ibuetler/docker-keycloak-traefik-workshop

Keycloak gatekeeper part - logs: unable to exchange code for access token

thepenguinthatwants opened this issue · 3 comments

Does it need to run on https or self signed https to work?

I was trying this on my localhost, and my own traefik services run on http instead of https, with the aim of simplifying testing.

from traefik dashboard I could go to keycloak by

https://192.168.16.6:8443/auth/

If I tried by auth.localhost I get
Internal Server Error

I've defined this on my labels on docker-compose.yml file.

- traefik.frontend.rule=Host:auth.localhost

So that's the case.

I actually did all the steps, but for some reason when I try ttyd.idocker.hacking-lab.com from my browser I see nothing, just an empty page.


keycloak-gatekeeper_1  | 1.563097944883696e+09  info    starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "v2.3.0 (git+sha: f46123c-dirty, built: 10-04-2019)"}
keycloak-gatekeeper_1  | 1.5630979448838518e+09 info    attempting to retrieve configuration discovery url      {"url": "https://auth.idocker.hacking-lab.com/auth/realms/master", "timeout": "30s"}
keycloak-gatekeeper_1  | 1.5630979449334893e+09 info    successfully retrieved openid configuration from the discovery
keycloak-gatekeeper_1  | 1.5630979449419496e+09 info    enabled reverse proxy mode, upstream url        {"url": "http://ttyd:7681/"}
keycloak-gatekeeper_1  | 1.5630979449420738e+09 info    using session cookies only for access and refresh tokens
keycloak-gatekeeper_1  | 1.563097944942098e+09  info    protecting resource     {"resource": "uri: /*, methods: GET, required: authentication only"}
keycloak-gatekeeper_1  | 1.5630979449421566e+09 info    protecting resource     {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:prod-vpn"}
keycloak-gatekeeper_1  | 1.563097944942382e+09  info    protecting resource     {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:commons-prod-vpn"}
keycloak-gatekeeper_1  | 1.5630979449428468e+09 info    keycloak proxy service starting {"interface": ":3000"}
keycloak-gatekeeper_1  | 1.563097950496966e+09  info    starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "v2.3.0 (git+sha: f46123c-dirty, built: 10-04-2019)"}
keycloak-gatekeeper_1  | 1.5630979504971445e+09 info    attempting to retrieve configuration discovery url      {"url": "https://auth.idocker.hacking-lab.com/auth/realms/master", "timeout": "30s"}
keycloak-gatekeeper_1  | 1.5630979505100758e+09 info    successfully retrieved openid configuration from the discovery
keycloak-gatekeeper_1  | 1.5630979505166738e+09 info    enabled reverse proxy mode, upstream url        {"url": "http://ttyd:7681/"}
keycloak-gatekeeper_1  | 1.5630979505167863e+09 info    using session cookies only for access and refresh tokens
keycloak-gatekeeper_1  | 1.563097950516841e+09  info    protecting resource     {"resource": "uri: /*, methods: GET, required: authentication only"}
keycloak-gatekeeper_1  | 1.5630979505169065e+09 info    protecting resource     {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:prod-vpn"}
keycloak-gatekeeper_1  | 1.56309795051692e+09   info    protecting resource     {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:commons-prod-vpn"}
keycloak-gatekeeper_1  | 1.5630979505171294e+09 info    keycloak proxy service starting {"interface": ":3000"}
keycloak-gatekeeper_1  | 1.5630980393254428e+09 error   no session found in request, redirecting for authorization      {"error": "authentication session not found"}
keycloak-gatekeeper_1  | 1.563098039575422e+09  error   unable to verify the id token   {"error": "oidc: JWT claims invalid: invalid claims, cannot find 'client_id' in 'aud' claim, aud=[master-realm account], client_id=ttyd"}
keycloak-gatekeeper_1  | 1.56309804227599e+09   error   unable to exchange code for access token        {"error": "invalid_grant: Code not valid"}
keycloak-gatekeeper_1  | 1.5630980447973506e+09 error   unable to exchange code for access token        {"error": "invalid_grant: Code not valid"}

The secret associated to the 'client' application should be right.

I am also wondering what the reason is for separating those images into different networks,
transit_idp and transit_ttyd. What problems would occur if one used only one network for all of that?

Otherwise, thanks a lot for this repo. Got the keycloak management to open up and learned more about it.

If you use keycloak in http mode, this may violate the cookie flags (secure). You can share the same network if you like, but I prefer to have them separated. traefik must know all docker networks, but a user residing in the ttyd docker network should not be able to access keycloak directly. That's why.

To fix the token exchange, please see the solution here: #11

If you want to use keycloak in http mode, you need to add the following config to your Keycloak Gate Keeper:

# make sure to use this config ONLY for DEVELOPMENT / TESTING purposes
# to avoid "the cookie is set to secure but your redirection url is non-tls"
# src https://github.com/keycloak/keycloak-gatekeeper/blob/9c5c77dad799f5c4cf78e0a0650f327819e9190c/doc.go#L264
secure-cookie: false
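An added example, not taken from the workshop repository or from the maintainer's comment: a complete Keycloak Gatekeeper config file that shows the production values next to the development-only override described above. The hostnames, client id, upstream and role names are modelled on the log lines in this issue; the client secret, encryption key and listen address are placeholders and must be replaced. Option names are those of keycloak-gatekeeper (the v2.x line shown in the logs).

```yaml
# keycloak-gatekeeper configuration (added example, placeholders throughout)

# OIDC discovery document of the realm; the gatekeeper logs
# "attempting to retrieve configuration discovery url" with this value.
discovery-url: https://auth.idocker.hacking-lab.com/auth/realms/master

# The Keycloak client the gatekeeper authenticates as. The ID token's
# "aud" claim must contain this value or the gatekeeper rejects it
# (see the "cannot find 'client_id' in 'aud' claim" line in the logs).
client-id: ttyd
client-secret: CHANGE-ME-client-secret        # placeholder

listen: :3000                                  # matches "interface": ":3000" in the logs
upstream-url: http://ttyd:7681/                # protected service, reachable only via the gatekeeper

# Where Keycloak sends the browser back with the authorization code.
# PRODUCTION: must be https, and the same host the user types in.
redirection-url: https://ttyd.idocker.hacking-lab.com

# PRODUCTION defaults: cookies carry Secure and HttpOnly.
secure-cookie: true
http-only-cookie: true

# Session cookies only (the logs say "using session cookies only");
# set enable-refresh-tokens: true plus an encryption-key to store
# refresh tokens in an encrypted cookie instead.
enable-refresh-tokens: false
# encryption-key: CHANGE-ME-32-byte-key        # placeholder, required if refresh tokens are enabled

resources:
  - uri: /*
    methods:
      - GET
    # no roles: "authentication only", as in the logs
  - uri: /admin/*
    methods:
      - GET
    roles:
      - openvpn:vpn-user
      - openvpn:prod-vpn

# ---------------------------------------------------------------------
# DEVELOPMENT / TESTING ONLY (plain http behind traefik, as in this issue):
# replace the two production lines above with the following. A Secure
# cookie is never sent back over http, so with secure-cookie: true the
# browser loops on "no session found in request" after every login.
#
# redirection-url: http://ttyd.localhost
# secure-cookie: false
# ---------------------------------------------------------------------
```

The development override only changes how the session cookie is issued; it does not address the "unable to verify the id token ... cannot find 'client_id' in 'aud' claim" error in the logs, which is a Keycloak client configuration problem and is the one the maintainer refers to issue #11 for.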