Browser-based flows not working properly due to 3rd party cookie policies on Firefox
Describe the bug
I’d like to set up keycloak server so that the administration console is only available on localhost, behind a reverse proxy. When I try to access the administration console, after successfully entering admin credentials, the message “Loading the admin console” is displayed and the web page refreshes forever.
For your information, I’m using Firefox 104.0.2 with AdblockPlus (disabling it does not change anything).
I believe this is a bug since my test-case is very simple. Feel free to ask anything you need to solve the issue 😃
Version
19.0.2
Expected behavior
We should see the administration console page. And of course, Keycloak should not log any error.
Actual behavior
The administration console page loads forever.
On the client-side, a POST request to https://auth.example.com/realms/master/protocol/openid-connect/token fails with 400 Bad Request. On the server-side, the following is logged:
WARN [org.keycloak.events] (executor-thread-0) type=REFRESH_TOKEN_ERROR, realmId=c886645d-192c-4e83-94c8-3d414df2311c, clientId=security-admin-console, userId=null, ipAddress=172.18.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
How to Reproduce?
I created a minimalist test case using docker-compose. You can then reproduce the issue going to http://localhost:8081/admin/ and logging in (login=‘admin’ password=‘mdp-admin’). Note: I replaced my actual domain name with example.com.
docker-compose.yml file:
version: "3"
services:
  keycloak:
    build:
      context: ./conf/keycloak
      dockerfile: Dockerfile-keycloak
    expose:
      - "443"
      - "8080"
    volumes:
      - ./ssl/fullchain.pem:/opt/demo/keycloak/certs/auth.example.com.crt
      - ./ssl/privkey.pem:/opt/demo/keycloak/certs/auth.example.com.key
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=mdp-admin
      - KEYCLOAK_FRONTEND_HOSTNAME=auth.example.com
      - KEYCLOAK_FRONTEND_PORT=443
      - KEYCLOAK_ADMIN_URL=http://localhost:8081/
      - KEYCLOAK_HTTPS_CERTIFICATE_FILENAME=auth.example.com.crt
      - KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILENAME=auth.example.com.key
  nginx:
    image: nginx:latest
    ports:
      - "443:443"
      - "8081:8081"
    volumes:
      - ./conf/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./ssl/fullchain.pem:/etc/nginx/certs/auth.example.com.crt
      - ./ssl/privkey.pem:/etc/nginx/certs/auth.example.com.key
      - ./ssl/chain.pem:/etc/nginx/certs/chain.pem
      - ./ssl/dhparam.pem:/etc/nginx/certs/dhparam.pem
Dockerfile-keycloak:
FROM quay.io/keycloak/keycloak:19.0.2
ENV KC_HEALTH_ENABLED=true
ENV KC_HTTPS_PORT=443
RUN /opt/keycloak/bin/kc.sh build
ADD . /opt/demo/keycloak/scripts/
WORKDIR /opt/keycloak
ENTRYPOINT [ "/opt/demo/keycloak/scripts/run.sh" ]
run.sh:
#!/usr/bin/env bash
# Public (frontend) hostname and the separate admin URL come from the
# docker-compose environment; all expansions are quoted so that an empty
# or space-containing value cannot break the argument list.
/opt/keycloak/bin/kc.sh start \
  --hostname="${KEYCLOAK_FRONTEND_HOSTNAME}" \
  --hostname-admin-url="${KEYCLOAK_ADMIN_URL}" \
  --proxy=edge \
  --https-certificate-file="/opt/demo/keycloak/certs/${KEYCLOAK_HTTPS_CERTIFICATE_FILENAME}" \
  --https-certificate-key-file="/opt/demo/keycloak/certs/${KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILENAME}"
nginx.conf:
server
{
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name auth.example.com;
    ssl_certificate /etc/nginx/certs/auth.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/auth.example.com.key;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/chain.pem;

    # Only expose recommended paths according to documentation:
    # https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
    location = / { return 403; }
    location = /health { return 403; }
    location = /metrics { return 403; }
    location = /robots.txt { return 457; }
    error_page 457 = @auth;
    location /
    {
        location ^~ /admin/ { return 403; }
        location ^~ /js/ { return 457; }
        location ^~ /realms/ { return 457; }
        location ^~ /resources/ { return 457; }
        location ^~ /welcome/ { return 403; }
    }
    location @auth
    {
        internal;
        # see /etc/resolv.conf
        resolver 127.0.0.11;
        proxy_pass https://keycloak;
        proxy_ssl_server_name on;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_intercept_errors on;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_ssl_protocols TLSv1.3;
    }
}

# http://localhost:8081/: keycloak
server
{
    listen 8081;
    listen [::]:8081;
    location /
    {
        allow 192.168.0.0/16;
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        deny all;
        # see /etc/resolv.conf
        resolver 127.0.0.11;
        proxy_pass http://keycloak:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_intercept_errors on;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
    }
}
Anything else?
No response
Top GitHub Comments
I don’t think this is the same issue since this one only applies to Firefox. I tried changing proxy=edge to proxy=reencrypt (and proxy_pass http://keycloak:8080/; to proxy_pass https://keycloak/; in the localhost server block) and Firefox still failed to load the administration console until I disabled the “Enhanced Tracking Protection” feature on the auth.example.com domain.

I would leave this one open but change the title to reflect the issue on FF.
I’m not sure yet how we can improve the server-side to workaround this constraint. Need to discuss this with the rest of the team.
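The reporter's finding that the console only loads once Enhanced Tracking Protection is disabled for auth.example.com points at the configured split itself: the auth server is reached at https://auth.example.com while the admin console is served from http://localhost:8081, which browsers treat as two different sites, so cookies set by the auth server during login are third-party from the console's point of view. The check below, an added example that is not part of Keycloak or of the original issue, reproduces the browser's schemeful same-site comparison for the two URLs from the reporter's run.sh; the registrable-domain logic is an assumption (last two DNS labels, no Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed from the values in the reporter's run.sh / docker-compose.yml
# (example code, not part of Keycloak or of the original issue).
FRONTEND_HOSTNAME = "auth.example.com"   # --hostname
ADMIN_URL = "http://localhost:8081/"     # --hostname-admin-url


def site_of(url: str) -> tuple[str, str]:
    """Return (scheme, registrable domain): the 'site' browsers use for
    schemeful same-site cookie decisions.

    Assumption: the registrable domain is approximated by the last two DNS
    labels (no Public Suffix List lookup), which is exact for example.com;
    a dotless host such as 'localhost' or an IP literal is its own site.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    is_ipv4 = len(labels) == 4 and all(label.isdigit() for label in labels)
    registrable = host if len(labels) < 2 or is_ipv4 else ".".join(labels[-2:])
    return parts.scheme.lower(), registrable


def same_site(url_a: str, url_b: str) -> bool:
    """Schemeful same-site: scheme and registrable domain must both match."""
    return site_of(url_a) == site_of(url_b)


def check_admin_console_config(frontend_hostname: str, admin_url: str) -> dict:
    """Compare the site of the auth server (assumed HTTPS, as in the issue)
    with the site the admin console is served from."""
    frontend_url = f"https://{frontend_hostname}/"
    cross_site = not same_site(frontend_url, admin_url)
    return {
        "frontend_site": site_of(frontend_url),
        "admin_site": site_of(admin_url),
        # True means cookies the auth server set at login are third-party
        # for pages on the admin URL; Firefox partitions cookies by
        # top-level site, so they are not sent on the console's requests
        # to the auth server and its token refresh cannot succeed.
        "cross_site": cross_site,
    }


if __name__ == "__main__":
    print(check_admin_console_config(FRONTEND_HOSTNAME, ADMIN_URL))
```

The same check flags any admin URL on a different scheme or registrable domain than the frontend hostname, not only localhost.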