[keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect

Michael Yoder myoder at cloudera.com
Mon Jul 9 17:59:50 EDT 2018


I've got an infinite redirect loop that I'm trying (and failing...) to
figure out.  I'm using Keycloak 3.4.3, and in front of that I'm using
Apache httpd mod_proxy for load balancing.  If I clear my cookies, or if I
fire up a new Incognito window, everything is fine.  But otherwise, when I
try to log in to my application, I get an infinite redirect loop
(technically, a "302 Found", with the same Location: header each time:
http://<host>:7192/auth/realms/<realm>/login-actions/authenticate?client_id=<client>&tab_id=...)

I've had a look at what's going over the wire with wireshark, and haven't
been particularly enlightened. I'm just using http for now, not https, but
will do that later.

Interesting parts of my keycloak config are

    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
      <buffer-cache name="default"/>
      <server name="default-server">
        <http-listener
                       name="default"
                       socket-binding="httpish"
                       enable-http2="true"
                       proxy-address-forwarding="true"
        />
        ...
      </server>
      <servlet-container name="default">
        <session-cookie name="AUTH_SESSION_ID" http-only="true" />
        ...
      </servlet-container>

In my httpd config there's

ProxyPreserveHost Off
ProxyAddHeaders On
Listen 7192
ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
ProxyPassReverse / balancer://auth/
<Proxy balancer://auth>
BalancerMember http://<host>:7193 retry=10 route=auth-AUTHSERVER-...
</Proxy>

(Yes I just have one BalancerMember - was attempting to isolate this issue.)

The httpd is listening on port 7192, keycloak is on port 7193.

Since everything is fine if I use an Incognito window, or if I clear my
cookies, I have to imagine that the problem is with the cookies. I looked
at what was going over the wire - in the infinitely looping case, I see two
(different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the
"good" case, I see a (different) AUTH_SESSION_ID cookie and one KC_RESTART
cookie. The KC_RESTART cookie is nearly identical between the two except
for the "state" field. This was less helpful than I had hoped.

Any help, hints, or things to debug will be greatly appreciated. Thanks in
advance!
-Mike Yoder
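As an added triage helper (not part of the original post, and not Keycloak or httpd code), this script flags in captured traffic the three signals described above: repeated 302s to one Location, more than one cookie of the same name in a single request, and one cookie name issued under differing Path/Domain scopes, which is the only way a browser ends up holding two same-named cookies. The sample traffic, host, realm and cookie values are constructed.

```python
# Added triage helper, not from the original post: flags repeated 302s, duplicate
# cookie names in a request, and one cookie name issued under differing scopes.
from collections import Counter, defaultdict

def parse_cookie_header(value):
    """(name, value) pairs from a request Cookie header, duplicates kept."""
    pairs = []
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs.append((name, val))
    return pairs

def cookie_scope(set_cookie):
    """(name, path, domain) from one Set-Cookie header (no Path is simplified to '/')."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    scope = {"path": "/", "domain": ""}
    for a in attrs:
        key, _, val = a.partition("=")
        key = key.lower()
        if key in scope and val:
            scope[key] = val.lower().lstrip(".") if key == "domain" else val
    return first.partition("=")[0], scope["path"], scope["domain"]

def triage(exchanges, loop_threshold=3):
    """exchange: {'cookie': str, 'status': int, 'location': str, 'set_cookie': [str]}."""
    findings = []
    locs = Counter(e["location"] for e in exchanges if e["status"] == 302)
    for loc, n in locs.items():
        if n >= loop_threshold:
            findings.append(f"loop: {n}x 302 to {loc}")
    for e in exchanges:
        for name, n in Counter(c[0] for c in parse_cookie_header(e["cookie"])).items():
            if n > 1:
                findings.append(f"request sent {n} cookies named {name}")
    scopes = defaultdict(set)
    for e in exchanges:
        for sc in e["set_cookie"]:
            name, path, domain = cookie_scope(sc)
            scopes[name].add((path, domain))
    findings += [f"{n} issued with differing scopes: {sorted(s)}"
                 for n, s in scopes.items() if len(s) > 1]
    return findings

# Constructed sample traffic; host, realm and cookie values are placeholders.
LOOP_URL = "http://host:7192/auth/realms/demo/login-actions/authenticate?client_id=app"
SAMPLE = 3 * [{"cookie": "AUTH_SESSION_ID=aaa.node1; AUTH_SESSION_ID=bbb.node1; KC_RESTART=xyz",
               "status": 302, "location": LOOP_URL, "set_cookie": [
               "AUTH_SESSION_ID=bbb.node1; Path=/auth/realms/demo/; HttpOnly",
               "AUTH_SESSION_ID=aaa.node1; Path=/auth/; HttpOnly"]}]
```

Run `triage(SAMPLE)` on a capture converted to this shape; a clean exchange with one cookie per name and no repeated redirects returns an empty list.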
