[Apiman-user] Flood of requests to Keycloak when accessing apiman UI

Paul Blair pblair at clearme.com
Thu Jan 7 10:34:42 EST 2016


Yes, we're deploying into Wildfly (8) in Dockers on AWS.

I tried enabling session affinity on Keycloak but we still get quite a
number of requests to Keycloak -- now they're just going to one of the
Keycloaks. I haven't enabled session affinity on the API manager yet. I'll
let you know how that turns out.

On 1/6/16, 8:44 AM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:

>Can you remind me what your configuration for the API Manager is?  I
>think you're deploying into Wildfly, correct?
>
>To be honest I'm not very familiar with how the keycloak adapters work,
>so I'm guessing here.  But based on the little bit of KC integration
>code we've written for apiman I'm betting that you need to have session
>affinity enabled for the manager UI.  Otherwise there's no way for a
>given request from the browser to be authenticated without redirecting
>to the login page.
>
>Note that I have created the following JIRA that would help with the
>flood of auth redirects:
>
>https://issues.jboss.org/browse/APIMAN-877
>
>But even so it likely wouldn't fix the underlying problem, which is that
>without session affinity it may take some luck for you to successfully
>log in and view the UI (since there are a few redirects happening as
>part of the login process).
>
>As for the Gateway - you shouldn't need session affinity enabled there,
>because there is currently no redirect based authentication happening
>(e.g. we're using BASIC Auth to authenticate into the Gateway API from
>the Manager).
>
>-Eric
>
>
>On 1/5/2016 4:05 PM, Paul Blair wrote:
>> We are testing setting up a configuration where the API gateway, the API
>> manager UI, and Keycloak are all behind their own load balancers on AWS.
>> Keycloak is clustered using JDBC_PING.
>>
>> When I try to access the apimanui URL after logging in via Keycloak,
>> sometimes the admin page is rendered; sometimes it isn't and I have to
>> refresh it a few times. I see a flood of requests coming into both of
>> the Keycloak instances.
>>
>> From what I can see, after the POST to Keycloak happens, there is a
>> sequence of 302 redirects that eventually results in a successful GET to
>> index.html. After that, however, each request for a resource on the page
>> - css, javascript, fonts, whatever - also gets a 302 and is redirected
>> to Keycloak and redirected back before the request is successful. I'm
>> getting the impression from what I'm seeing that the bearer token is not
>> being received by the browser and/or submitted with requests.
>>
>> Below is an example from the browser request log. All the browser
>> requests are to various subdomains of us-west-2.elb.amazonaws.com (the
>> load balancers); the instances of apiman and Keycloak are all on
>> subdomains of us-west-2.compute.amazonaws.com. There is currently no
>> session affinity set up in the load balancers for Keycloak, the apiman
>> gateway, or the apiman management UI.
>>
>> Any ideas on what might be causing this?
>>
>> *** Part 1: Browser login via Keycloak and request for index.html ***
>>
>>     POST https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]&execution=[EXECUTION-01]
>>        Cookie:"KC_RESTART=[RESTART-01]"
>>     Response: 302
>>        Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]"
>>
>>     GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]
>>        Cookie:"KC_RESTART=[RESTART-01]"
>>     Response: 302
>>        Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]"
>>
>>     GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]
>>        Cookie:"KC_RESTART=[RESTART-01]"
>>     Response: 302
>>        Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]"
>>        Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>                    KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:09:59 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>                    KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>
>>     GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]&code=[CODE-03]
>>        Cookie:"OAuth_Token_Request_State=[STATE-01]"
>>     Response: 302
>>        Location:"https://[API_MANAGER]/apimanui/index.html"
>>        Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui
>>                    OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
>>
>>     GET https://[API_MANAGER]/apimanui/index.html
>>        Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>     Response: 302
>>        Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Findex.html&state=[STATE-02]&login=true"
>>        Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
>>                    OAuth_Token_Request_State=[STATE-02]; secure"
>>
>>     GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/index.html&state=[STATE-02]&login=true
>>        Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>     Response: 302
>>        Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]"
>>        Set-Cookie:"KC_RESTART=[RESTART-02]; Version=1; Path=/auth/realms/apiman; HttpOnly"
>>
>>     GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]
>>        Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-02]"
>>     Response: 302
>>        Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]"
>>        Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-02]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>                    KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:00 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>                    KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>
>>     GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]
>>        Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>     Response: 200
>>        Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui"
>>
>>
>> *** Part 2: Subsequent requests for resources (here, bootstrap-select.css) ***
>>
>>     GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50
>>        Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>     Response: 302
>>        Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Flibs%2Fbootstrap-select%2Fbootstrap-select.css?cid%3D2015-10-23_16%3A50&state=[STATE-03]&login=true"
>>        Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
>>                    OAuth_Token_Request_State=[STATE-03]; secure"
>>
>>     GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&login=true
>>        Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>     Response: 302
>>        Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]"
>>        Set-Cookie:"KC_RESTART=[RESTART-03]; Version=1; Path=/auth/realms/apiman; HttpOnly"
>>
>>     GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]
>>        Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-03]"
>>     Response: 302
>>        Location:"https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]"
>>        Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-04]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>                    KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:02 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>                    KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>
>>     GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]
>>        Cookie:"OAuth_Token_Request_State=445/4a12cbb7-c16d-42a5-90c7-cf296616674a; OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>     Response: 400
>>        Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
>>
>>
>> *** Meanwhile, in Keycloak - the logs have the following segment repeatedly: ***
>>
>>     DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-23) replacing relative valid redirect with: https://[API_MANAGER]/apimanui/*
>>     DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) AUTHENTICATE
>>     DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator: auth-cookie
>>     DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-23) token active - active: true, issued-at: 1,452,019,157, not-before: 1,452,014,329
>>     DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator SUCCESS: auth-cookie
>>     DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) execution is processed
>>
>>
>>
>>
>> _______________________________________________
>> Apiman-user mailing list
>> Apiman-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>
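Added diagnostic for readers of this thread (not code from the thread, apiman or Keycloak): a small Python script that reads a constructed log in the shape of the browser capture above and flags the two things that capture shows, a `state` query parameter that matches no `OAuth_Token_Request_State` cookie value (the final 400) and a JSESSIONID whose suffix differs between what the browser sent and what the reply set. The log line format is invented for the example, and treating the JSESSIONID suffix as a marker of which instance answered is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the thread's browser log (not the real capture):
# one request per line, fields separated by " | ", cookie pairs by "; ".
SAMPLE_LOG = """\
GET https://API_MANAGER/apimanui/index.html | Cookie: JSESSIONID=J1.S01 | Response: 302 | Set-Cookie: JSESSIONID=J1.S02; OAuth_Token_Request_State=STATE-02
GET https://API_MANAGER/apimanui/index.html?state=STATE-02&code=CODE-05 | Cookie: OAuth_Token_Request_State=STATE-02; JSESSIONID=J1.S02 | Response: 200 | Set-Cookie: JSESSIONID=J1.S01
GET https://API_MANAGER/apimanui/libs/bootstrap-select.css | Cookie: OAuth_Token_Request_State=STATE-02; JSESSIONID=J1.S01 | Response: 302 | Set-Cookie: JSESSIONID=J1.S02; OAuth_Token_Request_State=STATE-03
GET https://API_MANAGER/apimanui/libs/bootstrap-select.css?state=STATE-03&code=CODE-07 | Cookie: OAuth_Token_Request_State=STALE; OAuth_Token_Request_State=STATE-02; JSESSIONID=J1.S02 | Response: 400 | Set-Cookie: OAuth_Token_Request_State=
"""

def parse_cookies(header):
    """'a=1; b=2; a=3' -> {'a': ['1', '3'], 'b': ['2']}; duplicates are kept because the
    thread's final (400) request carries two OAuth_Token_Request_State cookies."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out.setdefault(name, []).append(value)
    return out

def parse_log(text):
    """One dict per request line: url, status, cookies the browser sent, cookies set in reply."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        request, *fields = [f.strip() for f in line.split(" | ")]
        hdr = {k.strip(): v.strip() for k, _, v in (f.partition(":") for f in fields)}
        entries.append({"url": request.split(" ", 1)[1], "status": int(hdr.get("Response", 0)),
                        "cookies": parse_cookies(hdr.get("Cookie", "")),
                        "set_cookies": parse_cookies(hdr.get("Set-Cookie", ""))})
    return entries

def session_suffix(values):
    """Part after the dot of a JSESSIONID value; assumed here to identify the serving instance."""
    return values[0].rsplit(".", 1)[-1] if values and "." in values[0] else None

def analyze(entries):
    """Flag a state query parameter matching no OAuth_Token_Request_State cookie (the thread's 400)
    and a JSESSIONID suffix that differs between request and reply; also count 302s."""
    findings = {"redirects": 0, "state_mismatch": [], "session_flip": []}
    for e in entries:
        findings["redirects"] += int(e["status"] == 302)
        query_state = parse_qs(urlsplit(e["url"]).query).get("state", [None])[0]
        if query_state and query_state not in e["cookies"].get("OAuth_Token_Request_State", []):
            findings["state_mismatch"].append(e["url"])
        sent = session_suffix(e["cookies"].get("JSESSIONID", []))
        got = session_suffix(e["set_cookies"].get("JSESSIONID", []))
        if sent and got and sent != got:
            findings["session_flip"].append((sent, got))
    return findings
```

Run `analyze(parse_log(SAMPLE_LOG))`: every request in the sample comes back with a different suffix than it sent, and the only state mismatch is the request that got the 400, which is the pattern to look for in a real capture before touching load-balancer affinity.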



