[BUG] Redirect loop when keycloak auth is enabled #604

Closed
kafeinnet opened this issue Apr 19, 2022 · 13 comments

@kafeinnet

Environment

Self-Hosted (Docker)

Version

2.0.7

Describe the problem

Hi,

Dashy causes a redirect loop when keycloak auth is enabled and I'm not sure how I can debug that.

The app keeps redirecting to my keycloak server (/auth/realms/myrealm/protocol/openid-connect/auth?client_id=... and all the auth workflow).
Then keycloak redirects to the app callback https://fqdn/#state=....
Then there is a POST request on /auth/realms/myrealm/protocol/openid-connect/token and keycloak returns a JSON object which seems to be a valid bearer token.
And then the app refreshes itself and everything starts again.

The keycloak session is OK, the returned token is OK, some other apps are using this keycloak instance without problem and dashy is working OK if I don't enable keycloak auth. Is there any way to be sure this is a dashy bug or to find out what is happening?

\fab

Additional info

No response

Please tick the boxes

@kafeinnet kafeinnet added the 🐛 Bug [ISSUE] Ticket describing something that isn't working label Apr 19, 2022
@liss-bot

This comment was marked as outdated.

@kafeinnet
Author

Oh, I haven't starred the repo, my bad.
And I can confirm I checked all the documentation, logs, sections and opened issues.

@Lissy93 Lissy93 reopened this Apr 19, 2022
@Lissy93
Owner

Lissy93 commented Apr 19, 2022

No worries, I've reopened it :)

Do you know what version of Keycloak you're running?

If it's an older version (before v17.0.0), then this will be the same as #564.
Basically Keycloak changed their API endpoint, and I updated the code accordingly in fd2b3d8, but this then dropped support for older versions of Keycloak. I will soon put a fix out (adding an option in appConfig.auth.keycloak for legacy support).


Otherwise, this issue is covered in Troubleshooting Docs --> Keycloak Redirect Error, I've pasted below

Fixing Keycloak Redirect Error

Check the browser's console output, if you've not set any headers, you will likely see a CORS error here, which would be the source of the issue.

You need to allow Dashy to make requests to Keycloak, and Keycloak to redirect to Dashy. The way you do this depends on how you're hosting these applications / which proxy you are using, and examples can be found in the Management Docs.

For example, add the access control header to Keycloak, like:

Access-Control-Allow-Origin [URL-of Dashy]

Note that for requests that transport sensitive info like credentials, setting the accept header to a wildcard (*) is not allowed - see MDN Docs, so you will need to specify the actual URL.

You should also ensure that Keycloak is correctly configured, with a user, realm and application, and be sure that you have set a valid redirect URL in Keycloak (screenshot).

For more details on how to set headers, see the Example Headers in the management docs, or reference the documentation for your proxy.


Similar questions have been raised before, and the users shared their solutions, so see also:

@kafeinnet
Author

I use keycloak 15!

I'll upgrade it to the latest on my dev environment as soon as I can. I have to do it anyway.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 19, 2022
@kafeinnet
Author

I just upgraded keycloak from v15 to v17. This new version breaks most of my other apps because the URI does not start with /auth anymore. So, I guess that's what #564 is about.

But, unfortunately, there is still the same redirect loop.

Here is a screenshot of my browser's console (up to date firefox).

2022-04-19_17-23

The home.something domain is dashy and auth.something is keycloak.

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 19, 2022
@kafeinnet
Author

kafeinnet commented Apr 19, 2022

I double checked the CORS headers, they seem fine.

image

Maybe I am missing something obvious...

BTW, I can see the returned token. So I doubt that's a CORS problem here.

@liss-bot liss-bot added 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending and removed 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending labels Apr 19, 2022
@liss-bot
Collaborator

This issue has gone 6 weeks without an update. To keep the ticket open, please indicate that it is still relevant in a comment below. Otherwise it will be closed in 5 working days.

@liss-bot liss-bot added the ⚰️ Stale [ISSUE] [PR] No activity for over 1 month label May 21, 2022
@PlusaN

PlusaN commented May 25, 2022

@Lissy93 @kafeinnet Hi!

Fixing Keycloak Redirect Error

For example, add the access control header to Keycloak, like:
Access-Control-Allow-Origin [URL-of Dashy]

This is a bad way for Keycloak, don't use this method! If we add such headers, we will get an endless redirect loop.
To solve the problem with CORS headers, you need to fill in the "Web Origins" field in the Keycloak settings:
image

"Web Origins" tooltip: Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.

It's working for me (without adding headers on NGINX server). Keycloak 18.0.0

@liss-bot liss-bot added 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending and removed ⚰️ Stale [ISSUE] [PR] No activity for over 1 month labels May 25, 2022
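
An added example, not part of any comment in this thread and not Dashy or Keycloak code: it resolves a client's "Web Origins" setting as the tooltip quoted above describes, then checks a response's headers against the browser's CORS rules, including the wildcard-with-credentials rule from the troubleshooting text and a header sent twice (for instance once by Keycloak and once by a proxy). The hostnames, the `client` object and both function names are assumptions made for illustration.

```javascript
// Added illustration: not Dashy or Keycloak source. Hostnames are constructed.
// `client` uses the webOrigins / redirectUris field names of a Keycloak client.

// Resolve "Web Origins" as the tooltip describes: '+' means the origins of the
// Valid Redirect URIs, '*' means every origin, anything else is a literal origin.
function allowedOrigins(client) {
  const out = new Set();
  for (const entry of client.webOrigins) {
    if (entry === '*') return new Set(['*']);
    if (entry !== '+') { out.add(entry.replace(/\/$/, '')); continue; }
    for (const uri of client.redirectUris) {
      try {
        out.add(new URL(uri.replace(/\*$/, '')).origin); // drop trailing path wildcard
      } catch { /* relative or wildcard-only redirect URI has no origin */ }
    }
  }
  return out;
}

// Judge one response as a browser's CORS check would. `headers` is a list of
// [name, value] pairs so that a header emitted twice stays visible.
function corsVerdict(headers, pageOrigin, withCredentials) {
  const get = (n) => headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v.trim());
  const acao = get('access-control-allow-origin');
  if (acao.length === 0) return 'blocked: header missing';
  if (acao.length > 1) return 'blocked: header sent more than once';
  if (acao[0] === '*') return withCredentials ? 'blocked: wildcard with credentials' : 'allowed';
  if (acao[0] !== pageOrigin) return 'blocked: origin mismatch';
  if (withCredentials && get('access-control-allow-credentials')[0] !== 'true') {
    return 'blocked: credentials not allowed';
  }
  return 'allowed';
}

// Constructed sample: Dashy at home.example.test, Keycloak client with '+'.
const DASHY = 'https://home.example.test';
const client = { webOrigins: ['+'], redirectUris: [DASHY + '/*'] };
const fromKeycloak = [['Access-Control-Allow-Origin', DASHY],
                      ['Access-Control-Allow-Credentials', 'true']];
const proxyAddsToo = [...fromKeycloak, ['access-control-allow-origin', DASHY]];

console.log([...allowedOrigins(client)]);
console.log(corsVerdict(fromKeycloak, DASHY, true));
console.log(corsVerdict(proxyAddsToo, DASHY, true));
console.log(corsVerdict([['Access-Control-Allow-Origin', '*']], DASHY, true));
```
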
@xcojonny

Worked for me too. Using keycloak 16 and Træfik. Thanks 😊 @PlusaN

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 28, 2022
@liss-bot
Collaborator

This issue has gone 6 weeks without an update. To keep the ticket open, please indicate that it is still relevant in a comment below. Otherwise it will be closed in 5 working days.

@liss-bot liss-bot added the ⚰️ Stale [ISSUE] [PR] No activity for over 1 month label Jun 27, 2022
@liss-bot
Collaborator

liss-bot commented Jul 2, 2022

This issue was automatically closed because it has been stalled for over 6 weeks with no activity.

@liss-bot liss-bot closed this as completed Jul 2, 2022
@liss-bot liss-bot removed the ⚰️ Stale [ISSUE] [PR] No activity for over 1 month label Jul 2, 2022
@Lissy93
Owner

Lissy93 commented Jul 2, 2022

I forgot to say, but this issue was fixed in #663
