[Apiman-user] Flood of requests to Keycloak when accessing apiman UI
Paul Blair
pblair at clearme.com
Mon Jan 11 10:51:23 EST 2016
When running just one instance of API manager I no longer get the flood of
requests. I think that’s the way we're going to go, and just be able to
bring up a new Docker image if that one fails for some reason -- we're not
anticipating load issues, and high-availability isn't a priority for the
admin console.
On 1/7/16, 11:02 AM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:
>OK great, thanks.
>
>I think session affinity on the API Manager side of things is required.
> Without that, every request from the browser to the UI (for CSS,
>images, etc, as well as for refreshing the bearer token) will look to
>the server like a brand new unauthenticated request.
>
>Looking forward to hearing how it goes.
>
>-Eric
>
>On 1/7/2016 10:34 AM, Paul Blair wrote:
>> Yes, we're deploying into Wildfly (8) in Dockers on AWS.
>>
>> I tried enabling session affinity on Keycloak but we still get quite a
>> number of requests to Keycloak -- now they're just going to one of the
>> Keycloaks. I haven't enabled session affinity on the API manager yet.
>>I'll
>> let you know how that turns out.
>>
>> On 1/6/16, 8:44 AM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:
>>
>>> Can you remind me what your configuration for the API Manager is? I
>>> think you're deploying into Wildfly, correct?
>>>
>>> To be honest I'm not very familiar with how the keycloak adapters work,
>>> so I'm guessing here. But based on the little bit of KC integration
>>> code we've written for apiman I'm betting that you need to have session
>>> affinity enabled for the manager UI. Otherwise there's no way for a
>>> given request from the browser to be authenticated without redirecting
>>> to the login page.
>>>
>>> Note that I have created the following JIRA that would help with the
>>> flood of auth redirects:
>>>
>>> https://issues.jboss.org/browse/APIMAN-877
>>>
>>> But even so it likely wouldn't fix the underlying problem, which is
>>>that
>>> without session affinity it may take some luck for you to successfully
>>> log in and view the UI (since there are a few redirects happening as
>>> part of the login process).
>>>
>>> As for the Gateway - you shouldn't need session affinity enabled there,
>>> because there is currently no redirect based authentication happening
>>> (e.g. we're using BASIC Auth to authenticate into the Gateway API from
>>> the Manager).
>>>
>>> -Eric
>>>
>>>
>>> On 1/5/2016 4:05 PM, Paul Blair wrote:
>>>> We are testing setting up a configuration where the API gateway, the
>>>>API
>>>> manager UI, and Keycloak are all behind their own load balancers on
>>>>AWS.
>>>> Keycloak is clustered using JDBC_PING.
>>>>
>>>> When I try to access the apimanui URL after logging in via Keycloak,
>>>> sometimes the admin page is rendered; sometimes it isn't and I have to
>>>> refresh it a few times. I see a flood of requests coming into both of
>>>> the Keycloak instances.
>>>>
>>>> From what I can see, after the POST to Keycloak happens, there is a
>>>> sequence of 302 redirects that eventually results in a successful GET
>>>>to
>>>> index.html. After that, however, each request for a resource on the
>>>>page
>>>> ‹ css, javascript, fonts, whatever ‹ also gets a 302 and is redirected
>>>> to Keycloak and redirected back before the request is successful. I'm
>>>> getting the impression from what I'm seeing that the bearer token is
>>>>not
>>>> being received by the browser and/or submitted with requests.
>>>>
>>>> Below is an example from the browser request log. All the browser
>>>> requests are to various subdomains of us-west-2.elb.amazonaws.com (the
>>>> load balancers); the instances of apiman and Keycloak are all on
>>>> subdomains of us-west-2.compute.amazonaws.com. There is currently no
>>>> session affinity set up in the load balancers for Keycloak, the apiman
>>>> gateway, or the apiman management UI.
>>>>
>>>> Any ideas on what might be causing this?
