Hi All,
I have the following architecture:
- GCP Load Balancer (https://ssolb.xxx.com)
- Keycloak Quarkus 17.0 installed in VM without Docker (https://sso1.xxx.com & https://sso2.xxx.com)
- Frontend Apps (Next.Js)
Keycloak Conf:
db=postgres
db-username=keycloak
db-password=random
db-url=jdbc:postgresql://10.xxx.x.x/keycloak
https-certificate-file=${kc.home.dir}conf/chain.pem
https-certificate-key-file=${kc.home.dir}conf/key.key
proxy=reencrypt
hostname=sso1.xxx.com
https-protocols=TLSv1.3,TLSv1.2
https-port=443
metrics-enabled=true
cache-config-file=cache-ispn.xml
cache=ispn
log-level=INFO
When I log in with Keycloak, it redirects to https://ssolb-xxx.com/realms/xxxrealms/protocol/openid-connect/auth
Then, when I enter my credentials or use Gmail, it redirects to https://sso1.xxx.com/realms/xxxrealms/login-actions/authenticate and gives me a "Cookies not found" error.
If I check the browser console, it only shows a 400 error when I log in:
POST https://sso1.xxx.com/realms/xxxrealms/login-actions/authenticate?session_code=oux54hhs3kWECp4iUN1QREliN6ZLjdJ6Nhb-HwQfIlM&execution=ff6d886b-23b2-44f4-b06b-366e63754be9&client_id=xxxxx&tab_id=w8Tf9OqxhAs 400
I also tried to debug the HTTP headers, and so far this is what I found:
Via: 1.1 google
X-Forwarded-For: 180.243.11.xxx, 35.219.xxx.xx
X-Forwarded-Proto: https
Connection: Keep-Alive
host: ssolb.xxx.com
180.xx → my notebook IP
35.xx → LB IP
So basically the GCP load balancer appends the LB IP to X-Forwarded-For after the client IP.
I also found that the `host` header name is sent in lowercase.
I also found that the endpoints in my discovery document are mixed between https://sso-lb.xxx.com and https://sso1.xxx.com:
{
"issuer": "https://sso1.xxx.com/realms/master",
"authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth",
"token_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token",
"introspection_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/certs",
"check_session_iframe": "https://sso1.xxx.com/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:openid:params:grant-type:ciba"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"request_object_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt"
],
"registration_endpoint": "https://ssolb.xxx.com/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"introspection_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"authorization_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": true,
"scopes_supported": [
"openid",
"offline_access",
"roles",
"email",
"profile",
"address",
"web-origins",
"microprofile-jwt",
"phone"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": [
"poll",
"ping"
],
"backchannel_authentication_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/ciba/auth",
"backchannel_authentication_request_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512"
],
"require_pushed_authorization_requests": false,
"pushed_authorization_request_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases": {
"token_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token",
"revocation_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/revoke",
"introspection_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/token/introspect",
"device_authorization_endpoint": "https://sso1.xxx.com/realms/master/protocol/openid-connect/auth/device",
"registration_endpoint": "https://ssolb.xxx.com/realms/master/clients-registrations/openid-connect",
"userinfo_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/userinfo",
"pushed_authorization_request_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/par/request",
"backchannel_authentication_endpoint": "https://ssolb.xxx.com/realms/master/protocol/openid-connect/ext/ciba/auth"
}
}
- Does Keycloak support the `host` header in lowercase?
- Is Keycloak OK with an additional IP address (the LB IP) in X-Forwarded-For? GCP seems to have to append the LB IP to X-Forwarded-For, and I couldn't remove it.
- Any hint for this "Cookies not found" error? Very much appreciated, because it has already taken a week of troubleshooting.