Cookie Not Found - HA - GCP Load Balancer

Hi All,

I have the architecture below:

  1. GCP Load Balancer (https://ssolb.xxx.com)
  2. Keycloak Quarkus 17.0 installed in VM without Docker (https://sso1.xxx.com & https://sso2.xxx.com)
  3. Frontend Apps (Next.Js)

Keycloak Conf:

db=postgres
db-username=keycloak
db-password=random
db-url=jdbc:postgresql://10.xxx.x.x/keycloak
https-certificate-file=${kc.home.dir}conf/chain.pem
https-certificate-key-file=${kc.home.dir}conf/key.key
proxy=reencrypt
hostname=sso1.xxx.com
https-protocols=TLSv1.3,TLSv1.2
https-port=443
metrics-enabled=true
cache-config-file=cache-ispn.xml
cache=ispn
log-level=INFO

When I log in with Keycloak, it redirects to https://ssolb-xxx.com/realms/xxxrealms/protocol/openid-connect/auth

And then when I enter credentials or use Gmail, it redirects to https://sso1.xxx.com/realms/xxxrealms/login-actions/authenticate and gives me a "Cookies not found" error.

If I check the browser console, it only gives me a 400 error when I log in:

POST https://sso1.xxx.com/realms/xxxrealms/login-actions/authenticate?session_code=oux54hhs3kWECp4iUN1QREliN6ZLjdJ6Nhb-HwQfIlM&execution=ff6d886b-23b2-44f4-b06b-366e63754be9&client_id=xxxxx&tab_id=w8Tf9OqxhAs 400

I also tried to debug the HTTP headers and so far here are my findings:

Via: 1.1 google
X-Forwarded-For: 180.243.11.xxx, 35.219.xxx.xx
X-Forwarded-Proto: https
Connection: Keep-Alive
host: ssolb.xxx.com

180.xx → my notebook IP
35.xx → LB IP

So basically the GCP Load Balancer adds the LB IP to X-Forwarded-For after the client IP.
I also found that the host header is lowercase.

I also found my endpoints are mixed between https://sso-lb.xxx.com and https://sso1.xxx.com.

{
  "issuer": "https://sso1.xxx.com/realms/master",
  "authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token",
  "introspection_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/logout",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "jwks_uri": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/certs",
  "check_session_iframe": "https://sso1.xxx.com/realms/master/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:openid:params:grant-type:ciba"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "id_token_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "request_object_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "request_object_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "query.jwt",
    "fragment.jwt",
    "form_post.jwt",
    "jwt"
  ],
  "registration_endpoint": "https://ssolb.xxx.com/realms/master/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "authorization_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "claims_supported": [
    "aud",
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email",
    "acr"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": true,
  "scopes_supported": [
    "openid",
    "offline_access",
    "roles",
    "email",
    "profile",
    "address",
    "web-origins",
    "microprofile-jwt",
    "phone"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "device_authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth/device",
  "backchannel_token_delivery_modes_supported": [
    "poll",
    "ping"
  ],
  "backchannel_authentication_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/ciba/auth",
  "backchannel_authentication_request_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "ES256",
    "RS256",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "require_pushed_authorization_requests": false,
  "pushed_authorization_request_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/par/request",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token",
    "revocation_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/revoke",
    "introspection_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token/introspect",
    "device_authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth/device",
    "registration_endpoint": "https://ssolb.xxx.com/realms/master/clients-registrations/openid-connect",
    "userinfo_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/userinfo",
    "pushed_authorization_request_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/par/request",
    "backchannel_authentication_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/ciba/auth"
  }
}

  1. Does Keycloak support the host header in lower case?
  2. Is Keycloak OK with an additional IP address (the LB IP) in X-Forwarded-For? GCP seems to have to append the LB IP to X-Forwarded-For and I couldn't delete it.
  3. Any hint for this "Cookies not found"? Much appreciated, because it has already taken a week of troubleshooting :frowning:
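The two header observations above (the LB appending its own address to X-Forwarded-For, and the lowercase host header) are what any reverse-proxied service has to cope with. The following added example, which is not code from the post or from Keycloak, shows how a server behind a proxy should read those headers: header names are matched case-insensitively, and X-Forwarded-For is walked from the right, skipping the hops that belong to a trusted proxy range, so an appended LB address does not get mistaken for the client and a spoofed leftmost entry is not trusted. The addresses and the trusted proxy range are constructed placeholders, not the poster's real values.

```python
import ipaddress

# Constructed placeholder for the load balancer's source range; in a real deployment
# this comes from the provider's documented proxy ranges, not from guesswork.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample headers, shaped like the ones the poster captured.
SAMPLE_HEADERS = {
    "Via": "1.1 google",
    "X-Forwarded-For": "203.0.113.7, 198.51.100.20",
    "X-Forwarded-Proto": "https",
    "Connection": "Keep-Alive",
    "host": "ssolb.xxx.com",
}


def normalize_headers(headers):
    """HTTP header names are case-insensitive (RFC 9110), so key them by lowercase name."""
    return {name.lower(): value for name, value in headers.items()}


def client_ip_from_xff(xff_header, trusted_proxies):
    """Return the client address from an X-Forwarded-For list.

    Walk the list from the right: every hop that falls inside a trusted proxy
    range was appended by infrastructure we control and is skipped; the first
    hop that is not trusted is the best available client address. Entries to
    the left of it are client-supplied and are never consulted.
    Returns None for an empty or malformed header rather than guessing.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than trust it
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return None  # every hop was one of our own proxies


def request_origin(headers, trusted_proxies=TRUSTED_PROXIES):
    """Resolve (scheme, host, client_ip) for a proxied request from its headers."""
    h = normalize_headers(headers)
    scheme = h.get("x-forwarded-proto", "http").lower()
    host = h.get("host", "").lower()
    client_ip = client_ip_from_xff(h.get("x-forwarded-for", ""), trusted_proxies)
    return scheme, host, client_ip


if __name__ == "__main__":
    print(request_origin(SAMPLE_HEADERS))
```

With the sample headers the result is `("https", "ssolb.xxx.com", "203.0.113.7")`: the LB's own address is skipped, and the lowercase `host` is found because the lookup ignores case. A leftmost entry a client adds itself, such as `"9.9.9.9, 203.0.113.7, 198.51.100.20"`, still resolves to `203.0.113.7`.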

  1. Does Keycloak support the host header in lower case?

Yes, it does

  2. Is Keycloak OK with an additional IP address (the LB IP) in X-Forwarded-For? GCP seems to have to append the LB IP to X-Forwarded-For and I couldn't delete it.

Yes, it does

  3. Any hint for this "Cookies not found"? Much appreciated, because it has already taken a week of troubleshooting :frowning:

The answer is that hostname=sso1.xxx.com should be changed to hostname=ssolb.xxx.com for all machines, so all cookies and page redirections will be set up for ssolb.xxx.com.
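The mixed discovery document the poster pasted is the visible symptom of the misconfiguration the answer points at: when the `hostname` option names a single backend, some endpoints are generated for that backend and others for the public load balancer address, and a browser session cookie set for one host is never sent to the other. The following added example, which is not code from the post or from Keycloak, checks an OpenID Connect discovery document for exactly that inconsistency: it walks every URL in the document (including the nested `mtls_endpoint_aliases`) and reports each one whose host differs from the expected public hostname or that is not served over HTTPS. The sample document is a constructed, abbreviated copy of the one in the post; the `fetch_discovery` helper is the assumed way to run the same check against a live realm.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample: an abbreviated copy of the discovery document from the post,
# keeping the two hostnames the poster observed.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso1.xxx.com/realms/master",
    "authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token",
        "revocation_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/revoke",
    },
})


def collect_urls(doc, prefix=""):
    """Yield (dotted_key, url) for every string value in the document that is a URL."""
    for key, value in doc.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from collect_urls(value, name + ".")
        elif isinstance(value, str) and value.startswith(("http://", "https://")):
            yield name, value


def check_discovery(raw_json, expected_host):
    """Return a list of (key, url, problem) for URLs that do not match the public hostname.

    A clean document returns an empty list. Hostnames are compared case-insensitively,
    since a proxy may forward the Host header in lower case.
    """
    doc = json.loads(raw_json)
    findings = []
    for key, url in collect_urls(doc):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((key, url, "not served over https"))
        if parsed.netloc.lower() != expected_host.lower():
            findings.append((key, url, f"host {parsed.netloc} != expected {expected_host}"))
    return findings


def fetch_discovery(realm_base_url, timeout=10):
    """Assumed helper: download the discovery document for a realm base URL
    such as https://ssolb.xxx.com/realms/master (network access required)."""
    url = realm_base_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for key, url, problem in check_discovery(SAMPLE_DISCOVERY, "ssolb.xxx.com"):
        print(f"{key}: {url} -> {problem}")
```

Run against the sample with the public name `ssolb.xxx.com`, the check flags `issuer`, `authorization_endpoint` and `mtls_endpoint_aliases.revocation_endpoint` as still pointing at `sso1.xxx.com`. After the `hostname` change from the answer is applied on every node, the same check against the live document should return nothing; a non-empty result means at least one node is still advertising itself instead of the load balancer.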