11:59 p.m.
I've got an infinite redirect loop that I'm trying (and failing...) to
figure out. I'm using Keycloak 3.4.3, and in front of that I'm using
Apache httpd mod_proxy for load balancing. If I clear my cookies, or if I
fire up a new Incognito window, everything is fine. But otherwise, when I
try to log in to my application, I get an infinite redirect loop
(technically, a "302 Found", with the same Location: header each time:
http://
<host>:7192/auth/realms/<realm>/login-actions/authenticate?client_id=<client>&tab_id=...)
I've had a look at what's going over the wire with wireshark, and haven't
been particularly enlightened. I'm just using http for now, not https, but
will do that later.
Interesting parts of my keycloak config are
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener
name="default"
socket-binding="httpish"
enable-http2="true"
proxy-address-forwarding="true"
/>
...
</server>
<servlet-container name="default">
<session-cookie name="AUTH_SESSION_ID" http-only="true"
/>
...
</servlet-container>
In my httpd config there's
ProxyPreserveHost Off
ProxyAddHeaders On
Listen 7192
ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
ProxyPassReverse / balancer://auth/
<Proxy balancer://auth>
BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
</Proxy>
(Yes I just have one BalancerMember - was attempting to isolate this issue.)
The httpd is listening on port 7192, keycloak is on port 7193.
Since everything is fine if I use an Incognito window, or if I clear my
cookies, I have to imagine that the problem is with the cookies. I looked
at what was going over the wire - in the infinitely looping case, I see two
(different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the
"good" case, I see a (different) AUTH_SESSION_ID cookie and one KC_RESTART
cookie. The KC_RESTART cookie is nearly identical between the two except
for the "state" field. This was less helpful than I had hoped.
Any help, hints, or things to debug will be greatly appreciated. Thanks in
advance!
-Mike Yoder
3:30 p.m.
Hi Michael,
Do you experience this issue while trying to log in to Keycloak Admin
console itself? Or is it some client application protected by Keycloak?
If latter, could you please share client config?
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote:
I've got an infinite redirect loop that I'm trying (and
failing...)
to
figure out. I'm using Keycloak 3.4.3, and in front of that I'm using
Apache httpd mod_proxy for load balancing. If I clear my cookies, or
if I
fire up a new Incognito window, everything is fine. But otherwise,
when I
try to log in to my application, I get an infinite redirect loop
(technically, a "302 Found", with the same Location: header each
time:
http://
<host>:7192/auth/realms/<realm>/login-
actions/authenticate?client_id=<client>&tab_id=...)
I've had a look at what's going over the wire with wireshark, and
haven't
been particularly enlightened. I'm just using http for now, not
https, but
will do that later.
Interesting parts of my keycloak config are
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener
name="default"
socket-binding="httpish"
enable-http2="true"
proxy-address-forwarding="true"
/>
...
</server>
<servlet-container name="default">
<session-cookie name="AUTH_SESSION_ID" http-only="true"
/>
...
</servlet-container>
In my httpd config there's
ProxyPreserveHost Off
ProxyAddHeaders On
Listen 7192
ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
ProxyPassReverse / balancer://auth/
<Proxy balancer://auth>
BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
</Proxy>
(Yes I just have one BalancerMember - was attempting to isolate this
issue.)
The httpd is listening on port 7192, keycloak is on port 7193.
Since everything is fine if I use an Incognito window, or if I clear
my
cookies, I have to imagine that the problem is with the cookies. I
looked
at what was going over the wire - in the infinitely looping case, I
see two
(different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the
"good" case, I see a (different) AUTH_SESSION_ID cookie and one
KC_RESTART
cookie. The KC_RESTART cookie is nearly identical between the two
except
for the "state" field. This was less helpful than I had hoped.
Any help, hints, or things to debug will be greatly appreciated.
Thanks in
advance!
-Mike Yoder
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
11:21 p.m.
On Tue, Jul 10, 2018 at 6:30 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
Do you experience this issue while trying to log in to Keycloak
Admin
console itself? Or is it some client application protected by Keycloak?
If latter, could you please share client config?
I see this both when logging in to the admin console and to the client
application.
I'll take your suggestion about upgrading and report back later. Thanks for
replying!
-Mike
8:18 p.m.
To my surprise this seems to have gone away after the upgrade. I'll keep an
eye on it, but thanks!
-Mike
On Tue, Jul 10, 2018 at 2:21 PM Michael Yoder <myoder(a)cloudera.com> wrote:
On Tue, Jul 10, 2018 at 6:30 AM Dmitry Telegin <dt(a)acutus.pro>
wrote:
> Do you experience this issue while trying to log in to Keycloak Admin
> console itself? Or is it some client application protected by Keycloak?
> If latter, could you please share client config?
>
I see this both when logging in to the admin console and to the client
application.
I'll take your suggestion about upgrading and report back later. Thanks
for replying!
-Mike
3:31 p.m.
Quick followup - I'd also suggest that you try latest Keycloak 4.1.0 to
see if the issue persists.
Dmitry
On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote:
I've got an infinite redirect loop that I'm trying (and
failing...)
to
figure out. I'm using Keycloak 3.4.3, and in front of that I'm using
Apache httpd mod_proxy for load balancing. If I clear my cookies, or
if I
fire up a new Incognito window, everything is fine. But otherwise,
when I
try to log in to my application, I get an infinite redirect loop
(technically, a "302 Found", with the same Location: header each
time:
http://
<host>:7192/auth/realms/<realm>/login-
actions/authenticate?client_id=<client>&tab_id=...)
I've had a look at what's going over the wire with wireshark, and
haven't
been particularly enlightened. I'm just using http for now, not
https, but
will do that later.
Interesting parts of my keycloak config are
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener
name="default"
socket-binding="httpish"
enable-http2="true"
proxy-address-forwarding="true"
/>
...
</server>
<servlet-container name="default">
<session-cookie name="AUTH_SESSION_ID" http-only="true"
/>
...
</servlet-container>
In my httpd config there's
ProxyPreserveHost Off
ProxyAddHeaders On
Listen 7192
ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
ProxyPassReverse / balancer://auth/
<Proxy balancer://auth>
BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
</Proxy>
(Yes I just have one BalancerMember - was attempting to isolate this
issue.)
The httpd is listening on port 7192, keycloak is on port 7193.
Since everything is fine if I use an Incognito window, or if I clear
my
cookies, I have to imagine that the problem is with the cookies. I
looked
at what was going over the wire - in the infinitely looping case, I
see two
(different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the
"good" case, I see a (different) AUTH_SESSION_ID cookie and one
KC_RESTART
cookie. The KC_RESTART cookie is nearly identical between the two
except
for the "state" field. This was less helpful than I had hoped.
Any help, hints, or things to debug will be greatly appreciated.
Thanks in
advance!
-Mike Yoder
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2114
days inactive
2118
days old
4 comments
2 participants
participants (2)
-
Dmitry Telegin -
Michael Yoder