[Apiman-user] Flood of requests to Keycloak when accessing apiman UI

Eric Wittmann eric.wittmann at redhat.com
Mon Jan 11 11:22:08 EST 2016


OK, that makes sense on multiple fronts.  I'm pretty confident now that 
the issue was session affinity.  But if you don't need multiple nodes, 
then obviously just having a single one accomplishes the same goal. :)

-Eric

On 1/11/2016 10:51 AM, Paul Blair wrote:
> When running just one instance of API manager I no longer get the flood of
> requests. I think that’s the way we're going to go, and just be able to
> bring up a new Docker image if that one fails for some reason -- we're not
> anticipating load issues, and high-availability isn't a priority for the
> admin console.
>
> On 1/7/16, 11:02 AM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:
>
>> OK great, thanks.
>>
>> I think session affinity on the API Manager side of things is required.
>> Without that, every request from the browser to the UI (for CSS,
>> images, etc., as well as for refreshing the bearer token) will look to
>> the server like a brand new unauthenticated request.
>>
>> Looking forward to hearing how it goes.
>>
>> -Eric
>>
>> On 1/7/2016 10:34 AM, Paul Blair wrote:
>>> Yes, we're deploying into Wildfly (8) in Dockers on AWS.
>>>
>>> I tried enabling session affinity on Keycloak but we still get quite a
>>> number of requests to Keycloak -- now they're just going to one of the
>>> Keycloaks. I haven't enabled session affinity on the API manager yet.
>>> I'll let you know how that turns out.
>>>
>>> On 1/6/16, 8:44 AM, "Eric Wittmann" <eric.wittmann at redhat.com> wrote:
>>>
>>>> Can you remind me what your configuration for the API Manager is?  I
>>>> think you're deploying into Wildfly, correct?
>>>>
>>>> To be honest I'm not very familiar with how the keycloak adapters work,
>>>> so I'm guessing here.  But based on the little bit of KC integration
>>>> code we've written for apiman I'm betting that you need to have session
>>>> affinity enabled for the manager UI.  Otherwise there's no way for a
>>>> given request from the browser to be authenticated without redirecting
>>>> to the login page.
>>>>
>>>> Note that I have created the following JIRA that would help with the
>>>> flood of auth redirects:
>>>>
>>>> https://issues.jboss.org/browse/APIMAN-877
>>>>
>>>> But even so it likely wouldn't fix the underlying problem, which is that
>>>> without session affinity it may take some luck for you to successfully
>>>> log in and view the UI (since there are a few redirects happening as
>>>> part of the login process).
>>>>
>>>> As for the Gateway - you shouldn't need session affinity enabled there,
>>>> because there is currently no redirect based authentication happening
>>>> (e.g. we're using BASIC Auth to authenticate into the Gateway API from
>>>> the Manager).
>>>>
>>>> -Eric
>>>>
>>>>
>>>> On 1/5/2016 4:05 PM, Paul Blair wrote:
>>>>> We are testing setting up a configuration where the API gateway, the
>>>>> API manager UI, and Keycloak are all behind their own load balancers on
>>>>> AWS. Keycloak is clustered using JDBC_PING.
>>>>>
>>>>> When I try to access the apimanui URL after logging in via Keycloak,
>>>>> sometimes the admin page is rendered; sometimes it isn't and I have to
>>>>> refresh it a few times. I see a flood of requests coming into both of
>>>>> the Keycloak instances.
>>>>>
>>>>> From what I can see, after the POST to Keycloak happens, there is a
>>>>> sequence of 302 redirects that eventually results in a successful GET
>>>>> to index.html. After that, however, each request for a resource on the
>>>>> page -- css, javascript, fonts, whatever -- also gets a 302 and is
>>>>> redirected to Keycloak and redirected back before the request is
>>>>> successful. I'm getting the impression from what I'm seeing that the
>>>>> bearer token is not being received by the browser and/or submitted
>>>>> with requests.
>>>>>
>>>>> Below is an example from the browser request log. All the browser
>>>>> requests are to various subdomains of us-west-2.elb.amazonaws.com (the
>>>>> load balancers); the instances of apiman and Keycloak are all on
>>>>> subdomains of us-west-2.compute.amazonaws.com. There is currently no
>>>>> session affinity set up in the load balancers for Keycloak, the apiman
>>>>> gateway, or the apiman management UI.
>>>>>
>>>>> Any ideas on what might be causing this?
>>>>>
>>>>> *** Part 1: Browser login via Keycloak and request for index.html ***
>>>>>
>>>>>       POST https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]&execution=[EXECUTION-01]
>>>>>          Cookie:"KC_RESTART=[RESTART-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]"
>>>>>
>>>>>       GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]
>>>>>          Cookie:"KC_RESTART=[RESTART-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]"
>>>>>
>>>>>       GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]
>>>>>          Cookie:"KC_RESTART=[RESTART-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]"
>>>>>          Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>>>>                      KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:09:59 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>>>>                      KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>>>
>>>>>       GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]&code=[CODE-03]
>>>>>          Cookie:"OAuth_Token_Request_State=[STATE-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[API_MANAGER]/apimanui/index.html"
>>>>>          Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui
>>>>>                      OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
>>>>>
>>>>>       GET https://[API_MANAGER]/apimanui/index.html
>>>>>          Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Findex.html&state=[STATE-02]&login=true"
>>>>>          Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
>>>>>                      OAuth_Token_Request_State=[STATE-02]; secure"
>>>>>
>>>>>       GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/index.html&state=[STATE-02]&login=true
>>>>>          Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]"
>>>>>          Set-Cookie:"KC_RESTART=[RESTART-02]; Version=1; Path=/auth/realms/apiman; HttpOnly"
>>>>>
>>>>>       GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]
>>>>>          Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-02]"
>>>>>       Response: 302
>>>>>          Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]"
>>>>>          Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-02]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>>>>                      KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:00 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>>>>                      KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>>>
>>>>>       GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]
>>>>>          Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>>>>       Response: 200
>>>>>          Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui"
>>>>>
>>>>>
>>>>> *** Part 2: Subsequent requests for resources (here, bootstrap-select.css) ***
>>>>>
>>>>>       GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50
>>>>>          Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Flibs%2Fbootstrap-select%2Fbootstrap-select.css?cid%3D2015-10-23_16%3A50&state=[STATE-03]&login=true"
>>>>>          Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui
>>>>>                      OAuth_Token_Request_State=[STATE-03]; secure"
>>>>>
>>>>>       GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&login=true
>>>>>          Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"
>>>>>       Response: 302
>>>>>          Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]"
>>>>>          Set-Cookie:"KC_RESTART=[RESTART-03]; Version=1; Path=/auth/realms/apiman; HttpOnly"
>>>>>
>>>>>       GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]
>>>>>          Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-03]"
>>>>>       Response: 302
>>>>>          Location:"https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]"
>>>>>          Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-04]; Version=1; Path=/auth/realms/apiman; HttpOnly
>>>>>                      KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:02 GMT; Max-Age=36000; Path=/auth/realms/apiman
>>>>>                      KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"
>>>>>
>>>>>       GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]
>>>>>          Cookie:"OAuth_Token_Request_State=445/4a12cbb7-c16d-42a5-90c7-cf296616674a; OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"
>>>>>       Response: 400
>>>>>          Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
>>>>>
>>>>> *** Meanwhile, in Keycloak -- the logs have the following segment repeatedly: ***
>>>>>
>>>>>       DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-23) replacing relative valid redirect with: https://[API_MANAGER]/apimanui/*
>>>>>       DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) AUTHENTICATE
>>>>>       DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator: auth-cookie
>>>>>       DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-23) token active - active: true, issued-at: 1,452,019,157, not-before: 1,452,014,329
>>>>>       DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator SUCCESS: auth-cookie
>>>>>       DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) execution is processed
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Apiman-user mailing list
>>>>> Apiman-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>>
>>>
>
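A log-triage script for the capture in the thread above, added here as an example; it is not code from the thread, from apiman or from Keycloak. It reads a browser request log in a simplified layout of my own (one "METHOD URL" line per exchange, with the Cookie, Response, Location and Set-Cookie headers indented beneath it; the embedded sample is constructed to mirror the pattern in Paul's capture, with made-up hostnames and placeholder values) and reports the three symptoms the thread turns on: static assets answered with a 302 to the Keycloak authorization endpoint, the route suffix after the dot in JSESSIONID changing from one response to the next (assumed here to be the per-instance route the servlet container appends, which is what the SUFFIX-01/SUFFIX-02 alternation in the capture suggests), and a request sent with two OAuth_Token_Request_State cookies, which is the request that ended in a 400.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the thread's capture (it is not that capture).
# Layout is my own: "METHOD URL" opens an exchange; indented "Header: value"
# lines (Cookie, Response, Location, Set-Cookie) belong to it.
SAMPLE_LOG = """\
GET https://api-manager.example/apimanui/index.html
  Cookie: JSESSIONID=SESS01.node1
  Response: 302
  Location: https://keycloak.example/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&state=S2
  Set-Cookie: JSESSIONID=SESS01.node2; path=/apimanui
  Set-Cookie: OAuth_Token_Request_State=S2; secure
GET https://api-manager.example/apimanui/index.html?state=S2&code=C5
  Cookie: OAuth_Token_Request_State=S2; JSESSIONID=SESS01.node2
  Response: 200
  Set-Cookie: JSESSIONID=SESS01.node1; path=/apimanui
GET https://api-manager.example/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=1
  Cookie: OAuth_Token_Request_State=S2; JSESSIONID=SESS01.node1
  Response: 302
  Location: https://keycloak.example/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&state=S3
  Set-Cookie: JSESSIONID=SESS01.node2; path=/apimanui
  Set-Cookie: OAuth_Token_Request_State=S3; secure
GET https://api-manager.example/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=1&state=S3&code=C7
  Cookie: OAuth_Token_Request_State=S1; OAuth_Token_Request_State=S2; JSESSIONID=SESS01.node2
  Response: 400
  Set-Cookie: OAuth_Token_Request_State=; Max-Age=0
"""

STATIC_EXT = (".css", ".js", ".woff", ".woff2", ".ttf", ".png", ".gif", ".svg", ".ico")
OIDC_AUTH = "/protocol/openid-connect/auth"
STATE_COOKIE = "OAuth_Token_Request_State"
# Assumption: the part after '.' in JSESSIONID is the route the servlet container
# appends to name the instance owning the session, so a change means another node.
ROUTE_RE = re.compile(r"JSESSIONID=[^.;]+\.([^;\s]+)")


@dataclass
class Exchange:
    method: str
    url: str
    status: Optional[int] = None
    location: str = ""
    cookies: List[str] = field(default_factory=list)      # request Cookie headers
    set_cookies: List[str] = field(default_factory=list)  # response Set-Cookie headers


def parse_log(text: str) -> List[Exchange]:
    exchanges: List[Exchange] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):                 # "METHOD URL" starts a new exchange
            method, url = raw.split(None, 1)
            exchanges.append(Exchange(method, url))
            continue
        key, _, value = raw.strip().partition(":")  # split on the first ':' only
        key, value, cur = key.lower(), value.strip(), exchanges[-1]
        if key == "response":
            cur.status = int(value)
        elif key == "location":
            cur.location = value
        elif key == "cookie":
            cur.cookies.append(value)
        elif key == "set-cookie":
            cur.set_cookies.append(value)
    return exchanges


def static_auth_redirects(exchanges: List[Exchange]) -> List[str]:
    """Static assets answered with a 302 to the authorization endpoint: the
    adapter found no authenticated session on the node that served them."""
    return [e.url for e in exchanges
            if e.url.split("?", 1)[0].lower().endswith(STATIC_EXT)
            and e.status == 302 and OIDC_AUTH in e.location]


def session_route_changes(exchanges: List[Exchange]) -> Tuple[int, List[str]]:
    """Route suffixes written to JSESSIONID, in response order, and how often
    the suffix differs from the previous one."""
    routes = []
    for e in exchanges:
        for sc in e.set_cookies:
            m = ROUTE_RE.search(sc)
            if m:
                routes.append(m.group(1))
    flips = sum(1 for a, b in zip(routes, routes[1:]) if a != b)
    return flips, routes


def duplicate_state_cookies(exchanges: List[Exchange]) -> List[Tuple[str, Optional[int]]]:
    """Requests carrying more than one state cookie, so the state parameter in
    the query string may be checked against the stale copy."""
    hits = []
    for e in exchanges:
        names = [c.split("=", 1)[0].strip() for h in e.cookies for c in h.split(";")]
        if names.count(STATE_COOKIE) > 1:
            hits.append((e.url, e.status))
    return hits


if __name__ == "__main__":
    ex = parse_log(SAMPLE_LOG)
    flips, routes = session_route_changes(ex)
    print("static assets redirected to Keycloak:", static_auth_redirects(ex))
    print("JSESSIONID route sequence:", routes, "changes:", flips)
    print("requests with duplicate state cookies:", duplicate_state_cookies(ex))
```

Run it over a capture exported in that layout. If the route suffix keeps flipping while the state cookie keeps being reissued, the load balancer is spreading one browser session across nodes, and stickiness on the API Manager's load balancer (or a single node, which is where the thread ended up) is the first thing to change.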