<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-family: Calibri, sans-serif;">
<div style="font-size: 14px;">We are testing setting up a configuration where the API gateway, the API manager UI, and Keycloak are all behind their own load balancers on AWS. Keycloak is clustered using JDBC_PING.</div>
<div style="font-size: 14px;"><br>
</div>
<div style="font-size: 14px;">When I try to access the apimanui URL after logging in via Keycloak, sometimes the admin page is rendered; sometimes it isn't and I have to refresh it a few times. I see a flood of requests coming into both of the Keycloak instances.</div>
<div style="font-size: 14px;"><br>
</div>
<div style="font-size: 14px;">From what I can see, after the POST to Keycloak happens, there is a sequence of 302 redirects that eventually results in a successful GET to index.html. After that, however, each request for a resource on the page — css, javascript,
fonts, whatever — also gets a 302 and is redirected to Keycloak and redirected back before the request is successful. I'm getting the impression from what I'm seeing that the bearer token is not being received by the browser and/or submitted with requests.</div>
<div style="font-size: 14px;"><br>
</div>
<div style="font-size: 14px;">Below is an example from the browser request log. All the browser requests are to various subdomains of us-west-2.elb.amazonaws.com (the load balancers); the instances of apiman and Keycloak are all on subdomains of us-west-2.compute.amazonaws.com.
There is currently no session affinity set up in the load balancers for Keycloak, the apiman gateway, or the apiman management UI.</div>
<div style="font-size: 14px;"><br>
</div>
<div style="font-size: 14px;">Any ideas on what might be causing this?</div>
<div style="font-size: 14px;"><br>
</div>
<div style="font-size: 14px;">*** Part 1: Browser login via Keycloak and request for index.html ***</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<blockquote style="margin: 0px 0px 0px 40px; border: none; padding: 0px;">
<div><span style="font-family: Consolas; font-size: 12px;">POST https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]&execution=[EXECUTION-01]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KC_RESTART=[RESTART-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> </span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/authenticate?code=[CODE-01]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KC_RESTART=[RESTART-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> </span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-02]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KC_RESTART=[RESTART-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; Version=1; Path=/auth/realms/apiman; HttpOnly</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:09:59 GMT; Max-Age=36000; Path=/auth/realms/apiman</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-01]&code=[CODE-03]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"OAuth_Token_Request_State=[STATE-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[API_MANAGER]/apimanui/index.html" </span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[API_MANAGER]/apimanui/index.html</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Findex.html&state=[STATE-02]&login=true"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> OAuth_Token_Request_State=[STATE-02]; secure"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/index.html&state=[STATE-02]&login=true</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"KC_RESTART=[RESTART-02]; Version=1; Path=/auth/realms/apiman; HttpOnly"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-04]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-01]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-02]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-02]; Version=1; Path=/auth/realms/apiman; HttpOnly</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:00 GMT; Max-Age=36000; Path=/auth/realms/apiman</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[API_MANAGER]/apimanui/index.html?state=[STATE-02]&code=[CODE-05]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 200</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]; path=/apimanui"</span></div>
</blockquote>
</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<div style="font-size: 14px;">*** Part 2: Subsequent requests for resources (here, bootstrap-select.css) ***</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<blockquote style="margin: 0px 0px 0px 40px; border: none; padding: 0px;">
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https%3A%2F%2F[API_MANAGER]%2Fapimanui%2Flibs%2Fbootstrap-select%2Fbootstrap-select.css?cid%3D2015-10-23_16%3A50&state=[STATE-03]&login=true"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]; path=/apimanui</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> OAuth_Token_Request_State=[STATE-03]; secure"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[KEYCLOAK]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&login=true</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"KC_RESTART=[RESTART-03]; Version=1; Path=/auth/realms/apiman; HttpOnly"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[KEYCLOAK]/auth/realms/apiman/login-actions/required-action?code=[CODE-06]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-03]; KEYCLOAK_SESSION=apiman/[KC_SESS-01]; KC_RESTART=[RESTART-03]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 302</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Location:"https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"KEYCLOAK_IDENTITY=[IDENTITY-04]; Version=1; Path=/auth/realms/apiman; HttpOnly</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> KEYCLOAK_SESSION=apiman/[KC_SESS-01]; Version=1; Expires=Wed, 06-Jan-2016 06:10:02 GMT; Max-Age=36000; Path=/auth/realms/apiman</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/apiman; HttpOnly"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"><br>
</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">GET https://[API_MANAGER]/apimanui/libs/bootstrap-select/bootstrap-select.css?cid=2015-10-23_16:50&state=[STATE-03]&code=[CODE-07]</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Cookie:"OAuth_Token_Request_State=445/4a12cbb7-c16d-42a5-90c7-cf296616674a; OAuth_Token_Request_State=[STATE-02]; JSESSIONID=[APIMAN_JSESS-01].[SUFFIX-02]"</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">Response: 400</span></div>
<div><span style="font-family: Consolas; font-size: 12px;"> Set-Cookie:"OAuth_Token_Request_State=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"</span></div>
</blockquote>
</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<div style="font-size: 14px;">*** Meanwhile, in Keycloak — the logs have the following segment repeatedly: ***</div>
<div style="font-size: 14px;"><br>
</div>
<div>
<blockquote style="margin: 0px 0px 0px 40px; border: none; padding: 0px;">
<div><span style="font-family: Consolas; font-size: 12px;">DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-23) replacing relative valid redirect with: https://[API_MANAGER]/apimanui/*</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) AUTHENTICATE</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator: auth-cookie</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-23) token active - active: true, issued-at: 1,452,019,157, not-before: 1,452,014,329</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) authenticator SUCCESS: auth-cookie</span></div>
<div><span style="font-family: Consolas; font-size: 12px;">DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-23) execution is processed</span></div>
</blockquote>
</div>
<blockquote style="margin: 0px 0px 0px 40px; border: none; padding: 0px;">
<div><br>
</div>
</blockquote>
</div>
<div style="font-size: 14px;">
<blockquote style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"></blockquote>
</div>
</div>
</body>
</html>