[keycloak-user] Login works sometimes, sometimes doesn't

Jesse Chahal jessec at dnbcloud.com
Wed Apr 13 21:53:14 EDT 2016


Hi,

So it looks like the previous fix to the logout URL did the trick.
I've now run into a much harder to solve problem (and harder to
describe). We are inconsistently able to login to our client
applications using keycloak for authentication. Trying the same
username+password has about an 80% chance of logging you in correctly.
It has a 15% chance of logging you in correctly if a keycloak node
within a keycloak cluster dies. I made up the %'s but it's based on
what we are observing. So a user is actually able to login in the
sense of putting in a username+password and getting redirected to the
client applications; after that things may or may not go wrong. Often
times they will access the client application with the correct role
and everything will work ok. Sometimes though, if something goes wrong,
they will be redirected back to the client and will not be able to
access the client correctly. The below stacktraces usually show up in
those cases. I think it might be related to keycloak cache + browser
cache having weird issues, as the only way I've seen to resolve these
issues is to destroy the session cache within keycloak and get rid of
the browser cache (browser cache is more of a fault of the client app
probably). Even with this it can take multiple attempts before a user
regains the ability to go to the keycloak admin page, and it still may or
may not lead to a successful redirect to the client with a correctly
authenticated account (could start this whole weird loop again with
the stacktraces below). I don't know if anyone has come into an issue
like this. I was also hoping to find examples of client applications
that have their own accounts which somehow get mapped to keycloak
accounts, but I haven't seen any.


Environment
------------------------
- keycloak 1.9.1.Final
- running using standalone-HA.xml
- using JGroups+JDBC_Ping
- postgres database
- on AWS
- some global roles (set on user accounts)

Client
------------
- running on Wildfly10
- using keycloak subsystem
- client protocol = openid-connect
- access type = confidential
- standard flow enabled
- client authenticator = client id and secret


Keycloak 1.9.1 server error
-------------------------------------------
2016-04-14 01:20:11,112 WARN  [org.keycloak.events] (default task-17)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890,
clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=b2744ba1-7f74-4849-8077-b17659af3095,
client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN  [org.keycloak.events] (default task-2)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN  [org.keycloak.events] (default task-2)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
client_auth_method=client-secret



Wildfly 10 client server error:
-----------------------------------------
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah at example.com ] failed to turn
code into token
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah at example.com ] status from
server: 400
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah at example.com ]
{"error_description":"Code not found","error":"invalid_grant"}
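The event lines quoted above are the kind of thing worth parsing rather than eyeballing: in the excerpt the same code_id (58a57076-...) is rejected twice at the same millisecond, and an OAuth authorization code is single-use, so a second exchange of one code is either a client retry of an already-consumed code or a code that never reached the node that handled the exchange. The following is an added example, not code from the Keycloak project or from the original post, that parses `org.keycloak.events` lines in the format shown (field names such as `type`, `clientId`, `code_id`, `error` are the ones in the post), flags code_ids rejected more than once, and counts CODE_TO_TOKEN_ERROR events per client in a sliding window. The sample log is constructed from the post's three lines with the wrapped `clientId` value joined back onto one line; all function names are the example's own.

```python
"""Parse Keycloak event-log lines and flag repeated authorization-code rejections.

Added example, not part of Keycloak or of the original post. Field names follow
the CODE_TO_TOKEN_ERROR lines quoted in the post; function names are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the post's three event lines, each joined onto a single line.
SAMPLE_LOG = """\
2016-04-14 01:20:11,112 WARN  [org.keycloak.events] (default task-17) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=b2744ba1-7f74-4849-8077-b17659af3095, client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN  [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN  [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
"""

# "<timestamp> <LEVEL>  [<logger>] (<thread>) key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=([^,]*)")


def parse_event(line):
    """Return a dict for one event line, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {k: m.group(k) for k in ("level", "logger", "thread")}
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    for key, val in FIELD_RE.findall(m.group("fields")):
        ev[key] = val.strip()
    return ev


def parse_events(text):
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def code_to_token_errors(events):
    return [e for e in events if e.get("type") == "CODE_TO_TOKEN_ERROR"]


def repeated_code_ids(events):
    """code_id values rejected more than once. Codes are single-use, so a repeat
    means a retry of a consumed code or a code unknown to the node that saw it."""
    counts = Counter(e["code_id"] for e in code_to_token_errors(events) if "code_id" in e)
    return {cid: n for cid, n in counts.items() if n > 1}


def error_summary(events):
    """Count of code-to-token errors keyed by (clientId, error)."""
    return Counter((e.get("clientId"), e.get("error")) for e in code_to_token_errors(events))


def max_errors_in_window(events, window_seconds):
    """Largest number of code-to-token errors per client in any sliding window."""
    per_client = defaultdict(list)
    for e in code_to_token_errors(events):
        per_client[e.get("clientId")].append(e["ts"])
    result = {}
    for client, stamps in per_client.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, n)
        result[client] = best
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(f"{len(evs)} events, {len(code_to_token_errors(evs))} code-to-token errors")
    for cid, n in repeated_code_ids(evs).items():
        print(f"code_id {cid} rejected {n} times")
    print(dict(error_summary(evs)))
    print(max_errors_in_window(evs, 300))
```

Running it over the sample reports the duplicate code_id and three invalid_code errors for `some_wildfly_client`; a repeated code_id at the same timestamp is the line to correlate with the Wildfly adapter's "Code not found" entry, and a per-client burst threshold on the window count gives a simple alert for the cache/cluster symptom described above.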
