[bitnami/keycloak] initial 'user' login results in looping reload of page, never logging in
Name and Version
bitnami/keycloak:21.1.3
What architecture are you using?
amd64
What steps will reproduce the bug?
Standard helm deployment using values.yaml below.
Note:
- I can use port-forwarding to the keycloak service and everything works. This issue is occurring when I try to access via FQDN using the ingress.
Are you using any custom parameters or values?
```yaml
keycloak:
  image:
    debug: true # use to increase logging
  global:
    storageClass: tkg-storage-policy
  auth:
    adminPassword: "something"
  production: false
  # enable use of reverse proxy
  proxy: edge
  ingress:
    enabled: true
    ingressClassName: avi-lb
    hostname: keycloak.k.home.net
    pathType: Prefix
    tls: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"
  postgresql:
    enabled: true
    auth:
      password: 8e917492-1111-2222-3333-7643d204b9b2
```
What is the expected behavior?
Would expect to be able to login as 'user'.
What do you see instead?
After a clean deployment I have the opportunity to login as 'user'. I can see it is checking the password because if I log in with the wrong password it asks me to login again. It accepts the correct password but then continually reloads the page only showing the spinning console icon. I can see in the logs:
```
2024-05-08 20:53:59,616 WARN [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="c1919950-95aa-48db-a5e8-7a6e78226b96", clientId="security-admin-console", userId="null", ipAddress="10.224.250.31", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-05-08 20:54:05,037 WARN [org.keycloak.events] (executor-thread-3) type="REFRESH_TOKEN_ERROR", realmId="c1919950-95aa-48db-a5e8-7a6e78226b96", clientId="security-admin-console", userId="null", ipAddress="10.224.250.31", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-05-08 20:54:09,744 WARN [org.keycloak.events] (executor-thread-4) type="REFRESH_TOKEN_ERROR", realmId="c1919950-95aa-48db-a5e8-7a6e78226b96", clientId="security-admin-console", userId="null", ipAddress="10.224.250.31", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
```
Additional information
```
$ kubectl version
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.10+vmware.1-fips.1
```
I switched from using ingressClassName "avi-lb" to "nginx" and everything started working.
I'm looking into why "avi-lb" is experiencing an issue but "nginx" does not.
Hi @lknite
Thanks for sharing this info with the community.
I'm unfamiliar with the Avi IngressClass object, so I'm keeping this open so you can share any advances on this.
I got the same error with avi-lb
Someone from avi collected a packet trace from my client system with keycloak working using nginx, and a packet trace via avi using avi-lb. Will report back once they've had a chance to look. (maybe? https://avinetworks.com/docs/latest/x-forwarded-for-header-insertion/)
Yes, the non-existence of x-forwarded-for is my privileged track too.
For me the issue was that "HTTP-Only Cookies" was checked https://avinetworks.com/docs/latest/x-forwarded-for-header-insertion/img/application-profile-1.png
Unchecking 'HTTP-Only Cookies' also fixed it for me.
@dgilsonAfelio do you happen to also know about gateway-api? I was trying to get gateway-api to work while I simultaneously worked to get the avi-lb ingress to work. I thought maybe unchecking "HTTP-Only Cookies" might also cause gateway-api to work but so far no luck.
@dgilsonAfelio same here!
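The thread points at two things an ingress in front of Keycloak in `proxy: edge` mode can get wrong: not forwarding the `X-Forwarded-*` headers Keycloak uses to build its endpoint URLs, and rewriting cookies (Avi's "HTTP-Only Cookies" option) that the admin console's browser-side code must read. The script below is an added diagnostic, not part of the issue or the bitnami chart; it assumes that `KEYCLOAK_SESSION` is a cookie the Keycloak login-status iframe reads from JavaScript, and runs offline over constructed sample responses shaped like the ones a broken ingress for `keycloak.k.home.net` would return.

```python
"""Offline checks for the admin-console reload loop discussed in the thread."""
from urllib.parse import urlsplit

# Assumption: cookies Keycloak's browser-side code reads; forcing HttpOnly on
# them (as a proxy's "HTTP-Only Cookies" option does) breaks session checks.
JS_READABLE_COOKIES = {"KEYCLOAK_SESSION"}


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def cookie_findings(set_cookie_headers: list[str]) -> list[str]:
    """Flag cookies the proxy has made HttpOnly although the console needs to read them."""
    findings = []
    for header in set_cookie_headers:
        name, flags = parse_set_cookie(header)
        if name in JS_READABLE_COOKIES and "httponly" in flags:
            findings.append(f"{name} arrives HttpOnly: proxy is rewriting cookies the console reads")
        if "secure" not in flags:  # ingress has tls: true, so every cookie should be Secure
            findings.append(f"{name} lacks the Secure attribute")
    return findings


def discovery_findings(discovery: dict, external_origin: str) -> list[str]:
    """Flag OIDC endpoints whose scheme/host differ from the FQDN the browser uses."""
    want = urlsplit(external_origin)
    findings = []
    for key, value in discovery.items():
        if not (isinstance(value, str) and value.startswith("http")):
            continue
        got = urlsplit(value)
        if (got.scheme, got.netloc) != (want.scheme, want.netloc):
            findings.append(f"{key}={value}: expected {want.scheme}://{want.netloc}"
                            " (X-Forwarded-Proto/Host not reaching Keycloak?)")
    return findings


# Constructed samples (not captures from the thread) of what a misconfigured ingress returns.
SAMPLE_COOKIES = [
    "KEYCLOAK_SESSION=master/1234; Path=/realms/master/; Secure; HttpOnly",
    "KEYCLOAK_IDENTITY=placeholder; Path=/realms/master/; Secure; HttpOnly; SameSite=None",
]
SAMPLE_DISCOVERY = {
    "issuer": "http://keycloak.k.home.net/realms/master",
    "token_endpoint": "http://keycloak.k.home.net/realms/master/protocol/openid-connect/token",
    "grant_types_supported": ["refresh_token"],
}

if __name__ == "__main__":
    for line in cookie_findings(SAMPLE_COOKIES) + discovery_findings(SAMPLE_DISCOVERY, "https://keycloak.k.home.net"):
        print(line)
```

Feed it the real `Set-Cookie` headers and the `/realms/<realm>/.well-known/openid-configuration` document fetched once through port-forwarding and once through the ingress; the working path should produce no findings.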