oauth2-proxy
Keycloak - Network response was not OK.
Expected Behavior
For Keycloak logins to work with oauth2-proxy in front of it.
Current Behavior
Works fine without oauth2proxy middleware.
Unexpected Application Error!
Network response was not OK.
Error: Network response was not OK.
at cc (https://auth.mydomain.com/resources/1sfoa/admin/keycloak.v2/assets/index-k_eS9LF7.js:48:296953)
at async #i (https://auth.mydomain.com/resources/1sfoa/admin/keycloak.v2/assets/index-k_eS9LF7.js:48:299325)
Steps to Reproduce (for bugs)
```yaml
##~~~~~~~~~~~~~~##
##Oauth Services##
##~~~~~~~~~~~~~~##
############
##Keycloak##
############
keycloak:
  image: quay.io/keycloak/keycloak
  container_name: Keycloak
  command: start
  environment:
    - TZ=$TZ
    - KC_HOSTNAME=auth.$DOMAINNAME
    # KC_PROXY_ADDRESS_FORWARDING has no equivalent on the Quarkus distribution; KC_PROXY=edge is
    # what takes effect. KC_PROXY is deprecated from Keycloak 24 in favour of
    # KC_PROXY_HEADERS=xforwarded, which matters here because the image tag is unpinned.
    - KC_PROXY_ADDRESS_FORWARDING=true
    - KC_PROXY=edge
    # - KEYCLOAK_ADMIN=$KEYCLOAK_ADMIN_USR
    # - KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PWD
    - KC_DB=mariadb
    # KC_DB_VENDOR is not a Keycloak option (DB_VENDOR belonged to the old WildFly image); KC_DB suffices.
    - KC_DB_SCHEMA=$KEYCLOAK_DATABASE
    - KC_DB_URL=jdbc:mariadb://keycloakdb:3306/$KEYCLOAK_DATABASE
    - KC_DB_USERNAME=$KEYCLOAK_DB_USER
    - KC_DB_PASSWORD=$KEYCLOAK_DB_PWD
    - KC_HEALTH_ENABLED=true
  networks:
    pihole:
      ipv4_address: '172.22.0.148'
    isolated:
  ports:
    # Publishing 8080 on the host exposes plain HTTP Keycloak directly, bypassing Traefik
    # and the oauth2-proxy middleware entirely.
    - 41159:8080
  volumes:
    - $USERDIR/Keycloak:/opt/keycloak/data
  labels:
    - backup
    - autoheal=true
    - "traefik.enable=true"
    ## HTTP Routers Auth Bypass
    - "traefik.http.routers.keycloak-rtr-bypass.entrypoints=https"
    # Parentheses group the path matchers so the Host constraint applies to all of them.
    # Without them && binds tighter than ||, and this no-auth router also claims
    # /realms/, /resources/ and /robots.txt for any Host that reaches this Traefik.
    - "traefik.http.routers.keycloak-rtr-bypass.rule=Host(`auth.$DOMAINNAME`) && (PathPrefix(`/js/`) || PathPrefix(`/realms/`) || PathPrefix(`/resources/`) || Path(`/robots.txt`))"
    - "traefik.http.routers.keycloak-rtr-bypass.tls=true"
    - "traefik.http.routers.keycloak-rtr-bypass.priority=100"
    ## HTTP Routers
    - "traefik.http.routers.keycloak-rtr.entrypoints=https"
    - "traefik.http.routers.keycloak-rtr.rule=Host(`auth.$DOMAINNAME`)"
    - "traefik.http.routers.keycloak-rtr.tls=true"
    - "traefik.http.routers.keycloak-rtr-ping.priority=99"
    ## Middlewares
    - "traefik.http.routers.keycloak-rtr-bypass.middlewares=chain-no-auth@file"
    # - "traefik.http.routers.keycloak-rtr.middlewares=chain-no-auth@file"
    - "traefik.http.routers.keycloak-rtr.middlewares=chain-oauth-admins@file"
    ## HTTP Services
    - "traefik.http.routers.keycloak-rtr.service=keycloak-svc"
    - "traefik.http.routers.keycloak-rtr-bypass.service=keycloak-svc"
    - "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
    ## Homepage
    - homepage.name=Keycloak
    - homepage.group=System
    - homepage.icon=keycloak
    - homepage.href=https://auth.$DOMAINNAME/admin
  depends_on:
    - keycloakdb
  restart: always

keycloakdb:
  image: linuxserver/mariadb
  container_name: Keycloak-DB
  networks:
    - isolated
  expose:
    - "3306"
  environment:
    - PUID=$PUID
    - PGID=$PGID
    - TZ=$TZ
    - MYSQL_DATABASE=$KEYCLOAK_DATABASE
    - MYSQL_USER=$KEYCLOAK_DB_USER
    - MYSQL_PASSWORD=$KEYCLOAK_DB_PWD
    - MYSQL_ROOT_PASSWORD=$KEYCLOAK_DB_ROOT_PASSWORD
  logging:
    driver: "local"
    options:
      max-size: 10m
      max-file: "3"
  volumes:
    - $USERDIR/Keycloak/DB:/config
  healthcheck:
    test: ["CMD", "mysqladmin", "ping", "--silent"]
    interval: 30s
    timeout: 1s
    retries: 5
  labels:
    - backup
    - autoheal=true
  restart: always

################
##Oauth2-Proxy##
################
oauth2proxyadmins:
  image: bitnami/oauth2-proxy
  container_name: Keycloak-Oauth-Admins
  command:
    - --http-address
    - 0.0.0.0:4180
  environment:
    - OAUTH2_PROXY_ALLOWED_ROLES=admin
    - OAUTH2_PROXY_CLIENT_ID=oauth2-proxy
    - OAUTH2_PROXY_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
    - OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=true
    - OAUTH2_PROXY_COOKIE_DOMAINS=.$DOMAINNAME
    - OAUTH2_PROXY_COOKIE_SECRET=$KEYCLOAK_COOKIE_SECRET
    - OAUTH2_PROXY_COOKIE_SECURE=true
    - OAUTH2_PROXY_EMAIL_DOMAINS=*
    - OAUTH2_PROXY_LOGIN_URL=https://auth.$DOMAINNAME/realms/traefik/protocol/openid-connect/auth
    - OAUTH2_PROXY_OIDC_ISSUER_URL=https://auth.$DOMAINNAME/realms/traefik
    - OAUTH2_PROXY_OIDC_JWKS_URL=https://auth.$DOMAINNAME/realms/traefik/protocol/openid-connect/certs
    - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
    - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
    - OAUTH2_PROXY_PROVIDER=keycloak-oidc
    - OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Keycloak
    - OAUTH2_PROXY_REDEEM_URL=https://auth.$DOMAINNAME/realms/traefik/protocol/openid-connect/token
    - OAUTH2_PROXY_REDIRECT_URL=https://oauth.$DOMAINNAME/oauth2/callback
    - OAUTH2_PROXY_REVERSE_PROXY=true
    - OAUTH2_PROXY_SCOPE=profile openid email groups
    # Emits an Authorization header on the auth response; see the forwardAuth middleware below
    # for what happens to the request's own Authorization header when it is forwarded.
    - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
    - OAUTH2_PROXY_SET_XAUTHREQUEST=true
    - OAUTH2_PROXY_SKIP_AUTH_STRIP_HEADERS=false
    - OAUTH2_PROXY_REAL_CLIENT_IP_HEADER=X-Forwarded-For
    - OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true
    - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
    - OAUTH2_PROXY_UPSTREAMS=static://202
    - OAUTH2_PROXY_WHITELIST_DOMAINS=.$DOMAINNAME
    - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://oauth2proxyredis:6379
    - OAUTH2_PROXY_SESSION_STORE_TYPE=redis
  labels:
    - backup
    - "traefik.enable=true"
    ## HTTP Routers (router/service names are per instance: Traefik merges same-named
    ## services defined on several containers into one load balancer)
    - "traefik.http.routers.oauth2-admins-rtr.entrypoints=https"
    - "traefik.http.routers.oauth2-admins-rtr.rule=Host(`oauth.$DOMAINNAME`)"
    - "traefik.http.routers.oauth2-admins-rtr.tls=true"
    ## HTTP Services
    - "traefik.http.routers.oauth2-admins-rtr.service=oauth2-admins-svc@docker"
    - "traefik.http.services.oauth2-admins-svc.loadbalancer.server.port=4180"
    ## Middlewares
    # - "traefik.http.routers.oauth2-admins-rtr.middlewares=chain-oauth-admins@file"
    - "traefik.http.routers.oauth2-admins-rtr.middlewares=chain-no-auth@file"
  logging:
    driver: "local"
    options:
      max-size: 10m
      max-file: "3"
  networks:
    pihole:
      ipv4_address: '172.22.0.149'
    isolated:
  restart: always
  depends_on:
    - keycloak
    - oauth2proxyredis

oauth2proxyusers:
  image: bitnami/oauth2-proxy
  container_name: Keycloak-Oauth-Users
  command:
    - --http-address
    - 0.0.0.0:4180
  environment:
    - OAUTH2_PROXY_ALLOWED_ROLES=users
    - OAUTH2_PROXY_CLIENT_ID=oauth2-proxy
    - OAUTH2_PROXY_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET
    - OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST=true
    - OAUTH2_PROXY_COOKIE_DOMAINS=.$DOMAINNAME
    - OAUTH2_PROXY_COOKIE_SECRET=$KEYCLOAK_COOKIE_SECRET
    - OAUTH2_PROXY_COOKIE_SECURE=true
    - OAUTH2_PROXY_EMAIL_DOMAINS=*
    - OAUTH2_PROXY_LOGIN_URL=https://auth.$DOMAINNAME/realms/traefik/protocol/openid-connect/auth
    - OAUTH2_PROXY_OIDC_ISSUER_URL=https://auth.$DOMAINNAME/realms/traefik
    - OAUTH2_PROXY_OIDC_JWKS_URL=https://auth.$DOMAINNAME/realms/traefik/protocol/openid-connect/certs
    - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
    - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
    - OAUTH2_PROXY_PROVIDER=keycloak-oidc
    - OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Keycloak
    - OAUTH2_PROXY_REDEEM_URL=https://auth.$DOMAINNAME/realms/traefik/protocol/openid-connect/token
    # Placeholder hostname (assumption): this instance cannot share oauth.$DOMAINNAME with the
    # admins instance, and whatever host is chosen must be a registered redirect URI on the client.
    - OAUTH2_PROXY_REDIRECT_URL=https://oauth-users.$DOMAINNAME/oauth2/callback
    - OAUTH2_PROXY_REVERSE_PROXY=true
    - OAUTH2_PROXY_SCOPE=profile openid email groups
    - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
    - OAUTH2_PROXY_SET_XAUTHREQUEST=true
    - OAUTH2_PROXY_SKIP_AUTH_STRIP_HEADERS=false
    - OAUTH2_PROXY_REAL_CLIENT_IP_HEADER=X-Forwarded-For
    - OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true
    - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
    - OAUTH2_PROXY_UPSTREAMS=static://202
    - OAUTH2_PROXY_WHITELIST_DOMAINS=.$DOMAINNAME
    - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://oauth2proxyredis:6379
    - OAUTH2_PROXY_SESSION_STORE_TYPE=redis
  labels:
    - backup
    - "traefik.enable=true"
    ## HTTP Routers (distinct names and Host from the admins instance, see above)
    - "traefik.http.routers.oauth2-users-rtr.entrypoints=https"
    - "traefik.http.routers.oauth2-users-rtr.rule=Host(`oauth-users.$DOMAINNAME`)"
    - "traefik.http.routers.oauth2-users-rtr.tls=true"
    ## HTTP Services
    - "traefik.http.routers.oauth2-users-rtr.service=oauth2-users-svc@docker"
    - "traefik.http.services.oauth2-users-svc.loadbalancer.server.port=4180"
    ## Middlewares
    # - "traefik.http.routers.oauth2-users-rtr.middlewares=chain-oauth-admins@file"
    - "traefik.http.routers.oauth2-users-rtr.middlewares=chain-no-auth@file"
  logging:
    driver: "local"
    options:
      max-size: 10m
      max-file: "3"
  networks:
    pihole:
      ipv4_address: '172.22.0.150'
    isolated:
  restart: always
  depends_on:
    - keycloak
    - oauth2proxyredis

#########
##Redis##
#########
oauth2proxyredis:
  container_name: Keycloak-Oauth-Redis
  image: redis:alpine
  networks:
    isolated:
  volumes:
    - $USERDIR/Redis:/data
  logging:
    driver: "local"
    options:
      max-size: 10m
      max-file: "3"
  restart: always
  depends_on:
    - keycloak
```
Traefik middlewares (fragment of the file-provider dynamic config, under `http.middlewares`):

```yaml
middlewares-oauth-admins:
  forwardAuth:
    address: "http://oauth2proxyadmins:4180"
    trustForwardHeader: true
    # Headers copied from the oauth2-proxy response onto the request sent upstream. Traefik
    # replaces any request header with the same name, so listing Authorization here overwrites
    # the Bearer token the Keycloak admin console itself sends on its /admin/realms/* calls.
    authResponseHeaders:
      - X-Auth-Request-Access-Token
      - Authorization
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - Set-Cookie
      - X-Auth-User
      - X-Secret
      - X-Forwarded-User
      - X-WebAuth-User
```
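As an added example (not code from this issue, from oauth2-proxy or from Traefik), here is a Python script that checks two properties of the compose labels and middleware above without a running stack: which requests the no-auth `keycloak-rtr-bypass` rule claims on a host it was never meant to serve, and what `Authorization` header Keycloak receives once forwardAuth has merged the posted `authResponseHeaders` list into the admin console's request. It assumes `&&` binds tighter than `||` (Go precedence, as Traefik's rule parser does); the posted rule gives the same result read left to right, and the parenthesised form does not depend on precedence at all. `example.com` stands in for `$DOMAINNAME`, and the header values are constructed samples.

```python
"""Two offline checks on the posted Traefik routing and forwardAuth configuration."""
import re
from dataclasses import dataclass

# ---------- 1. router rule evaluation: Host / PathPrefix / Path joined by && and || ----------
TOKEN_RE = re.compile(r"\s*(?:(Host|PathPrefix|Path)\(`([^`]*)`\)|(&&|\|\||\(|\)))")


@dataclass(frozen=True)
class Request:
    host: str
    path: str


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule at {rule[pos:]!r}")
        pos = m.end()
        tokens.append((m.group(1), m.group(2)) if m.group(1) else (m.group(3), None))
    return tokens


class RuleParser:
    """Recursive descent: && binds tighter than || (Go precedence, assumed to match Traefik)."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.i != len(self.tokens):
            raise ValueError("unexpected trailing tokens")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = (lambda l, r: lambda req: l(req) or r(req))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.atom()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda req: l(req) and r(req))(left, self.atom())
        return left

    def atom(self):
        kind, arg = self.take()
        if kind == "(":
            node = self.or_expr()
            if self.take()[0] != ")":
                raise ValueError("expected ')'")
            return node
        if kind == "Host":
            return lambda req: req.host == arg
        if kind == "PathPrefix":
            return lambda req: req.path.startswith(arg)
        if kind == "Path":
            return lambda req: req.path == arg
        raise ValueError(f"unexpected token {kind!r}")


def matches(rule, host, path):
    return RuleParser(tokenize(rule)).parse()(Request(host, path))


# "example.com" stands in for the page's $DOMAINNAME (assumption).
POSTED_BYPASS_RULE = ("Host(`auth.example.com`) && PathPrefix(`/js/`) || PathPrefix(`/realms/`) "
                      "|| PathPrefix(`/resources/`) || Path(`/robots.txt`)")
FIXED_BYPASS_RULE = ("Host(`auth.example.com`) && (PathPrefix(`/js/`) || PathPrefix(`/realms/`) "
                     "|| PathPrefix(`/resources/`) || Path(`/robots.txt`))")
PROBE_PATHS = ("/js/app.js", "/realms/traefik/", "/resources/x", "/robots.txt", "/admin/")


def foreign_host_matches(rule, host="other.example.com"):
    """Paths the no-auth bypass router still claims for a host it was never meant to serve."""
    return [p for p in PROBE_PATHS if matches(rule, host, p)]


# ---------- 2. forwardAuth authResponseHeaders merge ----------
def apply_forward_auth(request_headers, auth_response_headers, auth_response_header_names):
    """Headers named in authResponseHeaders are copied from the auth server's response onto the
    forwarded request, replacing a same-named header the client sent (Traefik's documented rule)."""
    wanted = {n.lower() for n in auth_response_header_names}
    upstream = dict(request_headers)
    for name, value in auth_response_headers.items():
        if name.lower() in wanted:
            for existing in [k for k in upstream if k.lower() == name.lower()]:
                del upstream[existing]
            upstream[name] = value
    return upstream


# Constructed samples: the admin console's own bearer token on a /admin/realms/... call, and the
# headers oauth2-proxy returns with set-authorization-header / set-xauthrequest enabled.
ADMIN_CONSOLE_REQUEST = {"Authorization": "Bearer admin-console-token",
                         "Cookie": "_oauth2_proxy=session-ticket"}
OAUTH2_PROXY_RESPONSE = {"Authorization": "Bearer oauth2-proxy-id-token",
                         "X-Auth-Request-User": "alice", "X-Auth-Request-Email": "alice@example.com"}
POSTED_AUTH_RESPONSE_HEADERS = ["X-Auth-Request-Access-Token", "Authorization", "X-Auth-Request-User",
                                "X-Auth-Request-Email", "Set-Cookie", "X-Auth-User", "X-Secret",
                                "X-Forwarded-User", "X-WebAuth-User"]


def upstream_authorization(header_names):
    """Authorization header Keycloak sees after forwardAuth, for a given authResponseHeaders list."""
    merged = apply_forward_auth(ADMIN_CONSOLE_REQUEST, OAUTH2_PROXY_RESPONSE, header_names)
    return merged.get("Authorization")


if __name__ == "__main__":
    print("bypass rule as posted, other host:", foreign_host_matches(POSTED_BYPASS_RULE))
    print("bypass rule with parentheses:     ", foreign_host_matches(FIXED_BYPASS_RULE))
    print("Authorization upstream, as posted:", upstream_authorization(POSTED_AUTH_RESPONSE_HEADERS))
    kept = [h for h in POSTED_AUTH_RESPONSE_HEADERS if h != "Authorization"]
    print("Authorization upstream, dropped:  ", upstream_authorization(kept))
```

Running it shows the posted bypass rule matching `/realms/`, `/resources/` and `/robots.txt` on `other.example.com` while the parenthesised rule matches nothing there, and shows the admin console's own bearer token surviving the forwardAuth merge only when `Authorization` is left out of `authResponseHeaders`.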
Looks like I had a typo from an errant C+P.
Should have been:

```yaml
    ## HTTP Routers
    - "traefik.http.routers.keycloak-rtr.entrypoints=https"
    - "traefik.http.routers.keycloak-rtr.rule=Host(`auth.$DOMAINNAME`)"
    - "traefik.http.routers.keycloak-rtr.tls=true"
    - "traefik.http.routers.keycloak-rtr.priority=99"
```

instead of:

```yaml
    ## HTTP Routers
    - "traefik.http.routers.keycloak-rtr.entrypoints=https"
    - "traefik.http.routers.keycloak-rtr.rule=Host(`auth.$DOMAINNAME`)"
    - "traefik.http.routers.keycloak-rtr.tls=true"
    - "traefik.http.routers.keycloak-rtr-ping.priority=99"
```
Nope, issue is still there, unfortunately.
Hi, @modem7 did you resolve the issue? I have the same issue :(
Unfortunately not. I now rely solely on 2fa and crowdsec to protect the front-end.
It's secure enough, but I'd certainly prefer the additional protection.
Same issue for me. I am using a simple docker-compose.yml file as follows:

```yaml
version: '3'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:23.0.0
    container_name: keycloak
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
    # No KC_DB* settings, so this Keycloak uses its dev-file store and never talks to postgres.
    command:
      - start-dev
    depends_on:
      - postgres
    networks:
      - keycloak_network
  postgres:
    image: postgres:latest
    container_name: postgres
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=keycloak
    networks:
      - keycloak_network
networks:
  keycloak_network:
    driver: bridge
```
I have the same error! Is there any workaround?
Same Issue here.
After migrating to 23.0.6 when accessing the SAML client, we are presented with "invalid request" and reason "invalid_destination". Upon trying to check the client scopes for the SAML client in the admin UI we are presented with "Network response was not OK". No further log entries for that in the keycloak log file.
Also, recreating the SAML client did not help. Same issue after that.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
I am getting the same issue when using the quay.io/keycloak/keycloak:23.0.6 image for Docker.
Why was this closed? I am having this issue as well. There are a number of threads on this issue closed without resolution. Doesn’t do anybody any good.
I am receiving this issue on Keycloak version 25.0.0 when I attempt to import SAML config from an XML file!!!!
please check your DB connection of keycloak
What do you mean by that? Please explain more.
I was getting the same issue. I am using a microk8s single-node cluster on GCE. After I pulled the latest image (25.0.2) it started working fine. Also, in my ingress resource I am not doing anything related to proxy headers. Here is my Keycloak config:
PS: doing SSL termination at the ingress.
```yaml
- name: keycloak
  image: quay.io/keycloak/keycloak:latest
  args: ["start"]
  env:
    - name: KEYCLOAK_ADMIN
      value: "xxxxx"
    - name: KEYCLOAK_ADMIN_PASSWORD
      value: "xxxxx"
    - name: KC_HTTP_ENABLED
      value: "true"
    - name: KC_HTTP_PORT
      value: "8080"
    - name: KC_PROXY_HEADERS
      value: "xforwarded"
    - name: KC_HOSTNAME
      value: "https://auth.xxxxxx.com"
    - name: KC_HOSTNAME_BACKCHANNEL_DYNAMIC
      value: "true"
    - name: KC_HOSTNAME_ADMIN
      value: "https://auth.xxxxx.com/"
```