I have a Keycloak instance running behind an Apache reverse proxy server. The reverse proxy manages HTTPS traffic to the Keycloak server and other web apps hosted by our organisation. I have followed the docs and have verified the two major points specified:
- Client IP address is being forwarded correctly (verified by checking login attempts in the logs)
- Host name is being preserved, as the URLs in the JSON list are all correct (https and correctly referencing the reverse proxy domain).
When I log in to the master realm with an admin account, there is an endless redirect loop happening, which seems to follow this pattern:
- Initial successful GET to /auth/admin/master/console/
- Loading of resources, all successful
- Successful POST request to /auth/realms/master/protocol/openid-connect/token
- Successful GET of html
- Redirect request to /auth/realms/master/protocol/openid-connect/login-status-iframe.html/init
- Successful redirect response to /auth/admin/master/console/#/
- Successful GET request to /auth/admin/master/console/ (Step 1)
All the steps are then repeated again.
I noticed that the Keycloak logs are spammed with the following line on each iteration of the loop:
16:14:43,994 WARN [org.keycloak.events] (default task-2) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=xxx, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
I’ve looked around at people having a similar issue, but their solution was usually either a header not being correctly set or proxy forwarding not being set on the Keycloak server - both of which I have confirmed are set correctly.
Any help would be greatly appreciated.
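For anyone chasing the same symptom, a small log check that spots the loop from the server side: it parses Keycloak event lines of the shape quoted above and flags a client/IP pair that keeps producing REFRESH_TOKEN_ERROR events in a short window, which is what the redirect loop looks like in the logs. This is an added example, not code from the question or from Keycloak; the log lines and the 203.0.113.x addresses are constructed (the original IP is redacted as "xxx").

```python
import re
from datetime import datetime, timedelta

# Matches the shape of the WARN line quoted in the question: timestamp, level,
# [logger], (thread), then comma-separated key=value pairs.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) +\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<fields>.*)$"
)

def parse_event(line):
    """Parse one Keycloak event line into a dict; return None for other lines."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%H:%M:%S,%f"),
             "level": m.group("level"), "logger": m.group("logger")}
    for pair in m.group("fields").split(", "):
        key, _, value = pair.partition("=")
        event[key.strip()] = value.strip()
    return event

def find_refresh_loops(lines, threshold=3, window=timedelta(seconds=30)):
    """Return {(clientId, ipAddress): count} for clients with at least
    `threshold` REFRESH_TOKEN_ERROR events inside `window`: a client that
    fails to refresh, is redirected and fails again is the loop pattern."""
    recent = {}   # (clientId, ipAddress) -> timestamps of recent errors
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("type") != "REFRESH_TOKEN_ERROR":
            continue
        key = (ev.get("clientId"), ev.get("ipAddress"))
        stamps = [t for t in recent.get(key, []) if ev["ts"] - t <= window]
        stamps.append(ev["ts"])
        recent[key] = stamps
        if len(stamps) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(stamps))
    return flagged

# Constructed sample log (not from the question's server); 203.0.113.x is a
# documentation address standing in for the redacted "xxx".
SAMPLE_LOG = [
    "16:14:40,100 INFO  [org.keycloak.events] (default task-1) type=LOGIN, realmId=master, clientId=security-admin-console, userId=1234, ipAddress=203.0.113.5",
    "16:14:43,994 WARN  [org.keycloak.events] (default task-2) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=203.0.113.5, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret",
    "16:14:45,210 WARN  [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=203.0.113.5, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret",
    "16:14:46,502 WARN  [org.keycloak.events] (default task-4) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=203.0.113.5, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret",
    "16:20:01,000 WARN  [org.keycloak.events] (default task-5) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=203.0.113.9, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret",
]

if __name__ == "__main__":
    for (client, ip), n in find_refresh_loops(SAMPLE_LOG).items():
        print(f"possible refresh/redirect loop: client={client} ip={ip} errors={n}")
```

Run it against a real server log (one line per list entry) and compare the flagged client with the clientId in the loop; a single isolated error, like the `account` client here, is not reported.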