Problem with Keycloak authentication on Kubernetes / "failed to turn code into token" "status 308"
Hi all,
My setup :
- cluster Kubernetes on Azure Cloud
- Nginx ingress controller that redirects all incoming requests to shinyproxies (multiple public apps so one shinyproxy per application)
- shinyproxy is running inside a pod and redirects authentication to keycloak server
- keycloak server is running inside a pod too (one for all apps)
For the Keycloak server, proxy_address_forwarding is set to true.
Shinyproxy application.yml:
proxy:
  title: AIRPC
  landing-page: /
  port: 8080
  authentication: keycloak
  keycloak:
    realm: dactika
    auth-server-url: http://keycloak.xxx.com/auth
    verify-token-audience: true
    resource: app
    credentials-secret: xxxxxxxxxxxx
  admin-groups: admins
  container-backend: kubernetes
  kubernetes:
    internal-networking: true
    namespace: ingress-app
  specs:
  - id: app
    display-name: APP
    container-cmd: ["R", "-e", "shiny::runApp('/app/tests/app.R')"]
    container-image: app.azurecr.io/app
    access-groups: app
logging:
  file:
    shinyproxy.log
server:
  useForwardHeaders: true
Problem: When I access the app through the URL app.xxxxx.com, it redirects me correctly to the Keycloak auth page (http://keycloak.xxxxx.com/auth), but when I log in, it bounces between app.xxxxx.com and keycloak.xxxxx.com and finally downloads an auth file while staying on the Keycloak login page. It does not redirect me to the ShinyProxy page where I can select the app, and I have the following error in the ShinyProxy logs:
2021-06-18 08:33:19.450  INFO 1 --- [           main] e.o.c.util.StartupEventListener          : Started ShinyProxy 2.5.0 (ContainerProxy 0.8.8)
2021-06-18 08:33:35.396  INFO 1 --- [  XNIO-1 task-1] io.undertow.servlet                      : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-06-18 08:33:35.397  INFO 1 --- [  XNIO-1 task-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2021-06-18 08:33:35.426  INFO 1 --- [  XNIO-1 task-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 29 ms
2021-06-18 08:34:56.157 ERROR 1 --- [  XNIO-1 task-1] o.k.adapters.OAuthRequestAuthenticator   : failed to turn code into token
2021-06-18 08:34:56.157 ERROR 1 --- [  XNIO-1 task-1] o.k.adapters.OAuthRequestAuthenticator   : status from server: 308
2021-06-18 08:34:56.157 ERROR 1 --- [  XNIO-1 task-1] o.k.adapters.OAuthRequestAuthenticator   :    <html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx</center>
</body>
</html>
Did anyone encounter this problem before ?
Thank you in advance !
Hi
Can you try these two things:
- if your Keycloak server is using HTTPS, also specify https in the proxy.keycloak.auth-server-url field.
- use the correct setting instead of useForwardHeaders, see: https://shinyproxy.io/documentation/security/#forward-headers
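
One way to see what the adapter's server-side code-to-token request receives from a given auth-server-url is to send the same kind of POST without following redirects. This Python probe is an added example, not part of the thread or of ShinyProxy; the local `RedirectingIngress` server and the `keycloak.example.test` host are constructed stand-ins so that it runs offline.

```python
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def token_endpoint(auth_server_url, realm):
    # Keycloak's OpenID Connect token path under the configured base URL.
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def probe(auth_server_url, realm, timeout=5):
    """POST to the token endpoint without following redirects; return (status, Location)."""
    url = urlsplit(token_endpoint(auth_server_url, realm))
    conn_cls = http.client.HTTPSConnection if url.scheme == "https" else http.client.HTTPConnection
    with closing(conn_cls(url.hostname, url.port, timeout=timeout)) as conn:
        # Placeholder code value: only the transport-level answer matters here.
        conn.request("POST", url.path, body="grant_type=authorization_code&code=placeholder",
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")


class RedirectingIngress(BaseHTTPRequestHandler):
    """Constructed stand-in for an ingress that answers plain HTTP with a 308."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(308)
        self.send_header("Location", "https://keycloak.example.test" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    server = HTTPServer(("127.0.0.1", 0), RedirectingIngress)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}/auth", "dactika")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("token endpoint answered: HTTP %s, Location: %s" % demo())
```

Against a real deployment, call `probe()` with the exact `auth-server-url` and realm from application.yml, from inside the ShinyProxy pod; a 3xx status with an `https://` Location means the configured URL is not the one the server finally serves.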
Hi,
Thank you for your answer. My Keycloak server is under HTTPS; the key and cert are defined in the Kubernetes cluster. I already tried with https://keycloak.xxx.com/auth and I have the same problem: it plays ping-pong between the URLs app.xxx.com and keycloak.xxx.com, then a file is downloaded and I get another error in the log:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
For that, I tried to copy the key and cert files into the ShinyProxy Docker image and define cert-path in application.yml, but this didn't work, so I gave up on this idea. The downloaded file is a browser image and contains an Info.plist file and a login file; I can't open either.