keycloak's access token is validated as github access token by oauth2 #8505

htdat148 · 2021-09-29T14:57:45Z

htdat148
Sep 29, 2021

I have some microservices that need to be protected with authentication. So that I used OAuth2 + Keycloak. You can find the detailed configurations.

  keycloak:
    image: quay.io/keycloak/keycloak:15.0.2
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
        - "traefik.http.routers.keycloak.entrypoints=websecure"
        - "traefik.http.routers.keycloak.tls=true"
        - "traefik.http.routers.keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.keycloak.service=keycloak-svc"
        - "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
    environment:
      - "DB_VENDOR=POSTGRES"
      - "DB_ADDR=postgis"
      - "DB_DATABASE=${POSTGRES_DB}"
      - "DB_USER=${POSTGRES_USER}"
      - "DB_PASSWORD=${POSTGRES_PASSWORD}"
      - "KEYCLOAK_USER="
      - "KEYCLOAK_PASSWORD="
      - "PROXY_ADDRESS_FORWARDING=true"
      - "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO

  grafana:
    image: grafana/grafana
    deploy:
      resources:
        limits:
          memory: 256M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
        - "traefik.http.routers.grafana.entrypoints=websecure"
        - "traefik.http.routers.grafana.tls=true"
        - "traefik.http.routers.grafana.tls.certresolver=leresolver"
        # Basic HTTP authentication
        - "traefik.http.routers.grafana.middlewares=oauth-keycloak"
        # Set up service
        - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
        - "traefik.http.routers.grafana.service=grafana-svc"
    environment:
      - GF_SECURITY_ADMIN_USER=my-username
      - GF_SECURITY_ADMIN_PASSWORD=my-pasword
      - GF_USERS_ALLOW_SIGN_UP=true
    volumes:
      - "/home/app/grafana:/var/lib/grafana"

  oauth-keycloak:
    image: quay.io/oauth2-proxy/oauth2-proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
        - "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
        - "traefik.http.routers.oauth-keycloak.tls=true"
        - "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
        - "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
        # Set up middlewares
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
    environment:
      OAUTH2_PROXY_CLIENT_ID: 'development'
      OAUTH2_PROXY_CLIENT_SECRET: '' 
      OAUTH2_PROXY_PROVIDER: 'keycloak'
      OAUTH2_PROXY_SCOPE: 'profile email address phone'
      OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
      OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
      OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      
      OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'false'
      OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
      OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'

Here are these Valid Redirect URLs in keycloak client:

After successfully login in with Google Account, the keycloak generates an access token that is routed to the OAUth2 service for validating. Somehow, the OAuth2 thinks the access token was from github, not from the keycloak. You can see the logs:

123.28.110.207 - 78368701-f2b3-48c2-8f57-3a77a6b385f0 - - [2021/09/28 03:20:52] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000 [2021/09/28 03:21:06] [internal_util.go:64] GET https://keycloak.org/api/v3/user?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJvNXViN... [2021/09/28 03:21:06] [internal_util.go:65] token validation request failed: error performing request: Get "https://keycloak.org/api/v3/user?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJvNXViNgmU66CrcaFozOg": x509: certificate is valid for *.github.com, github.com, not keycloak.org
123.28.110.207 - a4f32698-44f4-463d-831e-93c292fb91ea - dathuynh@my-domain.com [2021/09/28 03:21:06] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true}
123.28.110.207 - a4f32698-44f4-463d-831e-93c292fb91ea - - [2021/09/28 03:21:05] grafana.my-domain.com GET - "/oauth2/callback?state=rVOsXkFxqswYCI8LhKTCOAUUjP76i8k3ltnqJcoxEDU%3Ahttps%3A%2F%2Fgrafana.my-domain.com%2F&session_state=36f8da18-6477-4a72-a7d2-10aadc5a0679&code=b9bbeb85-45bf-4fb5-ad31-cd6a59fc955f.36f8da18-6477-4a72-a7d2-10aadc5a0679.9f5b720c-0be6-44f0-946f-62e34ca0e5ec" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 63 0.955
123.28.110.207 - a25fe783-0e8f-48de-8040-80e77c98d35b - dathuynh@my-domain.com [2021/09/28 03:21:06] grafana.my-domain.com GET
- "/" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 404 19 0.000
123.28.110.207 - c5eeb805-c532-401b-aed4-d462b8b26d11 - dathuynh@my-domain.com [2021/09/28 03:21:07] grafana.my-domain.com GET
- "/" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 404 19 0.000

I might miss something in Keycloak/Oauth2 configuration but I don't really know. Any suggestions would be highly appreciated.

Answered by stianst

Sep 29, 2021

I would recommend asking for help in oauth2-proxy community, as this is not an issue with Keycloak.

View full answer

stianst · 2021-09-29T16:27:28Z

stianst
Sep 29, 2021
Maintainer

I would recommend asking for help in oauth2-proxy community, as this is not an issue with Keycloak.

4 replies

htdat148 Sep 30, 2021
Author

Thanks!!

htdat148 Sep 30, 2021
Author

Just found I missed the _proxy_ for VALIDATE_URL in OAuth configuration environment variables. It should be OAUTH2_PROXY_VALIDATE_URL.

htdat148 Sep 30, 2021
Author

But I am not sure why the oauth still can not validate, it said Keycloak did not provide the tocken

paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - dathuynh@my-domain.com [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true groups:[/pader]}

stianst Sep 30, 2021
Maintainer

Same recommendation here, ask in oauth2-proxy community ;)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

keycloak's access token is validated as github access token by oauth2 #8505

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

keycloak's access token is validated as github access token by oauth2 #8505

Uh oh!

Uh oh!

htdat148 Sep 29, 2021

Replies: 1 comment · 4 replies

Uh oh!

stianst Sep 29, 2021 Maintainer

Uh oh!

htdat148 Sep 30, 2021 Author

Uh oh!

htdat148 Sep 30, 2021 Author

Uh oh!

Uh oh!

htdat148 Sep 30, 2021 Author

Uh oh!

stianst Sep 30, 2021 Maintainer

htdat148
Sep 29, 2021

Replies: 1 comment 4 replies

stianst
Sep 29, 2021
Maintainer

htdat148 Sep 30, 2021
Author

htdat148 Sep 30, 2021
Author

htdat148 Sep 30, 2021
Author

stianst Sep 30, 2021
Maintainer