The account console presents "Failed to initialize keycloak" init request returns 403

Running 12.0.4 on an EKS cluster behind Kong ingress. It actually works fine on Docker, so it seems to be an ingress issue, I just don’t understand how.

When I request https://<domain>/auth/realms/test-realm/account/ I get a popup “Failed to initialize keycloak”


Looking at the network bar in Firefox, this request is returning 403
https://<domain>/auth/realms/test-realm/protocol/openid-connect/login-status-iframe.html/init?client_id=account-console&origin=https://<domain>

I compared this against running the docker container (12.0.4) and this endpoint displays the account console page and DOESN’T require any login, so the 403 here is odd, since user-authentication isn’t required.

I am also running keycloak with debug logging, but there isn’t anything useful coming from the logs.

Anyone else experiencing this?

2 Likes

Ok, the issue is with the web-origins. I believe something about the ingress and internal configurations must not be in sync because if I allow all web origins it works.

This setting is in the clients section of each realm. For my problem, this was in the “accounts-console” client:

It would be lovely to add some debug logs about this. It required a code-dive to figure this out… I might try to submit a PR for it, or at least get one of the devs to add it in. The code where this is checked is here: keycloak/LoginStatusIframeEndpoint.java at f9d4f3c7c29dff4dec06b88d8acfa07a5356669f · keycloak/keycloak · GitHub

9 Likes
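A simplified model of the web-origins check described in the post above, added here as an illustration and not Keycloak's own code. It shows why the same client passes on Docker and gets 403 behind an ingress, and that listing the exact public origin fixes it without accepting every origin the way `*` does. The `+` expansion and the rule that the server also accepts the origin of the request URL as it sees it are assumptions about the check; the hostnames are constructed.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """Return scheme://host[:port] for a URL, omitting default ports."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    host = p.hostname or ""
    if p.port and p.port != default:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}"

def resolve_web_origins(web_origins, redirect_uris):
    """Expand Web Origins; '+' is assumed to mean 'origins of the redirect URIs'.
    Relative redirect URIs carry no origin and are skipped in this model."""
    allowed = {o for o in web_origins if o != "+"}
    if "+" in web_origins:
        allowed |= {origin_of(u) for u in redirect_uris if "://" in u}
    return allowed

def init_status(origin_param, web_origins, redirect_uris, url_seen_by_server):
    """Status of the modeled init check: 204 if the origin is accepted, else 403."""
    allowed = resolve_web_origins(web_origins, redirect_uris)
    # Assumption: the origin of the request URL, as the server sees it, is accepted.
    allowed.add(origin_of(url_seen_by_server))
    return 204 if "*" in allowed or origin_param in allowed else 403

# Constructed sample values, not taken from the thread.
INIT = "/auth/realms/test-realm/protocol/openid-connect/login-status-iframe.html/init"
BROWSER = "https://sso.example.test"             # origin the browser sends
OTHER = "https://other.example.test"             # unrelated site
INTERNAL = "http://keycloak.internal:8080" + INIT  # URL seen behind the ingress
RELATIVE = ["/realms/test-realm/account/*"]      # relative redirect URI

if __name__ == "__main__":
    cases = [
        ("docker, direct", "http://localhost:8080", [], "http://localhost:8080" + INIT),
        ("ingress, no web origins", BROWSER, [], INTERNAL),
        ("ingress, '*' (own site)", BROWSER, ["*"], INTERNAL),
        ("ingress, '*' (other site)", OTHER, ["*"], INTERNAL),
        ("ingress, exact (own site)", BROWSER, [BROWSER], INTERNAL),
        ("ingress, exact (other site)", OTHER, [BROWSER], INTERNAL),
    ]
    for name, origin, web_origins, seen in cases:
        print(f"{name:30} -> {init_status(origin, web_origins, RELATIVE, seen)}")
```

In this model the `*` setting also returns 204 for the unrelated origin, while the exact-origin setting returns 403 for it.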

Life saver. For the life of me couldn’t figure it out. The DEBUG logs didn’t provide any guidance. Thank you.

3 Likes

It works for me. Thanks!! @bclouser

Note: Please make sure to update the account-console client in the master realm if you have other realms.

1 Like