Odd Intermittent 400s, Strangely Browser-dependent

Hi guys; I’ve got an app running behind a Keycloak deployment (lightly customized Docker image running in AWS ECS) operating with login.gov’s developer authentication. We had this working in the past with Keycloak 15.0.2; we’re now up to 21.1.1. Things look good, for the most part, except…

I’m running into a very odd and frustrating problem. I can visit the site, I am forwarded to login.gov, I log in, and get on… in a regular Google Chrome browser window. However, if I open an Incognito window, I receive a vague error message from the app. This is the result of an error 400 caused by the prior response.

It seems as if the application is returning either a 302 or 303 upon login. If a 303 is returned, the attempt is unsuccessful and followed by a 400. If a 302 is returned, the attempt is successful and I am logged in to the site. This seems to be happening with the “auth?response_type” immediately prior to the error 400.

Interestingly, Microsoft Edge works in either regular or private mode. Apple’s Safari browser fails no matter what, as does Firefox.

I am looking at the Chrome Developer Tools, at the Network tab. I have examples of both the successful login and the failed login. The “Request URL” seems to be about the same in both examples. The “Request Method” for both examples is “GET”. However, the status code for one is 302, and the other is 303. The Response Headers are significantly different. For the successful 302 attempt, the “Location” value is an address of the application, and multiple “Set-Cookie” values are present with such strings as “KC_RESTART” and “KEYCLOAK_IDENTITY” and the like. In the unsuccessful attempt that returns 303, the “Location” value in Response Headers is an address for the Keycloak server, and the “Set-Cookie” values are also different–there are “AUTH_SESSION” strings and only a single “KC_RESTART” cookie.

Any ideas what might be happening here? Thanks in advance for any ideas–please feel free to ask for clarification if I’ve failed to explain something correctly or clearly!
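
The side-by-side header comparison described in the post can be done programmatically. This is an added example, not part of the original post: a Node.js script that summarizes the status, redirect host, and Set-Cookie names and attributes of two captured responses. The hostnames, paths, and cookie values are constructed samples, and `AUTH_SESSION_ID` is assumed to be the full cookie name behind the post's "AUTH_SESSION" strings.

```javascript
// Added example: header values below are constructed samples, not captures from the post.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  // Max-Age <= 0 or an Expires date in the past tells the browser to delete the cookie.
  const maxAge = Number(cookie.attrs["max-age"]);
  cookie.cleared = maxAge <= 0 || Date.parse(cookie.attrs.expires) < Date.now();
  return cookie;
}
// Reduce one response ({status, headers: [[name, value], ...]}) to the fields being compared.
function summarize(resp) {
  const get = (n) => resp.headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v);
  const location = get("location")[0];
  return {
    status: resp.status,
    locationHost: location ? new URL(location).host : null,
    cookies: get("set-cookie").map(parseSetCookie),
  };
}
// Report which cookie names appear in only one of the two responses.
function compare(a, b) {
  const names = (s) => new Set(s.cookies.map((c) => c.name));
  const [na, nb] = [names(a), names(b)];
  return {
    status: [a.status, b.status],
    locationHost: [a.locationHost, b.locationHost],
    onlyInFirst: [...na].filter((n) => !nb.has(n)).sort(),
    onlyInSecond: [...nb].filter((n) => !na.has(n)).sort(),
    inBoth: [...na].filter((n) => nb.has(n)).sort(),
  };
}
const ok = { status: 302, headers: [
  ["Location", "https://app.example.test/callback?code=SAMPLE"],
  ["Set-Cookie", "KC_RESTART=; Max-Age=0; Path=/; Secure; HttpOnly"],
  ["Set-Cookie", "KEYCLOAK_IDENTITY=SAMPLE; Path=/; SameSite=None; Secure; HttpOnly"],
]};
const failed = { status: 303, headers: [
  ["Location", "https://keycloak.example.test/SAMPLE-PATH"],
  ["Set-Cookie", "AUTH_SESSION_ID=SAMPLE; Path=/; SameSite=None; Secure; HttpOnly"],
  ["Set-Cookie", "KC_RESTART=SAMPLE; Path=/; Secure; HttpOnly"],
]};
const report = compare(summarize(ok), summarize(failed));
console.log(JSON.stringify(report, null, 2));
```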