextPersistenceFilter@65f095f8, org.springframework.security.web.header.HeaderWriterFilter@68c72235, org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter@1ba9117e, org.springframework.security.web.authentication.logout.LogoutFilter@2cd2a21f, org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter@732c2a62, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3e6ef8ad, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@747edf66, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@272ed83b, org.springframework.security.web.session.SessionManagementFilter@3a6bb9bf, org.springframework.security.web.access.ExceptionTranslationFilter@61386958, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2f8dad04]
2018-05-31 12:00:50.013  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerAdapter : Looking for @ControllerAdvice: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@5d22bbb7: startup date [Thu May 31 12:00:43 UTC 2018]; root of context hierarchy
2018-05-31 12:00:50.134  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error]}" onto java.lang.String eu.openanalytics.shinyproxy.controllers.ErrorController.handleError(org.springframework.ui.ModelMap,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
2018-05-31 12:00:50.136  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/heartbeat/**]}" onto void eu.openanalytics.shinyproxy.controllers.HeartbeatController.heartbeat(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
2018-05-31 12:00:50.137  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/]}" onto java.lang.String eu.openanalytics.shinyproxy.controllers.IndexController.index(org.springframework.ui.ModelMap,javax.servlet.http.HttpServletRequest)
2018-05-31 12:00:50.138  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/issue],methods=[POST]}" onto public java.lang.String eu.openanalytics.shinyproxy.controllers.IssueController.postIssue(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
2018-05-31 12:00:50.139  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/admin]}" onto java.lang.String eu.openanalytics.shinyproxy.controllers.AdminController.admin(org.springframework.ui.ModelMap,javax.servlet.http.HttpServletRequest)
2018-05-31 12:00:50.140  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/login],methods=[GET]}" onto public java.lang.String eu.openanalytics.shinyproxy.controllers.LoginController.getLoginPage(java.util.Optional<java.lang.String>,org.springframework.ui.ModelMap,javax.servlet.http.HttpServletRequest)
2018-05-31 12:00:50.141  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/app/*],methods=[GET]}" onto java.lang.String eu.openanalytics.shinyproxy.controllers.AppController.app(org.springframework.ui.ModelMap,javax.servlet.http.HttpServletRequest)
2018-05-31 12:00:50.141  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/app/*],methods=[POST]}" onto java.lang.String eu.openanalytics.shinyproxy.controllers.AppController.startApp(javax.servlet.http.HttpServletRequest)
2018-05-31 12:00:50.162  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}/{providerUserId}],methods=[DELETE]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.removeConnection(java.lang.String,java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.163  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}],methods=[GET],params=[error]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.oauth2ErrorCallback(java.lang.String,java.lang.String,java.lang.String,java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.163  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}],methods=[GET]}" onto public java.lang.String org.springframework.social.connect.web.ConnectController.connectionStatus(java.lang.String,org.springframework.web.context.request.NativeWebRequest,org.springframework.ui.Model)
2018-05-31 12:00:50.164  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect],methods=[GET]}" onto public java.lang.String org.springframework.social.connect.web.ConnectController.connectionStatus(org.springframework.web.context.request.NativeWebRequest,org.springframework.ui.Model)
2018-05-31 12:00:50.164  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}],methods=[GET],params=[code]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.oauth2Callback(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.165  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}],methods=[GET],params=[oauth_token]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.oauth1Callback(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.165  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}],methods=[DELETE]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.removeConnections(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.166  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/connect/{providerId}],methods=[POST]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ConnectController.connect(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.170  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/signin/{providerId}],methods=[GET],params=[error]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ProviderSignInController.oauth2ErrorCallback(java.lang.String,java.lang.String,java.lang.String,java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.170  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/signin/{providerId}],methods=[GET],params=[code]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ProviderSignInController.oauth2Callback(java.lang.String,java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.171  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/signin/{providerId}],methods=[GET],params=[oauth_token]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ProviderSignInController.oauth1Callback(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.172  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/signin/{providerId}],methods=[POST]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ProviderSignInController.signIn(java.lang.String,org.springframework.web.context.request.NativeWebRequest)
2018-05-31 12:00:50.173  INFO 1 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/signin/{providerId}],methods=[GET]}" onto public org.springframework.web.servlet.view.RedirectView org.springframework.social.connect.web.ProviderSignInController.canceledAuthorizationCallback()
2018-05-31 12:00:50.345  INFO 1 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2018-05-31 12:00:50.346  INFO 1 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2018-05-31 12:00:50.480  INFO 1 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2018-05-31 12:00:51.148  INFO 1 --- [           main] o.s.l.c.support.AbstractContextSource    : Property 'userDn' not set - anonymous context will be used for read-write operations
2018-05-31 12:00:51.414  INFO 1 --- [           main] o.s.j.e.a.AnnotationMBeanExporter        : Registering beans for JMX exposure on startup
2018-05-31 12:00:51.505  INFO 1 --- [           main] b.c.e.u.UndertowEmbeddedServletContainer : Undertow started on port(s) 8080 (http)
2018-05-31 12:00:51.511  INFO 1 --- [           main] e.o.shinyproxy.ShinyProxyApplication     : Started ShinyProxyApplication in 9.948 seconds (JVM running for 10.874)

