The account console presents "Failed to initialize keycloak" init request returns 403

Running 12.0.4 on eks cluster behind kong ingress. It actually works fine on docker, so it seems to be an ingress issue, i just don’t understand how :frowning:

When i request https://<domain>/auth/realms/test-realm/account/ i get a popup “Failed to initialize keycloak”

failed-to-initialize-keycloak

Looking at the network bar in firefox, this request is returning 403
https://<domain>/auth/realms/test-realm/protocol/openid-connect/login-status-iframe.html/init?client_id=account-console&origin=https://<domain>

I compared this against running the docker container (12.0.4) and this endpoint displays the account console page and DOESN’T require any login, so the 403 here is odd, since user-authentication isnt required.

I am also running keycloak with debug logging, but there isn’t anything useful coming from the logs.

Anyone else experiencing this?

2 Likes

Ok, the issue is with the web-origins. I believe something about the ingress and internal configurations must not be in sync because if I allow all web origins it works.

This setting is in the clients section of each realm. For my problem, this was in the “accounts-console” client:

It would be lovely to add some debug logs about this. It required a code-dive to figure this out… I might try to submit a PR for it, or at least get one of the devs to add it in. The code where this is checked is here: keycloak/LoginStatusIframeEndpoint.java at f9d4f3c7c29dff4dec06b88d8acfa07a5356669f · keycloak/keycloak · GitHub

10 Likes

Life saver. For the life of me couldn’t figure it out. The DEBUG logs didn’t provide a guidance. Thank you.

3 Likes

It works for me. Thanks!! @bclouser

Note: Please make sure to update the account-console client in master realm, if you have other realms exist.

1 Like

I am new to keycloak and struggling with the same ““failed to initatilize keycloak” issue as others. But the workaround described here (” update the account-console client in master realm") fails in my case. It is not possible to edit account-console settings on the master realm, as even this link is replied with “https://login.netzwissen.de/admin/master/console/#/notfound” (404).

My setup:

  • keycloak 18.0.0. quarkus, single instance on ubuntu 20.04 lxc container
  • haproxy as a central ssl accelerator forwards the requests to java/keycloak on p. 8080
  • config with proxy=edge

Is there any other way to fix this issue? As far as I understand from different readings, the root cause of the issue is not really solved yet… - is this correct? If I can help debugging this, let me know …

We’re facing this issue too, did you find anything?

In the meantime I upgraded to keycloak 19. The solution was simply a permission change - originally all was root:root. I now use the following setup, as the keycloak JRE is started with User=keycloak from systemd.

drwxr-xr-x 3 keycloak root  4096 Jul 29 11:07 bin
drwxr-xr-x 2 keycloak root  4096 Aug 26 11:02 conf
drwxr-xr-x 4 keycloak root  4096 Aug 26 10:09 data
drwxr-xr-x 5 keycloak root  4096 Jul 29 11:07 lib
drwxr-xr-x 2 keycloak root  4096 Aug 26 16:07 providers
drwxr-xr-x 3 keycloak root  4096 Aug 27 11:50 themes

And for /data/tmp

drwxr-xr-x 3 keycloak keycloak 4096 Aug 26 10:09 tmp

call it “intuition” or “ingenuity” - whatsoever :sunglasses:
In my daily devops job, I work with java application servers and we had such issues already …