>>>>
>>>> *** Part 1: Browser login via Keycloak and request for index.html ***
>>>>
>>>> POST
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[
>>>>CO
>>>> DE-01]&execution=[EXECUTION-01]
>>>> Cookie:"KC_RESTART=[RESTART-01]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/authentic
>>>>at
>>>> e?code=[CODE-01]"
>>>> GET
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[
>>>>CO
>>>> DE-01]
>>>> Cookie:"KC_RESTART=[RESTART-01]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-
>>>>ac
>>>> tion?code=[CODE-02]"
>>>> GET
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?cod
>>>>e=
>>>> [CODE-02]
>>>> Cookie:"KC_RESTART=[RESTART-01]"
>>>> Response: 302
>>>>
>>>> Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]"
>>>> Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; Version=1;
>>>> Path=/auth/realms/apiman; HttpOnly
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1;
>>>> Expires=Wed, 06-Jan-2016 06:09:59 GMT; Max-Age=36000;
>>>> Path=/auth/realms/apiman
>>>> KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970
>>>> 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]&code=[CODE-0
>>>>3]
>>>> Cookie:"OAuth_Token_Request_State=[STATE-01]"
>>>> Response: 302
>>>> Location:"https://[API_MANAGER]/apimanui/index.html"
>>>> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01];
>>>> path=/apimanui
>>>> OAuth_Token_Request_State=; Max-Age=0;
>>>>Expires=Thu,
>>>> 01-Jan-1970 00:00:00 GMT"
>>>>
>>>> GET https://[API_MANAGER]/apimanui/index.html
>>>> Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect
>>>>/a
>>>>
>>>>uth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[A
>>>>PI
>>>> _MANAGER]%2Fapimanui%2Findex.html&state=[STATE-02]&login=true"
>>>> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02];
>>>> path=/apimanui
>>>> OAuth_Token_Request_State=[STATE-02]; secure"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?resp
>>>>on
>>>>
>>>>se_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apim
>>>>an
>>>> ui/index.html&state=[STATE-02]&login=true
>>>> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01];
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-
>>>>ac
>>>> tion?code=[CODE-04]"
>>>> Set-Cookie:"KC_RESTART=[RESTART-02]; Version=1;
>>>> Path=/auth/realms/apiman; HttpOnly"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?cod
>>>>e=
>>>> [CODE-04]
>>>> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01];
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-02]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&co
>>>>de
>>>> =[CODE-05]"
>>>> Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-02]; Version=1;
>>>> Path=/auth/realms/apiman; HttpOnly
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1;
>>>> Expires=Wed, 06-Jan-2016 06:10:00 GMT; Max-Age=36000;
>>>> Path=/auth/realms/apiman
>>>> KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970
>>>> 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-0
>>>>5]
>>>> Cookie:"OAuth_Token_Request_State=[STATE-02];
>>>> JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>>> Response: 200
>>>> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01];
>>>> path=/apimanui"
>>>>
>>>>
>>>> *** Part 2: Subsequent requests for resources (here,
>>>> bootstrap-select.css) ***
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.c
>>>>ss
>>>> ?cid=2015-10-23_16:50
>>>> Cookie:"OAuth_Token_Request_State=[STATE-02];
>>>> JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect
>>>>/a
>>>>
>>>>uth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[A
>>>>PI
>>>>
>>>>_MANAGER]%2Fapimanui%2Flibs%2Fbootstrap-select%2Fbootstrap-select.css?c
>>>>id
>>>> %3D2015-10-23_16%3A50&state=[STATE-03]&login=true"
>>>> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02];
>>>> path=/apimanui
>>>> OAuth_Token_Request_State=[STATE-03]; secure"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?resp
>>>>on
>>>>
>>>>se_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apim
>>>>an
>>>>
>>>>ui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&stat
>>>>e=
>>>> [STATE-03]&login=true
>>>> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03];
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-
>>>>ac
>>>> tion?code=[CODE-06]"
>>>> Set-Cookie:"KC_RESTART=[RESTART-03]; Version=1;
>>>> Path=/auth/realms/apiman; HttpOnly"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?cod
>>>>e=
>>>> [CODE-06]
>>>> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03];
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-03]"
>>>> Response: 302
>>>>
>>>>
>>>>
>>>>Location:"https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstra
>>>>p-
>>>> select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]"
>>>> Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-04]; Version=1;
>>>> Path=/auth/realms/apiman; HttpOnly
>>>> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1;
>>>> Expires=Wed, 06-Jan-2016 06:10:02 GMT; Max-Age=36000;
>>>> Path=/auth/realms/apiman
>>>> KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970
>>>> 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>>
>>>> GET
>>>>
>>>>
>>>>https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.c
>>>>ss
>>>> ?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]
>>>>
>>>>
>>>>
>>>>Cookie:"OAuth_Token_Request_State=445/4a12cbb7-c16d-42a5-90c7-cf2966166
>>>>74
>>>> a;
>>>> OAuth_Token_Request_State=[STATE-02];
>>>> JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>>> Response: 400
>>>> Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0;
>>>>Expires=Thu,
>>>> 01-Jan-1970 00:00:00 GMT"
>>>>
>>>>
>>>> *** Meanwhile, in Keycloak ‹ the logs have the following segment
>>>> repeatedly: ***
>>>>
>>>> DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default
>>>> task-23) replacing relative valid redirect with:
>>>> https://[API_MANAGER]/apimanui/*
>>>> DEBUG [org.keycloak.authentication.AuthenticationProcessor]
>>>>(default
>>>> task-23) AUTHENTICATE
>>>> DEBUG [org.keycloak.authentication.AuthenticationProcessor]
>>>>(default
>>>> task-23) authenticator: auth-cookie
>>>> DEBUG [org.keycloak.services.managers.AuthenticationManager]
>>>> (default task-23) token active - active: true, issued-at:
>>>> 1,452,019,157, not-before: 1,452,014,329
>>>> DEBUG [org.keycloak.authentication.AuthenticationProcessor]
>>>>(default
>>>> task-23) authenticator SUCCESS: auth-cookie
>>>> DEBUG [org.keycloak.authentication.AuthenticationProcessor]
>>>>(default
>>>> task-23) execution is processed
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Apiman-user mailing list
>>>> Apiman-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>
>>
More information about the Apiman-user
mailing list