As part of an application server deployment, the root context is protected by a simple
basic authentication application that lists the applications currently installed on the
server.
If, after accessing this secured page, a user then attempts to access one of the
Keycloak-protected apps (a public client) on the same server, the browser sends the Basic
authorization header with the requests.
This in turn seems to be causing the
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter filter
to return true from the AUTHORIZATION_HEADER request header request matcher that is set up
by this filter, which in turn causes the redirect to Keycloak on the initial login to
be the initially requested URL and not the /sso/login you normally get, and we go round in
a redirect loop.
The adapter has the basic-auth property set to false, and I can see that a change has been
made in this area since 3.1.0.Final, which is what we are currently on.
https://issues.jboss.org/browse/KEYCLOAK-5499
Does anyone have any ideas, other than sorting out the root context app to not use basic auth?
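One way to stop a stray `Authorization: Basic ...` header from being treated as a bearer-token request, as an added example that is not part of the original post or of the Keycloak project's own code: replace the adapter's default request matcher (which fires on any `Authorization` header) with one that only fires on a `Bearer` scheme, so a Basic header from the root-context app falls through to the normal redirect-to-login flow. It assumes the public constructor `KeycloakAuthenticationProcessingFilter(AuthenticationManager, RequestMatcher)` and the adapter's default login path `/sso/login`; the class names `SecurityConfig` and `BearerAuthorizationHeaderMatcher` are made up for this example.

```java
// Added example, not the Keycloak project's own code. Narrows the Spring Security
// adapter's token-detection matcher to Bearer tokens only, so that a Basic header
// left over from another app on the same origin does not trigger token-based
// authentication and the redirect loop described above.
import javax.servlet.http.HttpServletRequest;

import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Matches only requests whose Authorization header uses the Bearer scheme. */
final class BearerAuthorizationHeaderMatcher implements RequestMatcher {
    private static final String BEARER_PREFIX = "Bearer ";

    @Override
    public boolean matches(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        // Basic, Digest, Negotiate and similar schemes are deliberately not matched:
        // the adapter then handles the request as an ordinary unauthenticated
        // browser request and redirects to /sso/login as usual.
        return header != null
                && header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length());
    }
}

@EnableWebSecurity
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    // Overrides the adapter's filter bean so we can pass our own matcher instead of
    // the default one, which matches on the mere presence of an Authorization header.
    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter()
            throws Exception {
        RequestMatcher requiresAuthentication = new OrRequestMatcher(
                new AntPathRequestMatcher("/sso/login"),      // the adapter's default login URL
                new BearerAuthorizationHeaderMatcher());     // Bearer tokens only
        KeycloakAuthenticationProcessingFilter filter =
                new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requiresAuthentication);
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().antMatchers("/**").authenticated();
    }
}
```

The adapter's default matcher also accepts an `access_token` query parameter; this narrowed matcher leaves that out, so add it back if any client relies on it. The underlying cause is still that two applications on one origin use different authentication schemes, so the browser replays the Basic credentials to the Keycloak-protected app on every request; the matcher change only keeps the adapter from misinterpreting them.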