[Apiman-user] Flood of requests to Keycloak when accessing apiman UI

Eric Wittmann eric.wittmann at redhat.com
Thu Jan 7 11:02:33 EST 2016


OK great, thanks.

I think session affinity on the API Manager side of things is required.
Without that, every request from the browser to the UI (for CSS, 
images, etc, as well as for refreshing the bearer token) will look to 
the server like a brand new unauthenticated request.

Looking forward to hearing how it goes.

-Eric

On 1/7/2016 10:34 AM, Paul Blair wrote:
> Yes, we're deploying into Wildfly (8) in Dockers on AWS.
>
> I tried enabling session affinity on Keycloak but we still get quite a
> number of requests to Keycloak -- now they're just going to one of the
> Keycloaks. I haven't enabled session affinity on the API manager yet. I'll
> let you know how that turns out.
>
> On 1/6/16, 8:44 AM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:
>
>> Can you remind me what your configuration for the API Manager is?  I
>> think you're deploying into Wildfly, correct?
>>
>> To be honest I'm not very familiar with how the keycloak adapters work,
>> so I'm guessing here.  But based on the little bit of KC integration
>> code we've written for apiman I'm betting that you need to have session
>> affinity enabled for the manager UI.  Otherwise there's no way for a
>> given request from the browser to be authenticated without redirecting
>> to the login page.
>>
>> Note that I have created the following JIRA that would help with the
>> flood of auth redirects:
>>
>> https://issues.jboss.org/browse/APIMAN-877
>>
>> But even so it likely wouldn't fix the underlying problem, which is that
>> without session affinity it may take some luck for you to successfully
>> log in and view the UI (since there are a few redirects happening as
>> part of the login process).
>>
>> As for the Gateway - you shouldn't need session affinity enabled there,
>> because there is currently no redirect based authentication happening
>> (e.g. we're using BASIC Auth to authenticate into the Gateway API from
>> the Manager).
>>
>> -Eric
>>
>>
>> On 1/5/2016 4:05 PM, Paul Blair wrote:
>>> We are testing setting up a configuration where the API gateway, the API
>>> manager UI, and Keycloak are all behind their own load balancers on AWS.
>>> Keycloak is clustered using JDBC_PING.
>>>
>>> When I try to access the apimanui URL after logging in via Keycloak,
>>> sometimes the admin page is rendered; sometimes it isn't and I have to
>>> refresh it a few times. I see a flood of requests coming into both of
>>> the Keycloak instances.
>>>
>>> From what I can see, after the POST to Keycloak happens, there is a
>>> sequence of 302 redirects that eventually results in a successful GET to
>>> index.html. After that, however, each request for a resource on the page
>>> -- css, javascript, fonts, whatever -- also gets a 302 and is redirected
>>> to Keycloak and redirected back before the request is successful. I'm
>>> getting the impression from what I'm seeing that the bearer token is not
>>> being received by the browser and/or submitted with requests.
>>>
>>> Below is an example from the browser request log. All the browser
>>> requests are to various subdomains of us-west-2.elb.amazonaws.com (the
>>> load balancers); the instances of apiman and Keycloak are all on
>>> subdomains of us-west-2.compute.amazonaws.com. There is currently no
>>> session affinity set up in the load balancers for Keycloak, the apiman
>>> gateway, or the apiman management UI.
>>>
>>> Any ideas on what might be causing this?
>>>
>>> *** Part 1: Browser login via Keycloak and request for index.html ***
>>>
>>>      POST https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]&execution=[EXECUTION-01]
>>>         Cookie:"KC_RESTART=[RESTART-01]"
>>>      Response: 302
>>>         Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]"
>>>
>>>      GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]
>>>         Cookie:"KC_RESTART=[RESTART-01]"
>>>      Response: 302
>>>         Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]"
>>>
>>>      GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]
>>>         Cookie:"KC_RESTART=[RESTART-01]"
>>>      Response: 302
>>>         Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]"
>>>         Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>>                     KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:09:59 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>>                     KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>
>>>      GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]&code=[CODE-03]
>>>         Cookie:"OAuth_Token_Request_State=[STATE-01]"
>>>      Response: 302
>>>         Location:"https://[API_MANAGER]/apimanui/index.html"
>>>         Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui
>>>                     OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
>>>
>>>      GET https://[API_MANAGER]/apimanui/index.html
>>>         Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>>      Response: 302
>>>         Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Findex.html&state=[STATE-02]&login=true"
>>>         Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
>>>                     OAuth_Token_Request_State=[STATE-02]; secure"
>>>
>>>      GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/index.html&state=[STATE-02]&login=true
>>>         Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>>      Response: 302
>>>         Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]"
>>>         Set-Cookie:"KC_RESTART=[RESTART-02]; Version=1; Path=/auth/realms/apiman; HttpOnly"
>>>
>>>      GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]
>>>         Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-02]"
>>>      Response: 302
>>>         Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]"
>>>         Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-02]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>>                     KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:00 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>>                     KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>
>>>      GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]
>>>         Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>>      Response: 200
>>>         Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui"
>>>
>>>
>>> *** Part 2: Subsequent requests for resources (here,
>>> bootstrap-select.css) ***
>>>
>>>      GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50
>>>         Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>>      Response: 302
>>>         Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Flibs%2Fbootstrap-select%2Fbootstrap-select.css?cid%3D2015-10-23_16%3A50&state=[STATE-03]&login=true"
>>>         Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
>>>                     OAuth_Token_Request_State=[STATE-03]; secure"
>>>
>>>      GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&login=true
>>>         Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>>      Response: 302
>>>         Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]"
>>>         Set-Cookie:"KC_RESTART=[RESTART-03]; Version=1; Path=/auth/realms/apiman; HttpOnly"
>>>
>>>      GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]
>>>         Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-03]"
>>>      Response: 302
>>>         Location:"https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]"
>>>         Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-04]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>>                     KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:02 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>>                     KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>
>>>      GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]
>>>         Cookie:"OAuth_Token_Request_State=445/4a12cbb7-c16d-42a5-90c7-cf296616674a; OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>>      Response: 400
>>>         Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
>>>
>>>
>>> *** Meanwhile, in Keycloak -- the logs have the following segment
>>> repeatedly: ***
>>>
>>>      DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-23) replacing relative valid redirect with: https://[API_MANAGER]/apimanui/*
>>>      DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) AUTHENTICATE
>>>      DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator: auth-cookie
>>>      DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-23) token active - active: true, issued-at: 1,452,019,157, not-before: 1,452,014,329
>>>      DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator SUCCESS: auth-cookie
>>>      DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) execution is processed
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Apiman-user mailing list
>>> Apiman-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>
>
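A check an operator can run over a captured browser request log like the one in this thread, to confirm the missing-affinity pattern (redirect storm to Keycloak, static resources bouncing through the login, the UI session being re-issued by a different node, stale state cookies piling up) before and after turning stickiness on. This is an added example, not code from the thread or from apiman; it assumes the suffix after the last '.' in JSESSIONID is the Wildfly instance id, and the sample entries are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's log, as (url, request Cookie header,
# status, response Set-Cookie header); hosts, ids and states are placeholders.
KC = "https://kc/auth/realms/apiman/protocol/openid-connect/auth?client_id=apimanui"
SAMPLE = [
    ("https://mgr/apimanui/index.html", "JSESSIONID=S1.node1",
     302, "JSESSIONID=S1.node2; OAuth_Token_Request_State=st2"),
    (KC + "&state=st2", "KEYCLOAK_IDENTITY=i1", 302, "KC_RESTART=r2"),
    ("https://mgr/apimanui/index.html?state=st2&code=c5",
     "OAuth_Token_Request_State=st2; JSESSIONID=S1.node2", 200, "JSESSIONID=S1.node1"),
    ("https://mgr/apimanui/libs/bootstrap-select.css",
     "OAuth_Token_Request_State=st2; JSESSIONID=S1.node1",
     302, "JSESSIONID=S1.node2; OAuth_Token_Request_State=st3"),
    (KC + "&state=st3", "KEYCLOAK_IDENTITY=i3", 302, "KC_RESTART=r3"),
    ("https://mgr/apimanui/libs/bootstrap-select.css?state=st3&code=c7",
     "OAuth_Token_Request_State=st3; OAuth_Token_Request_State=st2; JSESSIONID=S1.node2",
     400, "OAuth_Token_Request_State=; Max-Age=0"),
]

STATIC = re.compile(r"\.(css|js|woff2?|ttf|png|svg)(\?|$)")

def cookie_values(header, name):
    """Every value of cookie `name` in a Cookie/Set-Cookie header (a name may repeat)."""
    return re.findall(r"(?:^|;\s*)%s=([^;]*)" % re.escape(name), header)

def jsessionid_route(header):
    """Suffix after the last '.' of JSESSIONID (assumed to be the Wildfly instance id)."""
    vals = cookie_values(header, "JSESSIONID")
    return vals[0].rsplit(".", 1)[1] if vals and "." in vals[0] else None

def analyze(entries):
    """Count the symptoms that show the UI session is not sticking to one node."""
    c = Counter()
    for url, cookie, status, set_cookie in entries:
        if "/protocol/openid-connect/auth" in url:
            c["oidc_auth_requests"] += 1         # each of these is a hit on Keycloak
        if status == 302 and STATIC.search(url):
            c["static_resource_redirects"] += 1  # CSS/JS should never need a login redirect
        req, resp = jsessionid_route(cookie), jsessionid_route(set_cookie)
        if req and resp and req != resp:
            c["route_flips"] += 1                # another node answered and re-issued the cookie
        if len(cookie_values(cookie, "OAuth_Token_Request_State")) > 1:
            c["duplicate_state_cookies"] += 1    # stale state from an earlier redirect still sent
    return dict(c)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

With affinity working, route_flips and static_resource_redirects should drop to zero for an already logged-in browser; any remaining oidc_auth_requests are then genuine token refreshes rather than lost sessions.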