Redirect loop logging into Master realm behind Apache reverse proxy


I have a Keycloak instance running behind an Apache reverse proxy server. The reverse proxy manages HTTPS traffic to the Keycloak server and other web apps hosted by our organisation. I have followed the docs and have verified the two major points specified:

  1. Client IP address is being forwarded correctly (verified by checking log in attempts in the logs)
  2. Host name is being preserved as the JSON list of URLs are all correct (https and correctly references the reverse proxy domain).

When I log in to the master realm with an admin account, there is an endless redirect loop happening, which seems to follow this pattern:

  1. Initial successful GET to /auth/admin/master/console/
  2. Loading of resources, all successful
  3. Successful POST request to /auth/realms/master/protocol/openid-connect/token
  4. Successful GET of html
  5. Redirect request to /auth/realms/master/protocol/openid-connect/login-status-iframe.html/init
  6. Successful redirect response to /auth/admin/master/console/#/
  7. Successful GET request to /auth/admin/master/console/ (Step 1)

All the steps are then repeated again.

I noticed that the Keycloak logs are spammed with the following line on each iteration of the loop:

16:14:43,994 WARN [] (default task-2) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=xxx, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

I’ve looked around at people having a similar issue, but their solution was usually either a header not being correctly set or proxy forwarding not being set on the Keycloak server - both of which I have confirmed are set correctly.

Any help would be greatly appreciated.

1 Like

Did you find the problem? I am experiencing same issue and I can’t figure out why.

Hey, I resolved the issue by going going through the source and identifying that a Keycloak cookie was not being processed by some of the JavaScript code. It wasn’t obvious that this was the problem from any of the output logs.

It was happening because our proxy was setting “HttpOnly” on each cookie it processed. Adding a rule to stop this happening for all KEYCLOAK.* cookies fixed it for us.

Good luck!

That helped me! I still need to check couple things, before say it is over, but seems like it did the trick.

Thank you!