Keycloak integration issue.

[somejfn]

Hi,

Under operator/kiali v1.32 on K8s 1.19. Once the user is send to the Keycloak URL for authentication then back, the redirection sends the user back to the Kiali login page.

The Kiali CR:

apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  namespace: istio-system
  name: kiali
  labels:
    helm.sh/chart: kiali-operator-1.32.0
    app: kiali-operator
    app.kubernetes.io/name: kiali-operator
    app.kubernetes.io/instance: kiali-operator
    version: "v1.32.0"
    app.kubernetes.io/version: "v1.32.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: "kiali-operator"
annotations:
  ansible.sdk.operatorframework.io/verbosity: "1"
spec:
  api:
    namespaces:
      exclude:
      - "istio-operator"
      - "kube.*"
      - "default"
  auth:
    strategy: "openid"
    openid:
      client_id: "kiali-lab"
      issuer_uri: "https://keycloak-001.kd.io/auth/realms/kubernetes"
      insecure_skip_verify_tls: true
      username_claim: "email"
      disable_rbac: true
      scopes: ["openid", "groups", "email"]
  deployment:
    logger:
      log_level: debug
    accessible_namespaces:
    - '**'
    image_version: "v1.32.0"
    ingress_enabled: true
    override_ingress_yaml:
      metadata:
        annotations:
          kubernetes.io/ingress.class: my-nginx-ingress
          nginx.ingress.kubernetes.io/secure-backends: "false"
          nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
          nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
          nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
      spec:
        tls:
        - hosts:
          - kiali.my-nginx-ingress.lab01.kd.io
          secretName: kiali-tls
        rules:
        - host: kiali.a1-nginx-ingress.lab01.kd.io
          http:
            paths:
            - path: /kiali
              backend:
                serviceName: kiali
                servicePort: 20001

I've setup keycloak as shown here but whenever I authenticate successfully, the redirection sends me back to the Kiali login page. In kiali's logs I only get this (raw token truncated):

2021-04-12T15:40:53Z INF Not handling OpenId code flow authentication: State parameter is empty or invalid.
2021-04-12T15:41:45Z DBG Raw token to validate: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJaSnNKTVRrUF84RkhWUTWDW1p5eKV0Ol3SpL4vxS5LSGk9q1Tebbfa...
2021-04-12T15:41:45Z INF Not handling OpenId code flow authentication: No nonce code present. Login window timed out.

The nginx ingress controller logs:

127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:40 +0000] "GET /kiali/api/auth/openid_redirect HTTP/2.0" 302 426 "https://kiali.my-nginx-ingress.lab01.kd.io/kiali/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 687 0.002 [istio-system-kiali-20001] 10.35.3.82:20001 426 0.002 302 32897b2ca410d9a5ddc4625c30fbae8b
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:41 +0000] "GET /kiali?state=7a45ac0af495006180aeef4d43d626f008bb6a031bc22cc3bdc805fa-210412155640&session_state=cd3ccffe-23a3-44a9-adc2-1dde775bba45&code=d844a7e5-c05b-4d39-82d7-4800b9a1455e.cd3ccffe-23a3-44a9-adc2-1dde775bba45.f93182c8-7deb-4565-a1d4-2b4685af2f40 HTTP/2.0" 302 30 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 238 0.068 [istio-system-kiali-20001] 10.35.3.82:20001 30 0.068 302 21d1435bb1889fe6104c5c0d653c9e1c
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:41 +0000] "GET /kiali/ HTTP/2.0" 200 1147 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 25 0.001 [istio-system-kiali-20001] 10.35.3.82:20001 1147 0.001 200 ba3766817b8e5ebf14c36ba30535b330
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:41 +0000] "GET /kiali/env.js HTTP/2.0" 304 0 "https://kiali.my-nginx-ingress.lab01.kd.io/kiali/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 70 0.001 [istio-system-kiali-20001] 10.35.3.82:20001 0 0.000 304 9a1bebe6f8999373c3c3a8d9c55187b6
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:41 +0000] "GET /kiali/static/css/main.09005ded.chunk.css HTTP/2.0" 200 25379 "https://kiali.my-nginx-ingress.lab01.kd.io/kiali/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 48 0.006 [istio-system-kiali-20001] 10.35.3.82:20001 25475 0.006 200 854c435f072b443dc54a45b99d90907f
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:41 +0000] "GET /kiali/static/css/2.7bbf3254.chunk.css HTTP/2.0" 200 78015 "https://kiali.my-nginx-ingress.lab01.kd.io/kiali/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 67 0.022 [istio-system-kiali-20001] 10.35.3.82:20001 78292 0.022 200 8f8300754debb8fb9e1be8bfef5626e7
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:42 +0000] "GET /kiali/static/media/logo-lightbkg.ebc0da8d.svg HTTP/2.0" 200 936 "https://kiali.my-nginx-ingress.lab01.kd.io/kiali/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 108 0.003 [istio-system-kiali-20001] 10.35.3.82:20001 936 0.003 200 a568c99f84949cd48babe38aea329e83
127.0.0.1 - [127.0.0.1] - - [12/Apr/2021:15:56:42 +0000] "GET /kiali/api/auth/info HTTP/2.0" 200 147 "https://kiali.my-nginx-ingress.lab01.kd.io/kiali/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36" 112 0.003 [istio-system-kiali-20001] 10.35.3.82:20001 147 0.003 200 c8122d141acbc43f35b7aeadbe09e144

Looking for help...how to troubleshoot this further

[israel-hdez]

I see there is a log line "DBG Raw token to validate: "
It shouldn't be there. But it help us...

How long is the token show in that log line?

[israel-hdez]

I see you are using disable_rbac: true.
Also, I see you are using scopes: ["openid", "groups", "email"]

Perhaps, drop the "groups" scope? i.e. use scopes: ["openid", "email"].
Since you are using disable_rbac: true, I think you don't need to request the groups. This may solve the issue.

[somejfn]

Ultimately I want to use rbac... I was only disabling it to troubleshoot this issue. Even with the scope reduced in Kiali, the groups are still returned in the token and I have the same issue.

[somejfn]

Removing the groups from the Keycloak client scopes does work. Should I raise an issue to get this worked out ?

[israel-hdez]

@jshaughn Same long token issue that we talked on on Friday. But this is affecting Keycloak...

[israel-hdez]

@somejfn Yes, go ahead and create an issue. Mention your token length.
The problem is that the returned token is quite long. The issue is not specific to Keycloak.

[somejfn]

I just found out the problem is only with users authenticated in keycloak through ldap federation. Im able to login just fine with a user if it's internal to keycloak so I presume the JWT token returned is somehow different in this case. There is a long list of groups in the case of the ldap user (131) but that's about it. Could this be a problem ?

[jshaughn]

Yes, as I understand it. The large number of groups contributes to the token length, and we are having an issue with long tokens.

[somejfn]

Logged #3874

[somejfn]

Confirmed the fix is effective in v1.33.0. Thank you all !