Above is the shinyproxy log when start.

Here is when I open browser:

2018-05-31 12:09:08.171 DEBUG 1 --- [  XNIO-2 task-1] o.k.adapters.PreAuthActionsHandler       : adminRequest http://remote_ip_address:8080/
2018-05-31 12:09:08.197 DEBUG 1 --- [  XNIO-2 task-1] o.k.a.s.management.HttpSessionManager    : Session created: 0z-gpoKvTsn04Dqu4gJIrfHPk82ZZmY2hl4yXTwW
2018-05-31 12:09:08.200 DEBUG 1 --- [  XNIO-2 task-1] k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login
2018-05-31 12:09:08.261 DEBUG 1 --- [  XNIO-2 task-2] o.k.adapters.PreAuthActionsHandler       : adminRequest http://remote_ip_address:8080/sso/login
2018-05-31 12:09:08.262 DEBUG 1 --- [  XNIO-2 task-2] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2018-05-31 12:09:08.262 DEBUG 1 --- [  XNIO-2 task-2] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2018-05-31 12:09:08.274 DEBUG 1 --- [  XNIO-2 task-2] o.k.a.s.token.SpringSecurityTokenStore   : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator@af81e2b is cached
2018-05-31 12:09:08.276 DEBUG 1 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : there was no code
2018-05-31 12:09:08.276 DEBUG 1 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : redirecting to auth server
2018-05-31 12:09:08.277 DEBUG 1 --- [  XNIO-2 task-2] o.k.adapters.OAuthRequestAuthenticator   : callback uri: http://remote_ip_address:8080/sso/login
2018-05-31 12:09:08.279 DEBUG 1 --- [  XNIO-2 task-2] f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
2018-05-31 12:09:08.286  INFO 1 --- [  XNIO-2 task-2] io.undertow.servlet                      : Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-05-31 12:09:08.286  INFO 1 --- [  XNIO-2 task-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2018-05-31 12:09:08.314  INFO 1 --- [  XNIO-2 task-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 27 ms

Below is Keycloak OIDC JSON

{
  "realm": "shinyproxy",
  "auth-server-url": "http://remote_ip_address:8180/auth",
  "ssl-required": "none",
  "resource": "shinyapps",
  "credentials": {
    "secret": "39e***039-94b1-4e94-95b0-86*********"
  },
  "confidential-port": 0,
  "policy-enforcer": {}
}

Besides, I use jboss/keycloak image to run keycloak

@shizidushu
Copy link
Author

@fmichielssen Any suggestion to fix this issue?

@fmichielssen
Copy link
Member

Hi @shizidushu ,

Upon closer inspection, this looks like a bug indeed. ShinyProxy currently has no setting for ssl-required, and will default to EXTERNAL. This causes the 403 error because the keycloak URL is an external address for ShinyProxy and thus will require ssl.

@tverbeke
Copy link
Member

tverbeke commented Aug 3, 2018

ShinyProxy 2.0.1 supports setting the SSL/HTTPS modes in the Keycloak back-end for single sign-on (proxy.keycloak.ssl-required); it can be one of none, all or external (default).

@tverbeke tverbeke closed this as completed Aug 3, 2018
@shizidushu
Copy link
Author

Thank you very much. Now it shows the login page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fmichielssen @tverbeke @shizidushu