I've built an application using JHipster which consists of a gateway and a frontend with OAuth2 authentication implemented through Keycloak. Everything works as expected when running locally. However, when I deploy to a Kubernetes cluster, the redirection behavior differs, leading to authentication issues.
Local Setup:
When I authenticate locally, the flow is: frontend (/oauth2/authorization/oidc) -> gateway (on port 8080) -> Keycloak (for auth) -> gateway (with callback URL pointing to port 8080) -> frontend (port 9000 with session cookie). And everything works seamlessly.
Kubernetes Setup:
My frontend is behind an Nginx server with this configuration:
    server {
        listen 80;
        location ~ ^/oauth2(.*)$ {
            return 302 https://gateway.test.internal/oauth2$1;
        }
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            try_files $uri $uri/ /index.html =404;
        }
    }
When trying to authenticate, I'm redirected to the gateway at "https://gateway.test.internal/oauth2/authorization/oidc", then to Keycloak. After successful authentication in Keycloak, the callback URL points back to the gateway. However, instead of redirecting to the frontend at "https://web.test.internal/", I'm redirected to "https://gateway.test.internal/".
I tried adjusting the Nginx configuration:
    server {
        listen 80;
        location /oauth2 {
            proxy_pass https://gateway.test.internal/oauth2;
        }
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            try_files $uri $uri/ /index.html =404;
        }
    }
This resulted in an "invalid credentials" error from the gateway, which I suspect might be due to header issues (especially the "Referer" header).
To temporarily circumvent this, I added an endpoint in the gateway to manually handle the session cookie:
    // Re-issue the gateway's SESSION cookie for the parent domain, then redirect to the frontend.
    @GetMapping("/")
    public ResponseEntity<Void> method(@CookieValue("SESSION") String session) {
        HttpCookie sessionCookie = ResponseCookie.from("SESSION", session).domain(".test.internal").build();
        return ResponseEntity
            .status(HttpStatus.FOUND)
            .location(URI.create("https://web.test.internal/"))
            .header(HttpHeaders.SET_COOKIE, sessionCookie.toString())
            .build();
    }
However, with this, I have to manage the session cookies myself.
Has anyone experienced a similar problem, or can anyone give me some pointers on how to correctly manage redirection when deploying the frontend and the gateway with different subdomains?
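
An added example, not part of the original post: a small check of which hosts a browser would send the SESSION cookie to under RFC 6265 domain matching, and which hardening attributes the header lacks. The header strings are constructed; the re-issued one assumes only `Domain` is set, since the builder call in the post sets nothing else, and `other.test.internal` is a hypothetical sibling host.

```python
# Added example: RFC 6265 cookie scoping for the SESSION cookie workaround.

def parse_set_cookie(header):
    """Return (name, value, attrs) with attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-match; a leading dot is ignored (5.2.3)."""
    host, domain = host.lower(), domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def cookie_sent_to(attrs, setting_host, request_host):
    """Without Domain the cookie is host-only; with Domain it covers all subdomains."""
    domain = attrs.get("domain")
    if not domain:
        return request_host.lower() == setting_host.lower()
    return domain_matches(request_host, domain)

def missing_hardening(attrs):
    """Attributes a session cookie is normally expected to carry."""
    return [a for a in ("secure", "httponly", "samesite") if a not in attrs]

# Constructed sample headers (values are placeholders, not from the post).
HOST_ONLY = "SESSION=abc123; Path=/; HttpOnly"      # scoped to the host that set it
REISSUED = "SESSION=abc123; Domain=.test.internal"  # only domain() is set in the workaround
GATEWAY = "gateway.test.internal"
HOSTS = [GATEWAY, "web.test.internal", "other.test.internal"]  # last host is hypothetical

def audit(header, setting_host=GATEWAY):
    """Return (hosts that receive the cookie, hardening attributes it lacks)."""
    _, _, attrs = parse_set_cookie(header)
    recipients = [h for h in HOSTS if cookie_sent_to(attrs, setting_host, h)]
    return recipients, missing_hardening(attrs)

if __name__ == "__main__":
    for label, header in (("host-only", HOST_ONLY), ("re-issued", REISSUED)):
        recipients, missing = audit(header)
        print(f"{label}: sent to {recipients}; missing {missing}")
```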