[keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect
Dmitry Telegin
dt at acutus.pro
Tue Jul 10 09:31:24 EDT 2018
Quick followup - I'd also suggest that you try latest Keycloak 4.1.0 to
see if the issue persists.
Dmitry
On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote:
> I've got an infinite redirect loop that I'm trying (and failing...) to
> figure out. I'm using Keycloak 3.4.3, and in front of that I'm using
> Apache httpd mod_proxy for load balancing. If I clear my cookies, or if I
> fire up a new Incognito window, everything is fine. But otherwise, when I
> try to log in to my application, I get an infinite redirect loop
> (technically, a "302 Found", with the same Location: header each time:
> http://<host>:7192/auth/realms/<realm>/login-actions/authenticate?client_id=<client>&tab_id=...)
>
> I've had a look at what's going over the wire with wireshark, and haven't
> been particularly enlightened. I'm just using http for now, not https, but
> will do that later.
>
> Interesting parts of my keycloak config are
>
> <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>     <buffer-cache name="default"/>
>     <server name="default-server">
>         <http-listener
>             name="default"
>             socket-binding="httpish"
>             enable-http2="true"
>             proxy-address-forwarding="true"
>         />
>         ...
>     </server>
>     <servlet-container name="default">
>         <session-cookie name="AUTH_SESSION_ID" http-only="true" />
>         ...
>     </servlet-container>
>
> In my httpd config there's
>
> ProxyPreserveHost Off
> ProxyAddHeaders On
> Listen 7192
> ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
> ProxyPassReverse / balancer://auth/
> <Proxy balancer://auth>
>     BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
> </Proxy>
>
> (Yes I just have one BalancerMember - was attempting to isolate this issue.)
>
> The httpd is listening on port 7192, keycloak is on port 7193.
>
> Since everything is fine if I use an Incognito window, or if I clear my
> cookies, I have to imagine that the problem is with the cookies. I looked
> at what was going over the wire - in the infinitely looping case, I see two
> (different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the
> "good" case, I see a (different) AUTH_SESSION_ID cookie and one KC_RESTART
> cookie. The KC_RESTART cookie is nearly identical between the two except
> for the "state" field. This was less helpful than I had hoped.
>
> Any help, hints, or things to debug will be greatly appreciated. Thanks in
> advance!
> -Mike Yoder
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
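
Added example (not part of the original thread, and not Keycloak or httpd code): a small Python helper that checks a captured request/response sequence for the two symptoms described in the quoted message, a run of 302 responses with the same Location and a Cookie header carrying the same cookie name more than once. The host, realm, client and cookie values are constructed placeholders, and the three-in-a-row threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample (not the poster's capture): request Cookie header,
# response status, response Location header for three consecutive requests.
LOOP_URL = ("http://sso.example:7192/auth/realms/demo/login-actions/"
            "authenticate?client_id=app&tab_id=t1")
BAD_COOKIES = "AUTH_SESSION_ID=aaa.node1; AUTH_SESSION_ID=bbb.node1; KC_RESTART=xyz"
SAMPLE_EXCHANGES = [(BAD_COOKIES, 302, LOOP_URL)] * 3

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def duplicate_cookies(header):
    """Return {name: [values]} for every cookie name sent more than once."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        seen[name].append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}

def find_redirect_loop(exchanges, threshold=3):
    """Return the Location repeated by `threshold` consecutive 302s, else None."""
    run_location, run_len = None, 0
    for _cookie, status, location in exchanges:
        if status != 302 or not location:
            run_location, run_len = None, 0
        elif location == run_location:
            run_len += 1
        else:
            run_location, run_len = location, 1
        if run_len >= threshold:
            return run_location
    return None

def diagnose(exchanges):
    """Report the looping Location and any same-named cookies sent with it."""
    loop = find_redirect_loop(exchanges)
    dups = {}
    for cookie, status, location in exchanges:
        if loop and status == 302 and location == loop:
            dups.update(duplicate_cookies(cookie))
    return {"loop_location": loop, "duplicate_cookies": dups}

if __name__ == "__main__":
    print(diagnose(SAMPLE_EXCHANGES))
```

A browser sends two cookies with the same name when they were stored with different Path or Domain attributes; the Cookie request header does not show which, so the Set-Cookie responses or the browser's cookie store are the place to compare them.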