[keycloak-user] Infinite loop on one of our service's home page

Thomas Darimont thomas.darimont at googlemail.com
Fri Nov 4 14:10:35 EDT 2016


do you see any errors in the keycloak logs?

I experienced the same error multiple times - reasons were either wrong
proxy configuration or wrong keycloak.json or database connectivity
problems on a load-balanced second Keycloak instance.

Since the service on localhost is not affected it could be that your proxy
configuration is wrong.

If you do ssl-termination in the proxy make sure that you set the right
proxy headers:

(from an older mailing list thread)

proxy_pass http://your-upstream-here;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # <- only set this if you’re
using SSL

Also remember to configure proxy-address forwarding in undertow:

echo SETUP: Configure Undertow Proxy-Address-Forwarding for use behind
Reverse Proxy


For additional debugging you could also configure undertow in Wildfly to
dump all requests to the log

$KEYCLOAK_HOME/bin/jboss-cli.sh -c




Which ssl-mode did you configure in Keycloak admin-console?
Keycloak handles certain IPs differently when set to "ssl-mode: external".
This could explain why
See "ssl-mode" at: https://keycloak.gitbooks.io/server-adminstration-guide/

Try setting "ssl-required: none" in keycloak.json on the second service (if
internal and after ssl termination...):


Am 04.11.2016 4:20 nachm. schrieb "Ian Lachance" <
ian.lachance at bionxinternational.com>:

> Hi,
> We are running Keycloak in production on one of our servers. For now,
> Keycloak is used to connect to two of our services, both of them acceded by
> One of them (service #1) is in the same server as Keycloak, and the other
> (service #2) is on another server.
> We use NGINX to proxy pass to the three services: Keycloak and service #1
> on some localhost ports, and service #2 on an external ip address.
> When we authenticate on service #1, we have no problem, but when we
> authenticate on service #2, an infinite loop occurs on the home page.
> When we look at the Keycloak Adapter on service #2, we can see the
> Keycloak object with the data (user, token, etc.), but the page refresh
> automatically.
> When the page refresh, it's not caused by a logout call on our Javascript
> code.
> Do you have any idea what it can be?
> We are using Keycloak version 2.2.1 FINAL.
> Thank you,
> Ian
> Nothing in this message is intended to constitute an electronic signature
> unless a specific statement to the contrary is included in this message.
> Confidentiality Note: This message is intended only for the person or
> entity to which it is addressed. It may contain confidential and/or
> privileged material. Any review, transmission, dissemination or other use,
> or taking of any action in reliance upon this message by persons or
> entities other than the intended recipient is strictly prohibited and may
> be unlawful. Communication by email is not a secure medium and, as part of
> the transmission process, this message may be copied to servers operated by
> third parties while in transit. If you received this message in error,
> please immediately contact the sender by reply email and delete it from
> your computer, including any attachments.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list