KC_RESTART cookie doesn't exist (Keycloak on JDK behind Apache Proxy)

Hi,

I’m testing Keycloak as an IdP for MS365 (Azure AD).
The Azure AD login form > Keycloak login form step works correctly.
But when I enter my ID/PW in the Keycloak form, it throws the cookie-not-found error.

[Keycloak Log]
2022-07-11 14:10:50,676 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-5) [id: 0x196e3ef2, L:/#KEYCLOAK_IP:443 - R:/#CLIENT_IP:61203] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2022-07-11 14:10:50,687 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-54) new JtaTransactionWrapper
2022-07-11 14:10:50,687 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-54) was existing? false
2022-07-11 14:10:50,688 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-54) Recalculated absoluteURI to https://#KEYCLOAK_DOMAIN/realms/#KEYCLOAK_REALM/login-actions/authenticate?session_code=d2Co2Y1V3T2oD7JcHLhpnnSY8eqwpPmE3lGV_6DpozU&execution=c15613fd-7070-448f-b8c5-f7adc75b6d4a&client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=HboSgW1CvmM
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-54) Will use client ‘urn:federation:MicrosoftOnline’ in back-to-application link
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-54) Could not find any cookies with name {0}, trying {1}
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-54) Not found AUTH_SESSION_ID cookie
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-54) Could not find any cookies with name {0}, trying {1}
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-54) Not found AUTH_SESSION_ID cookie
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-54) Could not find any cookies with name {0}, trying {1}
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-54) Not found AUTH_SESSION_ID cookie
2022-07-11 14:10:50,688 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-54) Authentication session not found. Trying to restart from cookie.
2022-07-11 14:10:50,688 DEBUG [org.keycloak.protocol.RestartLoginCookie] (executor-thread-54) KC_RESTART cookie doesn’t exist
2022-07-11 14:10:50,689 DEBUG [freemarker.cache] (executor-thread-54) Couldn’t find template in cache for “template.ftl”(“en_US”, UTF-8, parsed); will try to load it.
2022-07-11 14:10:50,689 DEBUG [freemarker.cache] (executor-thread-54) TemplateLoader.findTemplateSource(“template_en_US.ftl”): Not found
2022-07-11 14:10:50,689 DEBUG [freemarker.cache] (executor-thread-54) TemplateLoader.findTemplateSource(“template_en.ftl”): Not found
2022-07-11 14:10:50,689 DEBUG [freemarker.cache] (executor-thread-54) TemplateLoader.findTemplateSource(“template.ftl”): Found
2022-07-11 14:10:50,689 DEBUG [freemarker.cache] (executor-thread-54) Loading template for “template.ftl”(“en_US”, UTF-8, parsed) from “jar:file:#PATH/lib/lib/main/org.keycloak.keycloak-themes-18.0.1.jar!/theme/base/login/template.ftl”
2022-07-11 14:10:50,693 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-54) JtaTransactionWrapper commit
2022-07-11 14:10:50,693 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-54) JtaTransactionWrapper end
2022-07-11 14:10:50,693 WARN [org.keycloak.events] (executor-thread-54) type=LOGIN_ERROR, realmId=#KEYCLOAK_REALM, clientId=null, userId=null, ipAddress=#CLIENT_IP, error=cookie_not_found

Below are the settings.
What should I change or add from here?


# Keycloak Server (18.0.1, JDK) #

[Client Setting]
Client ID : urn:federation:MicrosoftOnline
Enabled : ON
Login Theme : keycloak
Client Protocol : saml
Sign Documents : ON
Sign Assertions : ON
Signature Algorithm : RSA_SHA1
SAML Signature Key Name : KEY_ID
Canonicalization Method : EXCLUSIVE
Force POST Binding : ON
Front Channel Logout : ON
Name ID Format : email
Valid Redirect URIs : https://login.microsoftonline.com/login.srf
Assertion Consumer Service POST Binding URL : https://login.microsoftonline.com/login.srf
Logout Service POST Binding URL : https://login.microsoftonline.com/login.srf
Browser Flow : Flow only w/ username-password-form
Other Settings : NULL / OFF

I also set NameID (ImmutableID) and IDPEmail (userPrincipalName) mappers for both the client and the user federation.

[keycloak.conf]
https-certificate-file=…cert.pem
https-certificate-key-file=…key.pem
proxy=passthrough
proxy_address_forwarding=true
hostname=#KEYCLOAK_DOMAIN
http-port=80
https-port=443
https-protocols=TLSv1.3,TLSv1.2
http-enabled=true
hostname-strict=false
hostname-strict-https=false


# Proxy Server (Apache) #

[modjk.conf]
<VirtualHost #PROXY_IP:443>
DocumentRoot "…"
ServerName #PROXY_DOMAIN
<Directory "…">
<Limit OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST>
Order deny,allow
Deny from all
</LimitExcept>
Header set Access-Control-Allow-Origin "*"
AllowOverride None
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile "…cert.pem"
SSLCertificateKeyFile "…key.pem"
SSLCertificateChainFile "…Bundle.crt"
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# Includes -Host, -Server, -For (Apache does not allow a comment on the same line as a directive)
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ProxyPass /realms https://#KEYCLOAK_DOMAIN/realms
ProxyPassReverse /realms https://#KEYCLOAK_DOMAIN/realms
ProxyPass /abc https://#TEST_DOMAIN/abc
ProxyPassReverse /abc https://#TEST_DOMAIN/abc
</VirtualHost>


# TEST Server #
I tried the following to check whether I can read X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host correctly.
(Using a reverse proxy; Keycloak says I need to set these headers for a reverse proxy.)
It seems to be working fine, so I think I should change the client setting…
Or do I need to add more to the headers?

[JAVA TEST]
// Servlet test: each comment shows the value observed behind the Apache proxy
String ip = request.getHeader("X-Forwarded-For");
// X-Forwarded-For : #CLIENT_IP
ip = request.getHeader("Proxy-Client-IP");
// Proxy-Client-IP : null
ip = request.getHeader("WL-Proxy-Client-IP");
// WL-Proxy-Client-IP : null
ip = request.getHeader("HTTP_CLIENT_IP");
// HTTP_CLIENT_IP : null
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
// HTTP_X_FORWARDED_FOR : null
ip = request.getRemoteAddr();
// getRemoteAddr() : #PROXY_IP (the TCP peer is the proxy, not the client)
String proto = request.getHeader("x-forwarded-proto");
// proto : https
String host = request.getHeader("x-forwarded-host");
// host : #PROXY_DOMAIN
String server = request.getHeader("x-forwarded-server");
// server : #PROXY_DOMAIN
String port = request.getHeader("x-forwarded-port");
// port : 443

I changed the proxy server setting like below, but still not working.
Should I uncomment the ssl part?

[Apache Proxy]
# Other Proxy
<Location /abc>
ProxyPass https://OTHER.com/abc/
ProxyPassReverse https://OTHER.com/abc/
</Location>
# SSO Proxy
<Location /realms>
# Includes -Host, -Server, -For
ProxyPreserveHost On
#RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"
ProxyPass https://KEYCLOAK.com/realms
ProxyPassReverse https://KEYCLOAK.com/realms
</Location>
<Location /resources>
# Includes -Host, -Server, -For
ProxyPreserveHost On
#RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"
ProxyPass https://KEYCLOAK.com/resources
ProxyPassReverse https://KEYCLOAK.com/resources
</Location>


Reading the log, I found out that the first request uses #PROXY_DOMAIN,
but then #KEYCLOAK_DOMAIN is used after the username-password-form.
Would this be what is causing the problem?
How can I make it keep using #PROXY_DOMAIN?

[Keycloak Log] Azure Ad > Keycloak
2022-07-12 10:01:52,412 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-1) [id: 0xebaf0c22, L:/#KEYCLOAK_IP:443 - R:/#PROXY_IP:53064] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
2022-07-12 10:01:52,413 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) new JtaTransactionWrapper
2022-07-12 10:01:52,413 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) was existing? false
2022-07-12 10:01:52,414 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-0) Recalculated absoluteURI to https://#PROXY_DOMAIN/realms/#KEYCLOAK_REALM/protocol/saml
2022-07-12 10:01:52,415 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-0) SAML POST
2022-07-12 10:01:52,415 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-0) SAML POST Binding
2022-07-12 10:01:52,415 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-0) <samlp:AuthnRequest ID=“_7860aeee-64da-4fba-9e4c-2f9e3fa9faf9” Version=“2.0” IssueInstant=“2022-07-12T01:01:52.140Z” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”>urn:federation:MicrosoftOnline<samlp:NameIDPolicy Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:persistent”/></samlp:AuthnRequest>
2022-07-12 10:01:52,416 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-0) ** login request
2022-07-12 10:01:52,416 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-0) verified request
2022-07-12 10:01:52,416 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-0) Could not find any cookies with name {0}, trying {1}
2022-07-12 10:01:52,416 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Not found AUTH_SESSION_ID cookie
2022-07-12 10:01:52,416 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-0) Could not find any cookies with name {0}, trying {1}
2022-07-12 10:01:52,416 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Not found AUTH_SESSION_ID cookie
2022-07-12 10:01:52,416 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Set AUTH_SESSION_ID cookie with value 4da155db-bf9b-432b-9d45-bd9a545dfcbd.aessowwd01-43592
2022-07-12 10:01:52,417 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (executor-thread-0) Sent request to authz endpoint. Created new root authentication session with ID ‘4da155db-bf9b-432b-9d45-bd9a545dfcbd’ . Client: urn:federation:MicrosoftOnline . New authentication session tab ID: bSwwpu8R6qQ
2022-07-12 10:01:52,417 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-0) Redirecting to URL: https://#KEYCLOAK_DOMAIN/realms/#KEYCLOAK_REALM/login-actions/authenticate?client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=bSwwpu8R6qQ
2022-07-12 10:01:52,417 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper commit
2022-07-12 10:01:52,417 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper end
2022-07-12 10:01:52,480 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) new JtaTransactionWrapper
2022-07-12 10:01:52,480 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) was existing? false
2022-07-12 10:01:52,481 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-0) Recalculated absoluteURI to https://#PROXY_DOMAIN/realms/#KEYCLOAK_REALM/login-actions/authenticate?client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=bSwwpu8R6qQ
2022-07-12 10:01:52,482 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-0) Will use client ‘urn:federation:MicrosoftOnline’ in back-to-application link
2022-07-12 10:01:52,482 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-0) AUTH_SESSION_ID cookie found in the request header
2022-07-12 10:01:52,482 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-0) AUTH_SESSION_ID cookie found in the cookie field
2022-07-12 10:01:52,482 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Found AUTH_SESSION_ID cookie with value 4da155db-bf9b-432b-9d45-bd9a545dfcbd.aessowwd01-43592
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-0) AUTHENTICATE
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-0) AUTHENTICATE ONLY
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) processFlow: Client1 Form - Pass MFA
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) check execution: ‘Client1 Form - Pass MFA Client1 Form 1st Auth flow’, requirement: ‘REQUIRED’
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) processFlow: Client1 Form - Pass MFA Client1 Form 1st Auth
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) check execution: ‘auth-username-password-form’, requirement: ‘REQUIRED’
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) authenticator: auth-username-password-form
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-0) Going through the flow ‘Client1 Form - Pass MFA’ for adding executions
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-0) Going through the flow ‘Client1 Form - Pass MFA Client1 Form 1st Auth’ for adding executions
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-0) Selections when trying execution ‘auth-username-password-form’ : [ authSelection - auth-username-password-form]
2022-07-12 10:01:52,482 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) invoke authenticator.authenticate: auth-username-password-form
2022-07-12 10:01:52,482 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) new JtaTransactionWrapper
2022-07-12 10:01:52,482 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) was existing? true
2022-07-12 10:01:52,483 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper commit
2022-07-12 10:01:52,483 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper end
2022-07-12 10:01:52,483 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper resuming suspended
2022-07-12 10:01:52,483 DEBUG [freemarker.cache] (executor-thread-0) Couldn’t find template in cache for “template.ftl”(“en_US”, UTF-8, parsed); will try to load it.
2022-07-12 10:01:52,484 DEBUG [freemarker.cache] (executor-thread-0) TemplateLoader.findTemplateSource(“template_en_US.ftl”): Not found
2022-07-12 10:01:52,484 DEBUG [freemarker.cache] (executor-thread-0) TemplateLoader.findTemplateSource(“template_en.ftl”): Not found
2022-07-12 10:01:52,484 DEBUG [freemarker.cache] (executor-thread-0) TemplateLoader.findTemplateSource(“template.ftl”): Found
2022-07-12 10:01:52,484 DEBUG [freemarker.cache] (executor-thread-0) Loading template for “template.ftl”(“en_US”, UTF-8, parsed) from “jar:file:#PATH/keycloak-18.0.1/lib/lib/main/org.keycloak.keycloak-themes-18.0.1.jar!/theme/base/login/template.ftl”
2022-07-12 10:01:52,491 DEBUG [freemarker.beans] (executor-thread-0) Key “selectedCredential” was not found on instance of org.keycloak.forms.login.freemarker.model.AuthenticationContextBean. Introspection information for the class is: {getClass=public final native java.lang.Class java.lang.Object.getClass(), getAuthenticationSelections=public java.util.List org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.getAuthenticationSelections(), showResetCredentials=public boolean org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.showResetCredentials(), authenticationSelections=freemarker.ext.beans.FastPropertyDescriptor@6692a223, java.lang.Object@2c5a9c68={public java.lang.String java.lang.Object.toString()=[Ljava.lang.Class;@49eb74, public java.lang.String org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.getAttemptedUsername()=[Ljava.lang.Class;@69a749cb, public boolean org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.showTryAnotherWayLink()=[Ljava.lang.Class;@709dd98d, public boolean org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.showResetCredentials()=[Ljava.lang.Class;@36dfe07, public java.util.List org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.getAuthenticationSelections()=[Ljava.lang.Class;@4cb0b755, public final native java.lang.Class java.lang.Object.getClass()=[Ljava.lang.Class;@1f8a4619, public native int java.lang.Object.hashCode()=[Ljava.lang.Class;@1c5b5d4, public boolean org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.showUsername()=[Ljava.lang.Class;@6db4fe2d, public boolean java.lang.Object.equals(java.lang.Object)=[Ljava.lang.Class;@2477e6d1}, showUsername=public boolean org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.showUsername(), hashCode=public native int java.lang.Object.hashCode(), equals=public boolean java.lang.Object.equals(java.lang.Object), toString=public java.lang.String java.lang.Object.toString(), showTryAnotherWayLink=public boolean org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.showTryAnotherWayLink(), attemptedUsername=freemarker.ext.beans.FastPropertyDescriptor@6900c6c8, class=freemarker.ext.beans.FastPropertyDescriptor@45c7b529, getAttemptedUsername=public java.lang.String org.keycloak.forms.login.freemarker.model.AuthenticationContextBean.getAttemptedUsername(), java.lang.Object@70787a27=freemarker.ext.beans.SimpleMethod@f487e2a}
2022-07-12 10:01:52,491 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper commit
2022-07-12 10:01:52,491 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper end
2022-07-12 10:01:52,539 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-3) [id: 0x55a478f6, L:/#KEYCLOAK_IP:443 - R:/#PROXY_IP:53066] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
2022-07-12 10:01:52,540 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) new JtaTransactionWrapper
2022-07-12 10:01:52,540 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) was existing? false
2022-07-12 10:01:52,540 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-0) Recalculated absoluteURI to https://#PROXY_DOMAIN/resources/gqsk6/common/keycloak/web_modules/@patternfly/react-core/dist/styles/base.css
2022-07-12 10:01:52,541 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper commit
2022-07-12 10:01:52,541 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper end
…(ALL /resources stuff)

[Keycloak Log] After 1st Auth(username-password-form)
2022-07-12 10:02:11,147 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-5) [id: 0x893c20f6, L:/#KEYCLOAK_IP:443 - R:/#CLIENT_IP:50536] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2022-07-12 10:02:11,160 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) new JtaTransactionWrapper
2022-07-12 10:02:11,160 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) was existing? false
2022-07-12 10:02:11,160 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-5) Recalculated absoluteURI to https://#KEYCLOAK_DOMAIN/realms/#KEYCLOAK_REALM/login-actions/authenticate?session_code=nLX8PxN_oib96Fd0bU8DrW4ZGoTQaWleWG1H3-Uic38&execution=c15613fd-7070-448f-b8c5-f7adc75b6d4a&client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=bSwwpu8R6qQ
2022-07-12 10:02:11,161 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-5) Will use client ‘urn:federation:MicrosoftOnline’ in back-to-application link
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-5) Could not find any cookies with name {0}, trying {1}
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-5) Not found AUTH_SESSION_ID cookie
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-5) Could not find any cookies with name {0}, trying {1}
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-5) Not found AUTH_SESSION_ID cookie
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-5) Could not find any cookies with name {0}, trying {1}
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-5) Not found AUTH_SESSION_ID cookie
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-5) Authentication session not found. Trying to restart from cookie.
2022-07-12 10:02:11,162 DEBUG [org.keycloak.protocol.RestartLoginCookie] (executor-thread-5) KC_RESTART cookie doesn’t exist
2022-07-12 10:02:11,163 DEBUG [freemarker.cache] (executor-thread-5) Couldn’t find template in cache for “template.ftl”(“en_US”, UTF-8, parsed); will try to load it.
2022-07-12 10:02:11,163 DEBUG [freemarker.cache] (executor-thread-5) TemplateLoader.findTemplateSource(“template_en_US.ftl”): Not found
2022-07-12 10:02:11,163 DEBUG [freemarker.cache] (executor-thread-5) TemplateLoader.findTemplateSource(“template_en.ftl”): Not found
2022-07-12 10:02:11,163 DEBUG [freemarker.cache] (executor-thread-5) TemplateLoader.findTemplateSource(“template.ftl”): Found
2022-07-12 10:02:11,163 DEBUG [freemarker.cache] (executor-thread-5) Loading template for “template.ftl”(“en_US”, UTF-8, parsed) from “jar:file:#PATH/keycloak-18.0.1/lib/lib/main/org.keycloak.keycloak-themes-18.0.1.jar!/theme/base/login/template.ftl”
2022-07-12 10:02:11,168 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) JtaTransactionWrapper commit
2022-07-12 10:02:11,168 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) JtaTransactionWrapper end
2022-07-12 10:02:11,168 WARN [org.keycloak.events] (executor-thread-5) type=LOGIN_ERROR, realmId=#KEYCLOAK_REALM, clientId=null, userId=null, ipAddress=#CLIENT_IP, error=cookie_not_found
2022-07-12 10:02:11,197 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) new JtaTransactionWrapper
2022-07-12 10:02:11,197 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) was existing? false
2022-07-12 10:02:11,197 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-5) Recalculated absoluteURI to https://#KEYCLOAK_DOMAIN/resources/gqsk6/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.min.css
2022-07-12 10:02:11,198 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) JtaTransactionWrapper commit
2022-07-12 10:02:11,198 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-5) JtaTransactionWrapper end
2022-07-12 10:02:11,197 DEBUG [io.quarkus.resteasy] (vert.x-eventloop-thread-5) IO Exception : io.vertx.core.http.StreamResetException: Stream reset: 8
2022-07-12 10:02:11,199 DEBUG [io.quarkus.resteasy] (vert.x-eventloop-thread-5) IO Exception : io.vertx.core.VertxException: Connection was closed

I added below in the proxy

<Location /MS>
# Includes -Host, -Server, -For
ProxyPreserveHost On
#RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"
ProxyPass https://login.microsoftonline.com/login.srf
ProxyPassReverse https://login.microsoftonline.com/login.srf
</Location>

And I changed Valid Redirect URIs, Assertion Consumer Service POST Binding URL, and Logout Service POST Binding URL (everywhere it had the MS URL) to https://PROXY.com/MS

But it still seems to be connecting directly to the client (+redirection to KEYCLOAK_DOMAIN instead of PROXY_DOMAIN)

[Keycloak Log] After username-password-form
2022-07-12 12:47:15,943 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-7) [id: 0x5341fcab, L:/#KEYCLOAK_IP:443 - R:/#CLIENT_IP:53767] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2022-07-12 12:47:15,955 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-14) new JtaTransactionWrapper
2022-07-12 12:47:15,955 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-14) was existing? false
2022-07-12 12:47:15,955 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-14) Recalculated absoluteURI to https://#KEYCLOAK_DOMAIN/realms/#KEYCLOAK_REALM/login-actions/authenticate?session_code=rjbRZjigEeBXobvJQlFo3qsxwsadDHzzCtSBzj889ic&execution=c15613fd-7070-448f-b8c5-f7adc75b6d4a&client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=8u6JNZhTxh0

How exactly does username-password-form work?
Can I modify it not to check for the cookie? (Does it check for the cookie in the code?)
Or can I set the “Recalculated absoluteURI” to use #PROXY_DOMAIN instead of #KEYCLOAK_DOMAIN?
I know how to customize the CSS of the ftl page, but I’m not sure how to change the code behind it.

I even tried stickysession=AUTH_SESSION_ID for the apache proxy, but it’s still not working.
Setting ProxyPassReverseCookie(Path and Domain) also did not work.

  1. #PROXY_DOMAIN is used for showing the username-password-form (1st execution)
  2. #KEYCLOAK_DOMAIN is used after the 1st execution
    • keeps looking for the AUTH_SESSION_ID cookie
    • Whether it finds or cannot find the cookie, it throws the “KC_RESTART cookie doesn’t exist” error.

What else can I try?
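Editor's note, added after the post and not part of it: the quoted logs already contain the pattern worth checking for, and the script below is an added diagnostic (not Keycloak code and not the poster's) that extracts it from a DEBUG log. In the post's own log, the SAML POST and the GET of the login form arrive from #PROXY_IP and Keycloak computes their absoluteURI on #PROXY_DOMAIN, yet the redirect it generates (the "Redirecting to URL" line) points at #KEYCLOAK_DOMAIN, and the credential POST then arrives straight from #CLIENT_IP with absoluteURI on #KEYCLOAK_DOMAIN. Browser cookies are scoped to the host that set them, so AUTH_SESSION_ID and KC_RESTART, which were set while the browser was talking to #PROXY_DOMAIN, are never sent to #KEYCLOAK_DOMAIN; that is exactly the cookie_not_found the log ends with. Note also that ProxyPassReverse rewrites Location headers (which is why the GET after the redirect still came through the proxy) but does not rewrite the action URL inside the HTML form. The script correlates each request with its TLS peer, host, tab_id, cookie outcome and redirect target, and reports every host switch or direct (non-proxy) connection. The sample log, host names and IP addresses embedded in it are constructed placeholders modelled on the post; run it on a real log with `python kc_cookie_trace.py keycloak.log <proxy ip[,ip...]>` (file name assumed).

```python
import re
import sys
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Each "Recalculated absoluteURI" line opens a request; later lines on the same
# executor thread belong to it until that thread logs the next absoluteURI.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$')
HANDSHAKE_RE = re.compile(r'R:/(?P<ip>[0-9.]+):\d+\] HANDSHAKEN')  # IPv4 peer of the TLS handshake
ABSURI_RE = re.compile(r'Recalculated absoluteURI to (?P<url>\S+)')
REDIRECT_RE = re.compile(r'Redirecting to URL: (?P<url>\S+)')
SET_COOKIE_RE = re.compile(r'Set AUTH_SESSION_ID cookie with value (?P<val>\S+)')
FOUND_COOKIE_RE = re.compile(r'\bFound AUTH_SESSION_ID cookie')
NOT_FOUND_COOKIE_RE = re.compile(r'Not found AUTH_SESSION_ID cookie')
RESTART_RE = re.compile(r"KC_RESTART cookie doesn.t exist")  # straight or curly apostrophe
ERROR_RE = re.compile(r'type=LOGIN_ERROR,.*\berror=(?P<err>\w+)')

@dataclass
class Request:
    ts: str
    host: str               # host Keycloak believes it was reached on (after X-Forwarded-* parsing)
    path: str
    tab_id: Optional[str]
    peer_ip: Optional[str]  # TLS peer: the proxy, or the browser itself if it bypassed the proxy
    cookie_seen: Optional[bool] = None
    set_cookie: Optional[str] = None
    redirect_host: Optional[str] = None
    restart_missing: bool = False
    error: Optional[str] = None

def parse_log(text: str) -> list:
    requests, by_thread, last_peer = [], {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m['ts'], m['thread'], m['msg']
        if (hs := HANDSHAKE_RE.search(msg)):
            last_peer = hs['ip']  # adequate for a serial debug capture, not for a busy server
            continue
        if (au := ABSURI_RE.search(msg)):
            u = urlsplit(au['url'])
            req = Request(ts, u.hostname or '', u.path, parse_qs(u.query).get('tab_id', [None])[0], last_peer)
            requests.append(req)
            by_thread[thread] = req
            continue
        if (req := by_thread.get(thread)) is None:
            continue
        if NOT_FOUND_COOKIE_RE.search(msg):
            req.cookie_seen = False
        elif FOUND_COOKIE_RE.search(msg):
            req.cookie_seen = True
        if (sc := SET_COOKIE_RE.search(msg)):
            req.set_cookie = sc['val']
        if (rd := REDIRECT_RE.search(msg)):
            req.redirect_host = urlsplit(rd['url']).hostname
        if RESTART_RE.search(msg):
            req.restart_missing = True
        if (er := ERROR_RE.search(msg)):
            req.error = er['err']
    return requests

def analyze(requests, proxy_ips) -> list:
    """Human-readable findings; empty means every request stayed on one host and came via the proxy."""
    findings, first_host = [], {}
    for r in requests:
        where = f"{r.ts} {r.host}{r.path}"
        if r.peer_ip and r.peer_ip not in proxy_ips:
            findings.append(f"{where}: TLS peer {r.peer_ip} is not a proxy address, the browser reached Keycloak directly")
        if r.redirect_host and r.redirect_host != r.host:
            findings.append(f"{where}: redirect leaves {r.host} for {r.redirect_host}; cookies set on {r.host} will not follow")
        if r.tab_id:
            first = first_host.setdefault(r.tab_id, r.host)
            if first != r.host:
                findings.append(f"{where}: tab {r.tab_id} started on {first}; its AUTH_SESSION_ID/KC_RESTART cookies are scoped to that host")
        if r.error:
            findings.append(f"{where}: LOGIN_ERROR error={r.error} (cookie seen={r.cookie_seen}, KC_RESTART missing={r.restart_missing})")
    return findings

# Constructed sample modelled on the post's log; hosts, IPs, ids and timestamps are placeholders.
SAMPLE_LOG = """\
2022-07-12 10:01:52,412 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-1) [id: 0xebaf0c22, L:/10.0.0.5:443 - R:/10.0.0.2:53064] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
2022-07-12 10:01:52,414 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-0) Recalculated absoluteURI to https://sso.example.test/realms/demo/protocol/saml
2022-07-12 10:01:52,416 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Set AUTH_SESSION_ID cookie with value 4da155db-bf9b-432b-9d45-bd9a545dfcbd.node1-43592
2022-07-12 10:01:52,417 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-0) Redirecting to URL: https://kc-internal.example.test/realms/demo/login-actions/authenticate?client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=bSwwpu8R6qQ
2022-07-12 10:01:52,481 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-0) Recalculated absoluteURI to https://sso.example.test/realms/demo/login-actions/authenticate?client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=bSwwpu8R6qQ
2022-07-12 10:01:52,482 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Found AUTH_SESSION_ID cookie with value 4da155db-bf9b-432b-9d45-bd9a545dfcbd.node1-43592
2022-07-12 10:02:11,147 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-5) [id: 0x893c20f6, L:/10.0.0.5:443 - R:/203.0.113.7:50536] HANDSHAKEN: protocol:TLSv1.2 cipher suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2022-07-12 10:02:11,160 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-5) Recalculated absoluteURI to https://kc-internal.example.test/realms/demo/login-actions/authenticate?session_code=abc&execution=c15613fd&client_id=urn%3Afederation%3AMicrosoftOnline&tab_id=bSwwpu8R6qQ
2022-07-12 10:02:11,162 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-5) Not found AUTH_SESSION_ID cookie
2022-07-12 10:02:11,162 DEBUG [org.keycloak.protocol.RestartLoginCookie] (executor-thread-5) KC_RESTART cookie doesn't exist
2022-07-12 10:02:11,168 WARN [org.keycloak.events] (executor-thread-5) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=203.0.113.7, error=cookie_not_found
"""

def main(argv):
    text = open(argv[1], encoding='utf-8').read() if len(argv) > 1 else SAMPLE_LOG
    proxy_ips = set(argv[2].split(',')) if len(argv) > 2 else {'10.0.0.2'}
    for finding in analyze(parse_log(text), proxy_ips):
        print(finding)

if __name__ == '__main__':
    main(sys.argv)
```

On the constructed sample the script reports four findings: the redirect that leaves the proxy host, the credential POST arriving from a non-proxy peer, the tab switching host mid-login, and the LOGIN_ERROR with no cookie and no KC_RESTART. On a healthy deployment, where every Keycloak-generated URL carries the public host and every request passes through the proxy, it reports nothing.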