Authentication with ADFS using saml ends up in too many redirects (expired_code)

Hi
We are running Keycloak 15.0.2 in a docker container and apache as a reverse proxy in front of it. An external identity provider that uses the saml protocol is configured. The IDP is an ADFS (Active Directory Federation Services).
This configuration was running fine for about 1 month, but now the authentication via the external provider has suddenly stopped working. The error in the browser is “too many redirects”. Looking in the Keycloak log we can see one call to

"/auth/realms/avelon/broker/saml/endpoint"

followed by many calls to

"/auth/realms/avelon/login-actions/authenticate?client_id=avelon-web-front-end&tab_id=H3SYCFRl11s"

(where tab_id is changed after every request)

The error in the log is always error=expired_code

Looking into the Keycloak code, it seems that this “expired_code” is set in SessionCodeChecks.restartAuthenticationSessionFromCookie.

Any help on what could possibly have happened to make it stop working after about one month, and what could be done to fix it, is highly appreciated. Thank you very much.

Please tell me what additional information is required from my side.

Regards
Flurin

Enabling trace logging reveals the following log:

15:53:22,286 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-89) Will use client ‘avelon-web-front-end’ in back-to-application link
15:53:22,286 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by name cache hit: avelon-web-front-end
15:53:22,286 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by id cache hit: avelon-web-front-end
15:53:22,287 DEBUG [org.keycloak.services.util.CookieHelper] (default task-89) Could not find any cookies with name {0}, trying {1}
15:53:22,287 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Not found AUTH_SESSION_ID cookie
15:53:22,287 DEBUG [org.keycloak.services.util.CookieHelper] (default task-89) Could not find any cookies with name {0}, trying {1}
15:53:22,287 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Not found AUTH_SESSION_ID cookie
15:53:22,289 DEBUG [org.keycloak.services.util.CookieHelper] (default task-89) Could not find any cookies with name {0}, trying {1}
15:53:22,289 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Not found AUTH_SESSION_ID cookie
15:53:22,289 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-89) Authentication session not found. Trying to restart from cookie.
15:53:22,290 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-89) Found key: realm=avelon kid=1855d501-2d04-49bf-b084-1b8fe42825b9 algorithm=HS256 use=SIG
15:53:22,293 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by name cache hit: avelon-web-front-end
15:53:22,293 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by id cache hit: avelon-web-front-end
15:53:22,294 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: ADD_WITH_LIFESPAN on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,294 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Set AUTH_SESSION_ID cookie with value 5dda0298-9326-41d0-8eb7-1144f65f5b93.d00b873c23bd
15:53:22,295 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,295 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,295 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,295 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,295 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,296 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,296 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,297 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,298 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,298 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,298 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,299 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,299 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,299 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on 5dda0298-9326-41d0-8eb7-1144f65f5b93
15:53:22,300 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-89) Authentication session restart from cookie succeeded. Redirecting to https://zkbtest.avelon.cloud/auth/realms/avelon/login-actions/authenticate?client_id=avelon-web-front-end&tab_id=H3SYCFRl11s
15:53:22,301 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-89) JtaTransactionWrapper commit
15:53:22,301 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-89) JtaTransactionWrapper end
15:53:22,302 TRACE [org.keycloak.events] (default task-89) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=avelon, clientId=null, userId=null, ipAddress=62.240.192.35, error=expired_code, restart_after_timeout=true,
authSessionParentId=5dda0298-9326-41d0-8eb7-1144f65f5b93, authSessionTabId=H3SYCFRl11s, requestUri=https://zkbtest.avelon.cloud/auth/realms/avelon/broker/zkbadfs/endpoint, stackTrace=
org.keycloak.keycloak-services@15.0.2//org.keycloak.events.log.JBossLoggingEventListenerProvider.logEvent(JBossLoggingEventListenerProvider.java:114)
org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.events.EventListenerTransaction.commitImpl(EventListenerTransaction.java:62)
org.keycloak.keycloak-server-spi@15.0.2//org.keycloak.models.AbstractKeycloakTransaction.commit(AbstractKeycloakTransaction.java:48)
org.keycloak.keycloak-services@15.0.2//org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:146)
org.keycloak.keycloak-services@15.0.2//org.keycloak.services.filters.AbstractRequestFilter.close(AbstractRequestFilter.java:64)
org.keycloak.keycloak-services@15.0.2//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:49)
org.keycloak.keycloak-wildfly-extensions@15.0.2//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
io.undertow.servlet@2.2.5.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

15:53:22,788 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-89) new JtaTransactionWrapper
15:53:22,788 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-89) was existing? false
15:53:22,789 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) realm by name cache hit: avelon
15:53:22,789 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) by id cache hit: avelon
15:53:22,790 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-89) Will use client ‘avelon-web-front-end’ in back-to-application link
15:53:22,790 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by name cache hit: avelon-web-front-end
15:53:22,790 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by id cache hit: avelon-web-front-end
15:53:22,791 DEBUG [org.keycloak.services.util.CookieHelper] (default task-89) Could not find any cookies with name {0}, trying {1}
15:53:22,791 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Not found AUTH_SESSION_ID cookie
15:53:22,791 DEBUG [org.keycloak.services.util.CookieHelper] (default task-89) Could not find any cookies with name {0}, trying {1}
15:53:22,791 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Not found AUTH_SESSION_ID cookie
15:53:22,792 DEBUG [org.keycloak.services.util.CookieHelper] (default task-89) Could not find any cookies with name {0}, trying {1}
15:53:22,792 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Not found AUTH_SESSION_ID cookie
15:53:22,792 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-89) Authentication session not found. Trying to restart from cookie.
15:53:22,792 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-89) Found key: realm=avelon kid=1855d501-2d04-49bf-b084-1b8fe42825b9 algorithm=HS256 use=SIG
15:53:22,793 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by name cache hit: avelon-web-front-end
15:53:22,793 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-89) client by id cache hit: avelon-web-front-end
15:53:22,793 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: ADD_WITH_LIFESPAN on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,793 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-89) Set AUTH_SESSION_ID cookie with value f32b99e3-774f-48b5-9a61-eef2d519b0a9.d00b873c23bd
15:53:22,793 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,793 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,794 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,795 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-89) Adding cache operation: REPLACE on f32b99e3-774f-48b5-9a61-eef2d519b0a9
15:53:22,795 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-89) Authentication session restart from cookie succeeded. Redirecting to https://zkbtest.avelon.cloud/auth/realms/avelon/login-actions/authenticate?client_id=avelon-web-front-end&tab_id=_v7gZhtqLA4
15:53:22,795 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-89) JtaTransactionWrapper commit
15:53:22,795 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-89) JtaTransactionWrapper end
15:53:22,796 TRACE [org.keycloak.events] (default task-89) type=LOGIN_ERROR, realmId=avelon, clientId=null, userId=null, ipAddress=62.240.192.35, error=expired_code, restart_after_timeout=true, authSessionParentId=f32b99e3-774f-48b5-9a61-eef2d519b0a9, authSessionTabId=_v7gZhtqLA4, requestUri=https://zkbtest.avelon.cloud/auth/realms/avelon/login-actions/authenticate?client_id=avelon-web-front-end&tab_id=H3SYCFRl11s, stackTrace=
org.keycloak.keycloak-services@15.0.2//org.keycloak.events.log.JBossLoggingEventListenerProvider.logEvent(JBossLoggingEventListenerProvider.java:114)
org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.events.EventListenerTransaction.commitImpl(EventListenerTransaction.java:62)
org.keycloak.keycloak-server-spi@15.0.2//org.keycloak.models.AbstractKeycloakTransaction.commit(AbstractKeycloakTransaction.java:48)
org.keycloak.keycloak-services@15.0.2//org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:146)
org.keycloak.keycloak-services@15.0.2//org.keycloak.services.filters.AbstractRequestFilter.close(AbstractRequestFilter.java:64)
org.keycloak.keycloak-services@15.0.2//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:49)
org.keycloak.keycloak-wildfly-extensions@15.0.2//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
io.undertow.servlet@2.2.5.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

Just in case someone stumbles upon this question: the issue was that we used sameSite=Strict for all cookies, but apparently that no longer works after the recent browser update (January 2022), so we changed it to sameSite=None and now it works again.
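As an added illustration of why the sameSite=Strict setting produces exactly the log above (this is example code written for this thread, not Keycloak's or the poster's code): the SAML Response from ADFS reaches the Keycloak broker endpoint as a top-level cross-site POST, and the model below applies the browser's SameSite rules to that request and to the redirects Keycloak issues afterwards. The site name avelon.cloud comes from the post; the ADFS site name, the 20-redirect cap and the assumption that the browser treats the follow-up 302s as part of the same cross-site navigation are mine.

```python
# Added example (not Keycloak's code): a small model of the browser's SameSite
# rules applied to the SAML broker round trip described in the thread.
# Hostnames: avelon.cloud is from the post; the ADFS site is a placeholder.
from dataclasses import dataclass

KEYCLOAK_SITE = "avelon.cloud"      # site of https://zkbtest.avelon.cloud (from the post)
ADFS_SITE = "adfs.example"          # placeholder: the real ADFS host is not in the post
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str   # "Strict", "Lax" or "None"
    secure: bool


@dataclass(frozen=True)
class Request:
    initiator_site: str  # site of the page that started the navigation
    target_site: str
    method: str
    top_level: bool      # top-level navigation, not a subresource fetch
    https: bool


def browser_accepts(cookie: Cookie) -> bool:
    """Current browsers discard a SameSite=None cookie unless it is also Secure."""
    return not (cookie.same_site == "None" and not cookie.secure)


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Would the browser attach this cookie to this request?"""
    if cookie.secure and not req.https:
        return False
    if req.initiator_site == req.target_site:
        return True                       # same-site: every policy sends it
    if cookie.same_site == "Strict":
        return False                      # never on a cross-site request
    if cookie.same_site == "Lax":
        return req.top_level and req.method in SAFE_METHODS
    return True                           # None: sent cross-site as well


def simulate_callback(policy: str, max_redirects: int = 20) -> dict:
    """Replay the return leg of the login: ADFS posts the SAMLResponse to the
    Keycloak broker endpoint, and Keycloak answers with redirects until it sees
    its AUTH_SESSION_ID cookie."""
    cookie = Cookie("AUTH_SESSION_ID", policy, secure=True)
    if not browser_accepts(cookie):
        return {"post_had_cookie": False, "result": "cookie rejected", "hops": 0}

    # The SAMLResponse arrives through an auto-submitted form: a top-level,
    # cross-site POST. Modelling assumption: the browser keeps treating the
    # 302s that follow as part of that cross-site navigation.
    req = Request(ADFS_SITE, KEYCLOAK_SITE, "POST", top_level=True, https=True)
    post_had_cookie = cookie_sent(cookie, req)

    hops = 0
    while hops < max_redirects:
        if cookie_sent(cookie, req):
            return {"post_had_cookie": post_had_cookie,
                    "result": "auth session found", "hops": hops}
        # Keycloak: "Authentication session not found. Trying to restart from
        # cookie." -> sets a fresh AUTH_SESSION_ID, logs expired_code and 302s
        # to login-actions/authenticate with a new tab_id.
        hops += 1
        req = Request(ADFS_SITE, KEYCLOAK_SITE, "GET", top_level=True, https=True)
    return {"post_had_cookie": post_had_cookie,
            "result": "too many redirects", "hops": hops}


if __name__ == "__main__":
    for policy in ("Strict", "Lax", "None"):
        print(policy, simulate_callback(policy))
```

Running it shows the three outcomes side by side: with Strict the cookie is withheld on the POST and on every redirect that follows, so the server keeps minting a new AUTH_SESSION_ID and tab_id until the browser gives up (the "too many redirects" error); with Lax the redirect GET does carry the cookie, but the POST that actually holds the SAMLResponse still does not, so the login cannot complete on that request; only None lets the cross-site POST carry the session cookie. Two practical points follow from the model: a SameSite=None cookie that is not also marked Secure is dropped by the browser at Set-Cookie time, so a reverse-proxy rule that rewrites the attribute must add both; and None deliberately allows cross-site requests to carry the cookie again, so the protection against forged callbacks rests on Keycloak's validation of the signed SAML Response, not on the cookie policy.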