shinyproxy generate wrong redirect uri when using keycloak

Created on 19 Jun 2020  ·  16Comments  ·  Source: openanalytics/shinyproxy

Hello,

my setup is like this.

shinyproxy runs in a docker container with name shiny-proxy.

apache httpd reverse proxy runs before shinyproxy and convert it to https and runs on the host with port 2443
keycloak is also runs in docker container but the port is open on the host with 8443.

setup, application.xml

 keycloak:
    realm: shiny
    auth-server-url: https://keycloak:8443/auth
    #ssl-required: none
    ssl-required: external
    confidential-port: 2443
    verify-token-audience: true
    resource: shiny-proxy-p1
    credentials-secret: xxxxxxxxxxxx

apache reverse proxy configuration

<VirtualHost *:2443>
  SSLEngine on
  SSLCertificateFile    /etc/apache2/ssl/server-cert.pem
  SSLCertificateKeyFile /etc/apache2/ssl/server-cert.key
  #   Server Certificate Chain:
  #   Point SSLCertificateChainFile at a file containing the
  #   concatenation of PEM encoded CA certificates which form the
  #   certificate chain for the server certificate. Alternatively
  #   the referenced file can be the same as SSLCertificateFile
  #   when the CA certificates are directly appended to the server
  #   certificate for convinience.
  SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt


  <Proxy *>
    Allow from *
  </Proxy>

  RewriteEngine on
 RewriteCond %{HTTP:Upgrade} =websocket
 RewriteRule /(.*) ws://shiny-proxy:8080/$1 [P,L]
 RewriteCond %{HTTP:Upgrade} !=websocket
 RewriteRule /(.*) http://shiny-proxy:8080/$1 [P,L]
 ProxyPass / http://shiny-proxy:8080/
 ProxyPassReverse / http://shiny-proxy:8080/
 ProxyRequests Off

 ErrorLog ${APACHE_LOG_DIR}/proxy_error.log
 CustomLog ${APACHE_LOG_DIR}/proxy_access.log combined

</VirtualHost>

Let's say when access shinyprox via apache with URL https://lxsqlpocnd04:2443/
it will redirect to login page and the login page redirect request to Keycloak host lxsqlpocnd04 and port 8443. in that URL there is query string which includes redirect_uri but it is not the one expected.

the URL is like this
https://lxsqlpocnd04:8443/auth/realms/shiny/protocol/openid-connect/auth?response_type=code&client_id=shiny-proxy-p1&redirect_uri=http%3A%2F%2Fshiny-proxy%3A8080%2Fsso%2Flogin&state=00f5e087-e6a9-4768-8cf8-39d77500fea3&login=true&scope=openid

And the redirect_uri is http://shiny-proxy:8080/sso/login other than https://lxsqlpocnd04:2443/sso/login

could someone help ?

Thanks,

Robin

question
Source
picture robsonyeg

All 16 comments

Did you set this in application.yml?

server:
  useForwardHeaders: true

From here: https://www.shinyproxy.io/security/#https-ssl-tls

aiham picture aiham on 28 Jul 2020

Not sure what the Apache equivalent is but in nginx this is probably what fixes your issue:

    proxy_set_header  Host    $http_host;
aiham picture aiham on 28 Jul 2020

@aiham Thanks.

I have it working. It is because of missing useForwardHeaders: true

robsonyeg picture robsonyeg on 28 Jul 2020
👍1

im using useForwardHeaders: true but still having the issue

danielfm123 picture danielfm123 on 16 Nov 2020

@danielfm123

im using useForwardHeaders: true but still having the issue

There is another possibility related to SSL certs. If your certs installed on Keycloak is not public trusted(the root and intermediate CA is not in the default trust list from Java), you need to add them in the JRE default trusted CA. The JRE is the one that runs your Shinyproxy.

the default location is JAVA_HOME---> JRE -->lib---> security--> cacerts JAVA_HOME---> JRE -->lib---> security--> cacerts

commands to import like this.

keytool -import -noprompt -alias -your-root -file /opt/jboss/your-root.crt -keystore /etc/pki/java/cacerts -storepass changeit

robsonyeg picture robsonyeg on 16 Nov 2020

I did it, it doesnt work, i tried shinyproxy 2.3.1 instead of 2.4.1 and it send's the correct redirect_uri, but only works in some browsers, in the rest I get err_too_many_redirects

danielfm123 picture danielfm123 on 16 Nov 2020

Is your certs public trusted? I ran into this during the testing phase the certs are not public trusted. You need to import the Root CA and Intermediate CA to Browser trusted store. Each browser is different, depends on your OS and Browser. In my case, I am using Windows, after I import Certs to the trusted zone and Both IE and Chrome work fine after that.

