Keycloak gatekeeper part - logs: unable to exchange code for access token
thepenguinthatwants opened this issue · 3 comments
Does it need to run on https or self signed https to work?
I was trying this on my localhost, and my own traefik services run on http instead of https, with simplifying testing in mind.
From the traefik dashboard I could go to keycloak via
https://192.168.16.6:8443/auth/
If I try via auth.localhost I get
Internal Server Error
I've defined this in my labels in the docker-compose.yml file.
- traefik.frontend.rule=Host:auth.localhost
So that's the case.
I actually did all the steps, but for some reason when I try ttyd.idocker.hacking-lab.com from my browser I see nothing, just an empty page.
keycloak-gatekeeper_1 | 1.563097944883696e+09 info starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "v2.3.0 (git+sha: f46123c-dirty, built: 10-04-2019)"}
keycloak-gatekeeper_1 | 1.5630979448838518e+09 info attempting to retrieve configuration discovery url {"url": "https://auth.idocker.hacking-lab.com/auth/realms/master", "timeout": "30s"}
keycloak-gatekeeper_1 | 1.5630979449334893e+09 info successfully retrieved openid configuration from the discovery
keycloak-gatekeeper_1 | 1.5630979449419496e+09 info enabled reverse proxy mode, upstream url {"url": "http://ttyd:7681/"}
keycloak-gatekeeper_1 | 1.5630979449420738e+09 info using session cookies only for access and refresh tokens
keycloak-gatekeeper_1 | 1.563097944942098e+09 info protecting resource {"resource": "uri: /*, methods: GET, required: authentication only"}
keycloak-gatekeeper_1 | 1.5630979449421566e+09 info protecting resource {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:prod-vpn"}
keycloak-gatekeeper_1 | 1.563097944942382e+09 info protecting resource {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:commons-prod-vpn"}
keycloak-gatekeeper_1 | 1.5630979449428468e+09 info keycloak proxy service starting {"interface": ":3000"}
keycloak-gatekeeper_1 | 1.563097950496966e+09 info starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "v2.3.0 (git+sha: f46123c-dirty, built: 10-04-2019)"}
keycloak-gatekeeper_1 | 1.5630979504971445e+09 info attempting to retrieve configuration discovery url {"url": "https://auth.idocker.hacking-lab.com/auth/realms/master", "timeout": "30s"}
keycloak-gatekeeper_1 | 1.5630979505100758e+09 info successfully retrieved openid configuration from the discovery
keycloak-gatekeeper_1 | 1.5630979505166738e+09 info enabled reverse proxy mode, upstream url {"url": "http://ttyd:7681/"}
keycloak-gatekeeper_1 | 1.5630979505167863e+09 info using session cookies only for access and refresh tokens
keycloak-gatekeeper_1 | 1.563097950516841e+09 info protecting resource {"resource": "uri: /*, methods: GET, required: authentication only"}
keycloak-gatekeeper_1 | 1.5630979505169065e+09 info protecting resource {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:prod-vpn"}
keycloak-gatekeeper_1 | 1.56309795051692e+09 info protecting resource {"resource": "uri: /admin/*, methods: GET, required: openvpn:vpn-user,openvpn:commons-prod-vpn"}
keycloak-gatekeeper_1 | 1.5630979505171294e+09 info keycloak proxy service starting {"interface": ":3000"}
keycloak-gatekeeper_1 | 1.5630980393254428e+09 error no session found in request, redirecting for authorization {"error": "authentication session not found"}
keycloak-gatekeeper_1 | 1.563098039575422e+09 error unable to verify the id token {"error": "oidc: JWT claims invalid: invalid claims, cannot find 'client_id' in 'aud' claim, aud=[master-realm account], client_id=ttyd"}
keycloak-gatekeeper_1 | 1.56309804227599e+09 error unable to exchange code for access token {"error": "invalid_grant: Code not valid"}
keycloak-gatekeeper_1 | 1.5630980447973506e+09 error unable to exchange code for access token {"error": "invalid_grant: Code not valid"}
The secret associated with the 'client' application should be right.
I am also wondering what's the reason to separate those images into different networks?
transit_idp and transit_ttyd: what problems would occur if one used only one network for all of that?
Otherwise, thanks a lot for this repo. Got the keycloak management to open up and learned more about it.
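The "cannot find 'client_id' in 'aud' claim" line in the log above is the ID-token audience check failing: the token Keycloak issued names `master-realm` and `account` as audiences, but the gatekeeper is configured as client `ttyd`, and a relying party must reject an ID token whose `aud` does not include its own client_id (OIDC Core 3.1.3.7). The following is an added example, not code from keycloak-gatekeeper or from this repo, that reproduces that check offline. It mints HS256 tokens with a constructed shared key purely so the verifier has something to run against (real Keycloak ID tokens are RS256-signed with the realm key published via the discovery document); the claim values, the `NOW` timestamp and the function names are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo (not from the issue): a shared HMAC key and
# the gatekeeper's client/issuer settings. Real Keycloak tokens are RS256-signed
# with the realm key from the discovery document; HS256 is used only so the
# example runs offline.
DEMO_KEY = b"demo-shared-secret"
CLIENT_ID = "ttyd"
ISSUER = "https://auth.idocker.hacking-lab.com/auth/realms/master"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT (demo only) so the verifier below has input to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, client_id: str, issuer: str,
                    key: bytes = DEMO_KEY, now=None) -> dict:
    """Check signature, issuer, audience, azp and expiry; raise ValueError on failure.

    Audience rule per OIDC Core 3.1.3.7: 'aud' may be a string or a list and must
    contain this relying party's client_id; with several audiences, 'azp' must
    also name this client.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")

    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud_list:
        # This is the condition behind the gatekeeper log line in the issue.
        raise ValueError(f"cannot find '{client_id}' in 'aud' claim, aud={aud_list}")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError(f"multiple audiences but azp={claims.get('azp')!r}")

    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def check_token(token: str, client_id: str = CLIENT_ID, issuer: str = ISSUER, now=None):
    """Return (ok, reason) instead of raising, for quick inspection of a token."""
    try:
        verify_id_token(token, client_id, issuer, now=now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


NOW = 1_563_098_039  # roughly the epoch time of the log lines in the issue (constructed)

# Token shaped like the one the log complains about: aud names the realm client
# and 'account', but not the gatekeeper's own client_id 'ttyd'.
BAD = make_id_token({"iss": ISSUER, "sub": "user", "aud": ["master-realm", "account"],
                     "azp": "ttyd", "exp": NOW + 300})
# Token a correctly configured client would receive: 'ttyd' is in aud and is the azp.
GOOD = make_id_token({"iss": ISSUER, "sub": "user", "aud": ["ttyd", "account"],
                      "azp": "ttyd", "exp": NOW + 300})

if __name__ == "__main__":
    for name, tok in (("bad", BAD), ("good", GOOD)):
        print(name, check_token(tok, now=NOW))
```

Running it prints the same rejection reason as the gatekeeper log for the first token and accepts the second; in a real deployment the fix lives on the Keycloak side (the client's token must carry its own client_id in `aud`), not in relaxing this check.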
If you use keycloak in http mode, this may violate the cookie flags (secure). You can share the same network if you like, but I prefer to have them separated. traefik must know all docker networks, but a user residing in the ttyd docker network should not be able to access keycloak directly. That's why.
To fix the token exchange, please see the solution here: #11
If you want to use keycloak in http mode, you need to add the following config to your Keycloak Gate Keeper:
```yaml
# make sure to use this config ONLY for DEVELOPMENT / TESTING purposes
# to avoid "the cookie is set to secure but your redirection url is non-tls"
# src https://github.com/keycloak/keycloak-gatekeeper/blob/9c5c77dad799f5c4cf78e0a0650f327819e9190c/doc.go#L264
secure-cookie: false
```