Update 8.0.1 -> 9.0.0 unable to login to administration console (PKCE problem)

tiago.diogo · February 27, 2020, 2:58pm

hello all,

i recently migrated from 8.0.1 to 9.0.0
all went well on my local environment but things gone wrong on production.

i’m currently unable to login into the administration console
the log presents the following problem:

14:45:55,987 INFO [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-9) PKCE enforced Client without code challenge method.

27/02/2020 14:45:55 14:45:55,987 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=xxx.xxx.x.xxx, error=invalid_request, response_type=code, redirect_uri=https://xxxxxxx/auth/admin/master/console/, response_mode=fragment

If i compare the auth url from my local environment and the url from production the fact is that the “code_challenge” and “code_challenge_method” query params are missing.

How can i restore login?

Thank you for your support

ldmi3i · February 28, 2020, 7:01pm

Hi!
I faced with the same behavior, and when I rollback to 8.0.2 version - error was the same.
But I have only test stand and clean all was an option.
So I resolved it by full cleaning of docker containers and data (i’m not good deal with docker and for me it taked two attempts).

I can add that this problem not only with admin console, but with every login too.

And after cleaning all I restored version 8.0.2 and it worked fine. And after pulling 9.0.0 version all worked fine again. So it looks like the cause is in some settings that was done while using keycloak 8.0.2.

RefinedMe · March 2, 2020, 4:33am

I encountered the same problem, did you solve it?

RefinedMe · March 2, 2020, 5:47am

I can log in when I open it with an incognito browser or another new browser

mposolda · March 2, 2020, 10:46am

Hi,

could you please create JIRA for this issue? Looks like browser cache
problem, which we can hopefully fix on Keycloak side.

Thanks,
Marek

tiago.diogo · March 2, 2020, 3:10pm

hello,

in my case clearing browser cache / incognito browser window did not work.
i assume either something during migration went wrong or a specific combination of my configuration caused problem on the new version.
either way, my fix was to remove a line from database.
table: client_attributes
row with:
value S256
name: pkce.code.challenge.method

after removing this line i was able to login again without any problem.
i am yet to know the implications of removing this configuration…

Tiago

P3RF3CTION · March 2, 2020, 5:38pm

Hey everybody,

I can confirm the error from my side.
Private Browser Session and clearing the Cache does definitely not help in any way.

I didn’t found any fix anywhere.

Looking forward to receive a final solution

mposolda · March 3, 2020, 12:08pm

Thanks guys. I’ve created JIRA
to investigate
this.

Which browser do you guys have btv?

Thanks,
Marek

tiago.diogo · March 3, 2020, 12:20pm

google chrome Version 80.0.3987.122

tiago.diogo · March 3, 2020, 12:26pm

link to the JIRA issue:
https://issues.redhat.com/browse/KEYCLOAK-13189

stianst · March 3, 2020, 12:34pm

Can you take a look at app.js to check if it’s including (look at index.html for the admin console to find the URL of it. It’ll be something like /auth/resources/lnz3u/admin/keycloak/js/app.js):

keycloakAuth.init({ onLoad: ‘login-required’, pkceMethod: ‘S256’ })

Seems somehow you are getting an old version of app.js loaded, which shouldn’t be possible. Unless you have an old and a new version of Keycloak running at the same time, or have some caching layer on top or something.

stianst · March 3, 2020, 12:41pm

BTW browser cache shouldn’t have anything to do with this issue. The index.html page of the admin console is not cached, and all resources it uses includes a string that is updated on a release.

So possible causes of this issue includes:

Old KC version still running with updated DB
Some separate caching layer (CDN) in front of KC
Copying old admin theme when upgrading

P3RF3CTION · March 3, 2020, 1:34pm

Tested with

Microsoft Edge
Version 82.0.432.3 (Official build) dev (64-bit)

|Microsoft Edge|82.0.432.3 (Official build) dev (64-bit)|
|Revision|d9a38a8bed9deea76480b6486b16e9980a207515|
|Operating system|Windows 10 OS Version 1909 (Build 18363.693)|
|JavaScript|V8 8.2.56|
|User agent|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4056.0 Safari/537.36 Edg/82.0.432.3|

Vivaldi 2.11.1811.44 (Stable channel) (64-Bit)

|Windows 10 OS Version 1909 (Build 18363.693)|
|JavaScript|V8 8.0.426.25|
|Flash|(Deaktiviert)|
|User-Agent|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.125 Safari/537.36|

As I have control of the Proxy in front of Keycloak I have all caching Settings under my control and cleared everything already.

tiago.diogo · March 3, 2020, 1:57pm

hello stianst

this is the version of app.js being loaded into my browser regarding the init function

keycloakAuth.init({ onLoad: 'login-required' }).success(function () {
        auth.authz = keycloakAuth;

        if (auth.authz.idTokenParsed.locale) {
            locale = auth.authz.idTokenParsed.locale;
        }

        auth.refreshPermissions = function(success, error) {
            whoAmI(function(data) {
                auth.user = data;
                auth.loggedIn = true;
                auth.hasAnyAccess = hasAnyAccess(data);

                success();
            }, function() {
                error();
            });
        };

        loadResourceBundle(function(data) {
            resourceBundle = data;

            auth.refreshPermissions(function () {
                module.factory('Auth', function () {
                    return auth;
                });
                var injector = angular.bootstrap(document, ["keycloak"]);

                injector.get('$translate')('consoleTitle').then(function (consoleTitle) {
                    document.title = consoleTitle;
                });
            });
        });
    }).error(function () {
        window.location.reload();
    });

tiago.diogo · March 3, 2020, 1:59pm

about the version that is running:

INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 9.0.0 (WildFly Core 10.0.3.Final) started in 24932ms - Started 684 of 989 services (701 services are lazy, passive or on-demand)

P3RF3CTION · March 3, 2020, 4:47pm

I found a solutions for this it is related to either a file in your

standalone
themes

folder.
So i guess it is an old admin theme like @stianst already said.
I got my self a fresh copy of KC and unzipped the standalone and theme folder.
This solved it on my end.
@tiago.diogo

pahatz · March 23, 2020, 9:45am

Copying the /theme folder solved it for me too. But the structure of the theme must have changed because everything is broken. Do we need to do the theming from scratch for every new version?

pahatz · March 25, 2020, 7:35am

Instead of messing with the theme files, I found out that removing the volume and recreating it solved the problem too. No changes to the theme files were needed this way.

Topic		Replies	Views
Suddenly lost my ability to login to the console after upgrading to v21 Configuring the server admin-console , authentication , oidc	0	378	April 18, 2023
Loading the admin console spinning admin-console	9	17473	January 23, 2024
HTTP Error 403 after login on new install Configuring the server admin-console	4	1729	April 30, 2023
Admin console error: HTTPS required Getting advice admin-console , authentication	0	38	April 11, 2024
Failed to execute 'postmessage' on 'domwindow': The target origin provided ('http://abc.com') does not match the recipient window's origin ('https://abc.com). Suspecting this to be because of Iframe Getting advice admin-console , authentication , oidc	1	1573	April 18, 2023

Update 8.0.1 -> 9.0.0 unable to login to administration console (PKCE problem)

Related Topics