Tags: authentication, keycloak, haproxy

Keycloak 20.0.2 does not accept backchannel connection


I am having some issue with having Keycloak 20.0.2 working for my web application.


I have my keycloak URL accessible at:

https://example.com/white-graduation/keycloak/auth

This is designed for the backend application to work with keycloak. It fundamentally uses haproxy as a reverse proxy to connect the https address to my internal keycloak.

So far, all frontend login has been working, without any issue. I can also have access to the keycloak control console UI.

The internal keycloak address is at:

http://loginservice:8080/white-graduation/keycloak/auth

This is designed for the backend application to work with keycloak.

However, the backend login is facing a 401 issue.


By experimenting with different curl calls in the container that's running the backend, I found that:

curl -I -X GET https://example.com/white-graduation/keycloak/auth/realms/shirasaki-academy/protocol/openid-connect/userinfo -H "Authorization: Bearer Example-Bearer-Token"

This API call gives 200, but

curl -I -X GET https://loginservice:8080/white-graduation/keycloak/auth/realms/shirasaki-academy/protocol/openid-connect/userinfo -H "Authorization: Bearer Example-Bearer-Token"

This gives 401, i.e. the back-channel didn't work.

I decoded Example-Bearer-Token; it does show that the iss is indeed only https://example.com/white-graduation/keycloak/auth/realms/shirasaki-academy, because the backend still uses the frontend to log in. But it should still work.


My Keycloak 20.0.2's setting:

KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=whatever
KC_HTTP_RELATIVE_PATH=/white-graduation/keycloak/auth
KC_HOSTNAME_ADMIN_URL=https://example.com/white-graduation/keycloak/auth
KC_HOSTNAME_STRICT=false
KC_HTTP_ENABLED=true
KC_HTTP_PORT=8080
KC_HOSTNAME_STRICT_HTTPS=false
KC_PROXY=edge

Keycloak 20.0.2 (Quarkus) is run through:

/opt/keycloak/bin/kc.sh start-dev --import-realm --log-level=org.keycloak.events:debug --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true

Note that I did not set KC_HOSTNAME_STRICT_BACKCHANNEL, but this is already false by default, which in that case should allow the back-channel connection to work.

Note that this isn't the recommended setting for a production environment. But this isn't a production environment after all.


Solution

  • Problem solved by setting:

    KC_HOSTNAME_URL=https://example.com/white-graduation/keycloak/auth
    

    which means, KC_HOSTNAME_URL == KC_HOSTNAME_ADMIN_URL

    After that, the internal API endpoint starts working.

    Not really sure why, but at least this solves my problem.
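As an added illustration (not from the question, the answer, or Keycloak's own code): Keycloak's userinfo endpoint verifies the token's iss against the realm issuer it computes from the base URL of the request it received, so with KC_HOSTNAME_URL unset that issuer follows whichever host the request reached, while setting KC_HOSTNAME_URL fixes it. The Python below models that check on a constructed, unsigned token; effective_base is a simplified model of hostname resolution with KC_HOSTNAME_STRICT=false, and the URLs and realm name are the question's.

```python
import base64
import json
from typing import Optional, Tuple

# Values from the question (constructed demo; no real token or server is used).
FRONTEND_BASE = "https://example.com/white-graduation/keycloak/auth"
BACKCHANNEL_BASE = "http://loginservice:8080/white-graduation/keycloak/auth"
REALM = "shirasaki-academy"


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer Keycloak derives for a realm: <base URL>/realms/<realm>."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def effective_base(request_base: str, hostname_url: Optional[str]) -> str:
    """Simplified model of hostname resolution with KC_HOSTNAME_STRICT=false:
    KC_HOSTNAME_URL, when set, fixes the frontend URL; otherwise the base URL
    is taken from the incoming request (the back-channel host in the question)."""
    return (hostname_url or request_base).rstrip("/")


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT for diagnosis only.
    The signature is NOT verified here; this never authenticates a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_check(token: str, request_base: str, hostname_url: Optional[str],
                 realm: str) -> Tuple[bool, str, str]:
    """Reproduce the realm-URL check: the token's iss must equal the issuer
    Keycloak computes for the endpoint that received the request."""
    expected = realm_issuer(effective_base(request_base, hostname_url), realm)
    actual = jwt_claims(token).get("iss", "")
    return actual == expected, actual, expected


def make_demo_token(claims: dict) -> str:
    """Constructed JWT with a placeholder signature segment (demo only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Token minted through the frontend URL, as in the question.
TOKEN = make_demo_token({"iss": realm_issuer(FRONTEND_BASE, REALM), "sub": "demo-user"})

if __name__ == "__main__":
    for hostname_url in (None, FRONTEND_BASE):  # KC_HOSTNAME_URL unset vs. set
        for base in (FRONTEND_BASE, BACKCHANNEL_BASE):
            ok, actual, expected = issuer_check(TOKEN, base, hostname_url, REALM)
            print(f"KC_HOSTNAME_URL={hostname_url!r}, request via {base}: "
                  f"{'200' if ok else '401'} (iss={actual}, expected={expected})")
```

Run on a real access token (replace TOKEN with the bearer string), the printed expected issuer for the loginservice base shows exactly which URL the back-channel request was compared against.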