Hi Michael,
Do you experience this issue while trying to log in to Keycloak Admin
console itself? Or is it some client application protected by Keycloak?
If the latter, could you please share the client config?
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote:
I've got an infinite redirect loop that I'm trying (and failing...) to
figure out. I'm using Keycloak 3.4.3, and in front of that I'm using
Apache httpd mod_proxy for load balancing. If I clear my cookies, or if
I fire up a new Incognito window, everything is fine. But otherwise,
when I try to log in to my application, I get an infinite redirect loop
(technically, a "302 Found", with the same Location: header each time:
http://<host>:7192/auth/realms/<realm>/login-actions/authenticate?client_id=<client>&tab_id=...)

I've had a look at what's going over the wire with wireshark, and
haven't been particularly enlightened. I'm just using http for now, not
https, but will do that later.

Interesting parts of my keycloak config are
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener
      name="default"
      socket-binding="httpish"
      enable-http2="true"
      proxy-address-forwarding="true"
    />
    ...
  </server>
  <servlet-container name="default">
    <session-cookie name="AUTH_SESSION_ID" http-only="true"/>
    ...
  </servlet-container>
In my httpd config there's
ProxyPreserveHost Off
ProxyAddHeaders On
Listen 7192
ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
ProxyPassReverse / balancer://auth/
<Proxy balancer://auth>
  BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
</Proxy>

(Yes I just have one BalancerMember - was attempting to isolate this
issue.)
The httpd is listening on port 7192, keycloak is on port 7193.

Since everything is fine if I use an Incognito window, or if I clear my
cookies, I have to imagine that the problem is with the cookies. I
looked at what was going over the wire - in the infinitely looping case,
I see two (different) AUTH_SESSION_ID cookies and one KC_RESTART cookie.
In the "good" case, I see a (different) AUTH_SESSION_ID cookie and one
KC_RESTART cookie. The KC_RESTART cookie is nearly identical between the
two except for the "state" field. This was less helpful than I had
hoped.

Any help, hints, or things to debug will be greatly appreciated. Thanks
in advance!
-Mike Yoder
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
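
A check for the symptom reported in the quoted message (two different AUTH_SESSION_ID cookies in one request), added here as an example and not part of the original thread. It flags cookie names sent more than once in a captured Cookie header and groups captured Set-Cookie headers by Domain and Path, because a browser stores same-named cookies with different Domain or Path as separate cookies and can send both. All header values, the route suffix `node1` and the realm name `demo` are constructed sample data.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample data (not taken from the thread): a request Cookie header
# and the Set-Cookie response headers captured earlier in the same session.
SAMPLE_COOKIE = ("AUTH_SESSION_ID=aaa111.node1; "
                 "AUTH_SESSION_ID=bbb222.node1; KC_RESTART=eyJhbGciOi")
SAMPLE_SET_COOKIE = [
    "AUTH_SESSION_ID=aaa111.node1; Path=/auth/realms/demo; HttpOnly",
    "AUTH_SESSION_ID=bbb222.node1; Path=/; HttpOnly",
    "KC_RESTART=eyJhbGciOi; Path=/auth/realms/demo; HttpOnly",
]


def duplicate_request_cookies(cookie_header):
    """Return {name: [values]} for names sent more than once in one request."""
    seen = defaultdict(list)
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            seen[name].append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def cookie_scopes(set_cookie_headers):
    """Map each cookie name to the set of (domain, path) scopes it was set with."""
    scopes = defaultdict(set)
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Missing Domain/Path attributes are reported as empty strings.
            scopes[name].add((morsel["domain"], morsel["path"]))
    return dict(scopes)


def conflicting_names(cookie_header, set_cookie_headers):
    """Names sent twice in the request AND set under more than one scope,
    i.e. the browser is holding two separate cookies with that name."""
    scopes = cookie_scopes(set_cookie_headers)
    return sorted(n for n in duplicate_request_cookies(cookie_header)
                  if len(scopes.get(n, ())) > 1)


if __name__ == "__main__":
    for name in conflicting_names(SAMPLE_COOKIE, SAMPLE_SET_COOKIE):
        print(name, sorted(cookie_scopes(SAMPLE_SET_COOKIE)[name]))
```

Feed it the Cookie and Set-Cookie header lines copied from the browser's network tab or a packet capture of the looping session.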