Tags: authentication, http-redirect, keycloak, openid-connect, istio

Unable to redirect back to application page after keycloak login


I have deployed the OIDC provider (Keycloak) in a k8s cluster and it is exposed as a load balancer. I'm using this along with Istio to redirect back to my application after a successful login in Keycloak. The application is accessible at https://<istio-ingressgateway-ip>/hello

When I hit https://<istio-ingressgateway-ip>/hello, it is correctly redirecting me to the Keycloak login page at https://<keycloak-ip>/auth/realms/<realm-name>/protocol/openid-connect/auth

However, after entering the username and password for the user, I'm not able to get the redirection back to my application at https://<istio-ingressgateway-ip>/hello. I think the user setup is correct, as I'm successfully able to log in to the Keycloak user console at http://<keycloak-ip>/auth/realms/<realm-name>/account

I have configured the values below as the 'Valid Redirect URIs' in the Keycloak client:

https://<istio-ingressgateway-ip>
https://<istio-ingressgateway-ip>/hello/oauth/callback
https://<istio-ingressgateway-ip>/*
https://<keycloak-ip>/auth/realms/<realm-name>/protocol/openid-connect/auth/oauth/callback
https://<keycloak-ip>/auth/realms/<realm-name>/protocol/openid-connect/auth

Can someone please let me know what is missing here for the redirection?


Solution

  • Assuming you are using Authservice for the authentication and that your configuration is correct: I had the same issue, and when I looked at the logs from the authservice container in my pod, I got to know that authservice failed to obtain the access token in exchange for the authorization code. The issue, as stated by Ryan from Authservice, was:

    When the Authservice tried to gracefully shutdown the TLS connection, and the server on the other side did not participate fully in the graceful shutdown.

    This issue has now been fixed, and you can build a new Docker image from the master branch to be able to fix it. More details about the issue and its resolution can be found in this GitHub issue.

    If this is not the issue, then there could be a problem with the flow from Keycloak; you can use the OpenID debugger to get the authorization code and then use that code to get the access token. This will help you identify if there is an issue on Keycloak's part.

    If your configurations are correct and the above fix doesn't solve your issue, you should consider creating an issue on GitHub with the logs from your authservice container.
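To reproduce the two checks the answer describes by hand (does the app's redirect_uri match the client's Valid Redirect URIs, and does the authorization-code exchange against Keycloak's token endpoint succeed), here is an added example that is not code from the question, the answer, Authservice or Keycloak. The hostnames, realm name `myrealm` and client id `istio-app` are constructed placeholders, and the redirect matcher is a simplified reading of Keycloak's exact-or-trailing-wildcard rule:

```python
"""Added example (not from the question or answer): check a redirect_uri against
Keycloak-style 'Valid Redirect URIs' and build the authorization-code exchange that
Authservice performs. Hostnames, realm and client names are constructed placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed stand-ins for the question's <istio-ingressgateway-ip> and <keycloak-ip>
APP_BASE = "https://istio-gw.example"
KEYCLOAK_BASE = "https://keycloak.example"
REALM, CLIENT_ID = "myrealm", "istio-app"  # assumed realm and client names

def redirect_uri_allowed(redirect_uri: str, valid_patterns) -> bool:
    """Simplified form of Keycloak's rule: exact match, or a pattern ending in '*'
    matches any suffix. Scheme and host are compared literally, so an http vs https
    or IP vs hostname mismatch is rejected (a common cause of 'Invalid redirect_uri')."""
    target = redirect_uri.split("#", 1)[0]  # a fragment never reaches the server
    for pattern in valid_patterns:
        if pattern.endswith("*"):
            if target.startswith(pattern[:-1]):
                return True
        elif target == pattern:
            return True
    return False

def build_token_request(code: str, redirect_uri: str, client_secret: str):
    """RFC 6749 section 4.1.3 request to Keycloak's token endpoint (same realm path
    layout as the auth endpoint in the question). redirect_uri must be byte-for-byte
    the value sent in the authorization request, or Keycloak refuses the code."""
    url = f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def exchange_code(req, opener=urllib.request.urlopen):
    """Send the token request and return (ok, parsed JSON). On a 400, Keycloak's
    error/error_description shows whether Keycloak or Authservice is at fault."""
    try:
        with opener(req) as resp:
            return True, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return False, json.loads(err.read())
```

Run `exchange_code(build_token_request(code, redirect_uri, secret))` with a code obtained from the OpenID debugger; a successful response isolates the failure to the Authservice side, while an error payload names the Keycloak-side misconfiguration.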