Here is my suggestion,

  1. during the test phase, as long as you have one browser works it will be good enough.
  2. for production deployment, add secure web proxy before shinyproxy and keycloak. Configure it to use the SSL from web proxy and use public trusted certs. This is a better secure deployment structure. If your organization does not have a hardware secure web proxy, you can use Apache HTTPD as a reverse web proxy and a load balancer too.
robsonyeg picture robsonyeg on 16 Nov 2020

It is validated with certbot.... I managed to make it work with shinyproxy 2.3.1 and a different active directory account...

But there is a bug on shinyproxy 2.4.1 and 2.4.0

danielfm123 picture danielfm123 on 16 Nov 2020

Hi @danielfm123 , I checked a few things here, and I cannot reproduce any problems with redirect_uri in ShinyProxy 2.4.0/1.
Can you open a new issue with the following information? That way I can look into it and see whether there is a bug.

  • how are you running ShinyProxy (using the jar, Docker, Kubernetes etc)
  • provide your application.yaml file (remove sensitive values) See here how you can post code

    • are you using a load-balancer or reverse proxy? which one, how is it configured (e.g. is it passing the X-Forwarded headers) etc

    • which openid provider are you using? Are the callback urls correctly configured?

    • does shinyproxy logs any error? Please give the full stack trace.

LEDfan picture LEDfan on 17 Nov 2020

I have the same issue.

Setup with keycloak, apache2 reverse proxy and shinyproxy 2.3.1 works fine. I run shinyproxy via Docker. Shinyproxy correctly redirects to https://testauth.example.com.

When I switch to shinyproxy 2.4.1 the redirect_uri contains the internal IP (http://192.168.51.27:8082) instead of the address that is accesible from outside and I get an error : "Invalid parameter: redirect_uri".

This is the relevant part of my application.yml:

proxy:
  title: AUTHTEST
  hide-navbar: false
  template-path: /templates
  favicon-path: /www/favicon.png
  heartbeat-rate: 10000
  heartbeat-timeout: 600000
  port: 8080
  admin-groups: admin
  container-wait-time: 30000
  authentication: keycloak
  keycloak:
    realm: shinyr
    auth-server-url: http://192.168.51.122:8080/auth
    resource: shinyr
    credentials-secret: <secret>
  docker:
    internal-networking: true
  specs:
  - id: test
    display-name: Euler App
    description: Test App
    container-cmd: ["R", "-e", "shiny::runApp('/root/euler')"]
    container-image: saletelligence/test
    container-network: authtest_authtest_net
    access-groups: [admin, pm]
logging:
  file:
    shinyproxy.log
server:
  useForwardHeaders: true

This is the apache config:

<VirtualHost *:443>
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        ServerName testauth.example.com

        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket
        RewriteRule /(.*) ws://192.168.51.27:8082/$1 [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket
        RewriteRule /(.*) http://192.168.51.27:8082/$1 [P,L]
        ProxyRequests Off

        ProxyPass "/" "http://192.168.51.27:8082/"
        ProxyPassReverse "/" "http://192.168.51.27:8082/"

        SSLProxyEngine On
        SSLEngine On
        SSLCertificateFile /etc/apache2/sslcert/example.crt
        SSLCertificateKeyFile /etc/apache2/sslcert/example_pem.key
        SSLCACertificateFile /etc/apache2/sslcert/example_bundle.pem
</VirtualHost>
eastclintw00d picture eastclintw00d on 25 Nov 2020

Hi @eastclintw00d

Please try to use:

server:
  forward-headers-strategy: "native"

Instead of 

server:
  useForwardHeaders: true

Thanks!

LEDfan picture LEDfan on 25 Nov 2020
👍1

Hi @LEDfan

That solved the problem.

Thank you for the quick response!

eastclintw00d picture eastclintw00d on 25 Nov 2020
👍1

That works but it kills the package DT

danielfm123 picture danielfm123 on 28 Nov 2020

@danielfm123 Are you sure you are running shinyproxy 2.4.1? DT is working fine for me.

eastclintw00d picture eastclintw00d on 28 Nov 2020

@danielfm123 @eastclintw00d POST requests (as made e.g. by DT) don't work when using OIDC with current ShinyProxy (2.4.1). A fix by @LEDfan will be part of an upcoming release, but this is not the topic of this thread.

tverbeke picture tverbeke on 28 Nov 2020
👍1

The issue with POST request is now fixed in the 2.4.2 release

Documentation relating to the original issue is updated.

I'll lock this issue, so that the issues stay maintainable for us.
Of course, as always don't hesitate to open a new issue if you encounter any problem!

LEDfan picture LEDfan on 18 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

shrektan picture shrektan  ·  9Comments
dylancis picture dylancis  ·  3Comments
jat255 picture jat255  ·  4Comments
donarus picture donarus  ·  3Comments
thomas-chauvet picture thomas-chauvet  ·  5Comments