The account console presents "Failed to initialize keycloak" init request returns 403

1

Running 12.0.4 on eks cluster behind kong ingress. It actually works fine on docker, so it seems to be an ingress issue, i just don’t understand how :frowning:

When i request https://<domain>/auth/realms/test-realm/account/ i get a popup “Failed to initialize keycloak”

failed-to-initialize-keycloak

Looking at the network bar in firefox, this request is returning 403
https://<domain>/auth/realms/test-realm/protocol/openid-connect/login-status-iframe.html/init?client_id=account-console&origin=https://<domain>

I compared this against running the docker container (12.0.4) and this endpoint displays the account console page and DOESN’T require any login, so the 403 here is odd, since user-authentication isnt required.

I am also running keycloak with debug logging, but there isn’t anything useful coming from the logs.

Anyone else experiencing this?

2 Likes
2

Ok, the issue is with the web-origins. I believe something about the ingress and internal configurations must not be in sync because if I allow all web origins it works.

This setting is in the clients section of each realm. For my problem, this was in the “accounts-console” client:

add-web-origins-edit
add-web-origins-edit1404×1274 119 KB

It would be lovely to add some debug logs about this. It required a code-dive to figure this out… I might try to submit a PR for it, or at least get one of the devs to add it in. The code where this is checked is here: https://github.com/keycloak/keycloak/blob/f9d4f3c7c29dff4dec06b88d8acfa07a5356669f/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java#L62

5 Likes
3

Life saver. For the life of me couldn’t figure it out. The DEBUG logs didn’t provide a guidance. Thank you.

2 Likes
4

It works for me. Thanks!! @bclouser

Note: Please make sure to update the account-console client in master realm, if you have other realms exist.

5

I am new to keycloak and struggling with the same ““failed to initatilize keycloak” issue as others. But the workaround described here (” update the account-console client in master realm") fails in my case. It is not possible to edit account-console settings on the master realm, as even this link is replied with “https://login.netzwissen.de/admin/master/console/#/notfound” (404).

My setup:

  • keycloak 18.0.0. quarkus, single instance on ubuntu 20.04 lxc container
  • haproxy as a central ssl accelerator forwards the requests to java/keycloak on p. 8080
  • config with proxy=edge

Is there any other way to fix this issue? As far as I understand from different readings, the root cause of the issue is not really solved yet… - is this correct? If I can help debugging this, let me know …

6

We’re facing this issue too, did you find anything?

7

In the meantime I upgraded to keycloak 19. The solution was simply a permission change - originally all was root:root. I now use the following setup, as the keycloak JRE is started with User=keycloak from systemd.

drwxr-xr-x 3 keycloak root  4096 Jul 29 11:07 bin
drwxr-xr-x 2 keycloak root  4096 Aug 26 11:02 conf
drwxr-xr-x 4 keycloak root  4096 Aug 26 10:09 data
drwxr-xr-x 5 keycloak root  4096 Jul 29 11:07 lib
drwxr-xr-x 2 keycloak root  4096 Aug 26 16:07 providers
drwxr-xr-x 3 keycloak root  4096 Aug 27 11:50 themes

And for /data/tmp

drwxr-xr-x 3 keycloak keycloak 4096 Aug 26 10:09 tmp

9

call it “intuition” or “ingenuity” - whatsoever :sunglasses:
In my daily devops job, I work with java application servers and we had such issues already …