Yet another Keycloak redirect issue #507

tmeuze · 2022-02-24T03:13:57Z

tmeuze
Feb 24, 2022

I know you are probably so tired of these Keycloak redirect threads. I'm sorry.

It was working perfectly yesterday, and now I'm getting the infinite redirect. I have Dashy at base.svc.and and Keycloak at key.svc.and.

Here is my Keycloak client:

I've tried all variety of with/without the wildcard.

Here's a excerpt of the console - fresh login:

authentik/api[authentik-default]: 200 GET /api/v3/flows/executor/authorize/?query=scope%3Dopenid%26state%3Dp_IrhczJsqwNm-lo2JP4do9Pa4IkltXwPGYMYt_pcNE.6YhygCBuKIU.dashy%26response_type%3Dcode%26client_id%3Dce27d58c8d35a3464e0e65b5267429ee13a6bf91%26redirect_uri%3Dhttps%253A%252F%252Fkey.svc.and%252Fauth%252Frealms%252Fmaster%252Fbroker%252Foidc%252Fendpoint%26nonce%3D8H2LgJjbyZw-nsDkhqTZJw [instrument.ts:125:35](https://<authentik>/static/node_modules/@sentry/utils/src/instrument.ts)
authentik/flows: redirecting to url from server [https://key.svc.and/auth/realms/master/broker/oidc/endpoint?…_IrhczJsqwNm-lo2JP4do9Pa4IkltXwPGYMYt_pcNE.6YhygCBuKIU.dashy](https://key.svc.and/auth/realms/master/broker/oidc/endpoint?code=63d0cd204dcc42968ffda48b16e3c787&state=p_IrhczJsqwNm-lo2JP4do9Pa4IkltXwPGYMYt_pcNE.6YhygCBuKIU.dashy) [instrument.ts:125:35](https://<authentik>/static/node_modules/@sentry/utils/src/instrument.ts)
GEThttps://<authentik>/static/dist/assets/icons/icon.png

GEThttps://key.svc.and/auth/realms/master/broker/oidc/endpoint?code=63d0cd204dcc42968ffda48b16e3c787&state=p_IrhczJsqwNm-lo2JP4do9Pa4IkltXwPGYMYt_pcNE.6YhygCBuKIU.dashy
[[HTTP/2 302 Found 438ms]]()

authentik/ws: closed ws connection: [object CloseEvent] [instrument.ts:125:35](https://<authentik>/static/node_modules/@sentry/utils/src/instrument.ts)
authentik/ws: reconnecting ws in 400ms [instrument.ts:125:35](https://<authentik>/static/node_modules/@sentry/utils/src/instrument.ts)
GETwss://<authentik>/ws/client/
GEThttps://base.svc.and/#state=56735157-ac92-46a3-ba5a-adcfc07b3efe&session_state=3391d23e-7a91-4e60-8317-3ef1bbfab79e&code=c53fda08-9e0a-4be8-ba42-d81658102c04.3391d23e-7a91-4e60-8317-3ef1bbfab79e.bf8a63de-9dc7-4b68-8d00-1b4ea537feff
[[HTTP/2 304 Not Modified 5ms]]()

GEThttps://base.svc.and/css/chunk-vendors.d8067ad8.css
[[HTTP/2 304 Not Modified 6ms]]()

POSThttps://<authentik>/api/v3/sentry/
GEThttps://base.svc.and/js/dashy.ccbbc581.js
[[HTTP/2 304 Not Modified 6ms]]()

GEThttps://base.svc.and/js/chunk-vendors.b4da22d5.js
[[HTTP/2 304 Not Modified 6ms]]()

GEThttps://base.svc.and/css/dashy.e14390ea.css
[[HTTP/2 304 Not Modified 6ms]]()

GEThttps://<authentik>/ws/client/
POSThttps://<authentik>/api/v3/sentry/
GEThttps://base.svc.and/img/icons/apple-touch-icon-152x152.png
[[HTTP/2 200 OK 0ms]]()

GEThttps://key.svc.and/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html
[[HTTP/2 200 OK 9ms]]()

GEThttps://base.svc.and/web-icons/favicon-32x32.png
[[HTTP/2 200 OK 0ms]]()

GEThttps://key.svc.and/auth/realms/master/protocol/openid-connect/3p-cookies/step2.html
[[HTTP/2 200 OK 8ms]]()

GEThttps://key.svc.and/auth/realms/master/protocol/openid-connect/login-status-iframe.html
[[HTTP/2 200 OK 8ms]]()

GEThttps://base.svc.and/

It should be noted that I'm using an OIDC provider - Authentik - to log into Keycloak. But I don't think that is relevant necessarily.

It seems that everything is running smoothly with Keycloak:

And I do have CORS policy specified in Caddy:

base.svc.and {
	reverse_proxy 10.0.1.30:9230 {
		header_down "Access-Control-Allow-Origin *"
	}
}
...
key.svc.and {
	reverse_proxy 10.0.1.30:9350 {
                ...
		header_down "Access-Control-Allow-Origin *"
	}
}

(Both places for good measure - I have no idea what I'm doing)

If anyone can catch what I'm doing wrong or provide some insight, I would greatly appreciate it!

Answered by Lissy93

Feb 24, 2022

Am starting to have nightmares about Keycloak!!

So based on your Caddy config, I think the issue is with the wildcard in your proxy. For requests that transport sensitive info like credentials, setting the accept header to a wildcard (*) is not allowed - see MDN Docs.

So the solution should be something like this:

base.svc.and {
  reverse_proxy 10.0.1.30:9230 {
    header_down "Access-Control-Allow-Origin key.svc.and"
  }
}

But it's weird that this was working previously, and now isn't. I've not made any changes that could affect auth for a couple of weeks, and Keycloak is pretty stable, so I think it's most likely the proxy thing.

For more info, see: Troubleshooting → Keycloak Redirect …

View full answer

Lissy93 · 2022-02-24T18:23:12Z

Lissy93
Feb 24, 2022
Maintainer

Am starting to have nightmares about Keycloak!!

So based on your Caddy config, I think the issue is with the wildcard in your proxy. For requests that transport sensitive info like credentials, setting the accept header to a wildcard (*) is not allowed - see MDN Docs.

So the solution should be something like this:

base.svc.and {
  reverse_proxy 10.0.1.30:9230 {
    header_down "Access-Control-Allow-Origin key.svc.and"
  }
}

But it's weird that this was working previously, and now isn't. I've not made any changes that could affect auth for a couple of weeks, and Keycloak is pretty stable, so I think it's most likely the proxy thing.

For more info, see: Troubleshooting → Keycloak Redirect Error
Hope that helps :)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Yet another Keycloak redirect issue #507

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Yet another Keycloak redirect issue #507

tmeuze Feb 24, 2022

Replies: 1 comment

Lissy93 Feb 24, 2022 Maintainer

tmeuze
Feb 24, 2022

Lissy93
Feb 24, 2022
Maintainer