[keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect

Dmitry Telegin dt at acutus.pro
Tue Jul 10 09:30:22 EDT 2018


Hi Michael,

Do you experience this issue while trying to log in to the Keycloak Admin
console itself? Or is it some client application protected by Keycloak?
If the latter, could you please share the client config?

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote:
> I've got an infinite redirect loop that I'm trying (and failing...) to
> figure out.  I'm using Keycloak 3.4.3, and in front of that I'm using
> Apache httpd mod_proxy for load balancing.  If I clear my cookies, or if I
> fire up a new Incognito window, everything is fine.  But otherwise, when I
> try to log in to my application, I get an infinite redirect loop
> (technically, a "302 Found", with the same Location: header each time:
> http://<host>:7192/auth/realms/<realm>/login-actions/authenticate?client_id=<client>&tab_id=...)
> 
> I've had a look at what's going over the wire with wireshark, and haven't
> been particularly enlightened. I'm just using http for now, not https, but
> will do that later.
> 
> Interesting parts of my keycloak config are
> 
>     <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>       <buffer-cache name="default"/>
>       <server name="default-server">
>         <http-listener
>                        name="default"
>                        socket-binding="httpish"
>                        enable-http2="true"
>                        proxy-address-forwarding="true"
>         />
>         ...
>       </server>
>       <servlet-container name="default">
>         <session-cookie name="AUTH_SESSION_ID" http-only="true" />
>         ...
>       </servlet-container>
> 
> In my httpd config there's
> 
> ProxyPreserveHost Off
> ProxyAddHeaders On
> Listen 7192
> ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
> ProxyPassReverse / balancer://auth/
> <Proxy balancer://auth>
> BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
> </Proxy>
> 
> (Yes I just have one BalancerMember - was attempting to isolate this
> issue.)
> 
> The httpd is listening on port 7192, keycloak is on port 7193.
> 
> Since everything is fine if I use an Incognito window, or if I clear my
> cookies, I have to imagine that the problem is with the cookies. I looked
> at what was going over the wire - in the infinitely looping case, I see two
> (different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the
> "good" case, I see a (different) AUTH_SESSION_ID cookie and one KC_RESTART
> cookie. The KC_RESTART cookie is nearly identical between the two except
> for the "state" field. This was less helpful than I had hoped.
> 
> Any help, hints, or things to debug will be greatly appreciated. Thanks in
> advance!
> -Mike Yoder
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
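
A way to check a capture for the two symptoms reported in the quoted message (the same Location on every 302, and AUTH_SESSION_ID sent twice with different values), as an added example that is not part of the original thread. The hostname, realm, client and cookie values below are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed captures (not from the thread): one tuple per request/response
# pair = (Cookie request header, response status, Location response header).
LOGIN = ("http://sso.example:7192/auth/realms/demo/login-actions/"
         "authenticate?client_id=app&tab_id=T1")
LOOPING = [("AUTH_SESSION_ID=aaa111; AUTH_SESSION_ID=bbb222; KC_RESTART=eyJh.x",
            302, LOGIN)] * 3
GOOD = [("AUTH_SESSION_ID=ccc333; KC_RESTART=eyJh.y", 302, LOGIN),
        ("AUTH_SESSION_ID=ccc333; KC_RESTART=eyJh.y", 200, None)]


def parse_cookie_header(header):
    """Map cookie name -> list of values, keeping duplicates in wire order."""
    jar = defaultdict(list)
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            jar[name].append(value)
    return dict(jar)


def conflicting_cookies(header):
    """Cookie names sent more than once with different values in one request."""
    return {n: v for n, v in parse_cookie_header(header).items()
            if len(set(v)) > 1}


def redirect_loop(exchanges, threshold=3):
    """True once `threshold` consecutive 3xx responses repeat one Location."""
    run, last = 0, None
    for _cookie, status, location in exchanges:
        is_redirect = 300 <= status < 400
        run = run + 1 if is_redirect and location == last else int(is_redirect)
        last = location if is_redirect else None
        if run >= threshold:
            return True
    return False


def diagnose(exchanges):
    """Collect de-duplicated findings for a captured login attempt."""
    findings = ["same Location repeated"] if redirect_loop(exchanges) else []
    for cookie, _status, _location in exchanges:
        for name, values in conflicting_cookies(cookie).items():
            msg = f"{name} sent {len(values)} times with different values"
            if msg not in findings:
                findings.append(msg)
    return findings


if __name__ == "__main__":
    print(diagnose(LOOPING))
    print(diagnose(GOOD))
```

A browser sends two cookies with the same name when they were stored with different Path or Domain attributes, and the Cookie request header does not carry those attributes, so comparing the Set-Cookie response headers that created each value is the next step when this check fires.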
