Browser-based flows not working properly due to 3rd party cookie policies on Firefox

Describe the bug

I’d like to set up a Keycloak server so that the administration console is only available on localhost, behind a reverse proxy. When I try to access the administration console, after successfully entering admin credentials, the message “Loading the admin console” is displayed and the web page refreshes forever.

For your information, I’m using Firefox 104.0.2 with Adblock Plus (disabling it does not change anything).

I believe this is a bug since my test case is very simple. Feel free to ask anything you need to solve the issue 😃

Version

19.0.2

Expected behavior

We should see the administration console page. And of course, Keycloak should not log any error.

Actual behavior

The administration console page loads forever.

On the client side, a POST request to https://auth.example.com/realms/master/protocol/openid-connect/token fails with 400 Bad Request. On the server side, the following is logged:

WARN [org.keycloak.events] (executor-thread-0) type=REFRESH_TOKEN_ERROR, realmId=c886645d-192c-4e83-94c8-3d414df2311c, clientId=security-admin-console, userId=null, ipAddress=172.18.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

How to Reproduce?

I created a minimalist test case using docker-compose. You can then reproduce the issue by going to http://localhost:8081/admin/ and logging in (login 'admin', password 'mdp-admin'). Note: I replaced my actual domain name with example.com.

docker-compose.yml file:

version: "3"

services:
  keycloak:
    build:
      context: ./conf/keycloak
      dockerfile: Dockerfile-keycloak
    # Not published on the host: only nginx reaches these ports over the compose network.
    expose:
      - "443"
      - "8080"
    volumes:
      - ./ssl/fullchain.pem:/opt/demo/keycloak/certs/auth.example.com.crt
      - ./ssl/privkey.pem:/opt/demo/keycloak/certs/auth.example.com.key
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=mdp-admin
      # Read by run.sh: public hostname and the separate admin URL.
      # (KEYCLOAK_FRONTEND_PORT is set here but not used by run.sh.)
      - KEYCLOAK_FRONTEND_HOSTNAME=auth.example.com
      - KEYCLOAK_FRONTEND_PORT=443
      - KEYCLOAK_ADMIN_URL=http://localhost:8081/
      - KEYCLOAK_HTTPS_CERTIFICATE_FILENAME=auth.example.com.crt
      - KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILENAME=auth.example.com.key
  nginx:
    image: nginx:latest
    # 443 is the public entry point; 8081 carries the admin console and is
    # meant to be reached from localhost only.
    ports:
      - "443:443"
      - "8081:8081"
    volumes:
      - ./conf/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./ssl/fullchain.pem:/etc/nginx/certs/auth.example.com.crt
      - ./ssl/privkey.pem:/etc/nginx/certs/auth.example.com.key
      - ./ssl/chain.pem:/etc/nginx/certs/chain.pem
      - ./ssl/dhparam.pem:/etc/nginx/certs/dhparam.pem

Dockerfile-keycloak:

FROM quay.io/keycloak/keycloak:19.0.2

# Build-time options baked into the image; runtime options are passed by run.sh.
ENV KC_HEALTH_ENABLED=true
ENV KC_HTTPS_PORT=443

RUN /opt/keycloak/bin/kc.sh build

# COPY (rather than ADD) for a plain local directory.
COPY . /opt/demo/keycloak/scripts/

WORKDIR /opt/keycloak

ENTRYPOINT [ "/opt/demo/keycloak/scripts/run.sh" ]

run.sh:

#!/usr/bin/env bash
set -eu

# Production-mode start behind nginx. --proxy=edge makes Keycloak trust the
# X-Forwarded-* headers set by the proxy; hostname and admin URL come from
# docker-compose.yml. exec replaces this shell so Keycloak runs as PID 1 and
# receives container signals directly.
exec /opt/keycloak/bin/kc.sh start \
  --hostname="${KEYCLOAK_FRONTEND_HOSTNAME}" \
  --hostname-admin-url="${KEYCLOAK_ADMIN_URL}" \
  --proxy=edge \
  --https-certificate-file="/opt/demo/keycloak/certs/${KEYCLOAK_HTTPS_CERTIFICATE_FILENAME}" \
  --https-certificate-key-file="/opt/demo/keycloak/certs/${KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILENAME}"

nginx.conf:

server
{
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name auth.example.com;

  ssl_certificate /etc/nginx/certs/auth.example.com.crt;
  ssl_certificate_key /etc/nginx/certs/auth.example.com.key;
  # TLS 1.3 only. ssl_ciphers and ssl_dhparam apply to TLS 1.2 and older
  # handshakes, so with this protocol list the TLS 1.3 suites are the
  # OpenSSL defaults.
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/certs/dhparam.pem;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1;
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/nginx/certs/chain.pem;

  # Only expose recommended paths according to documentation:
  # https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
  #
  # 457 is an otherwise unused status code: "return 457" plus the error_page
  # mapping below routes several locations into the single named @auth block
  # without repeating the proxy settings in each of them.

  location = / { return 403; }
  location = /health { return 403; }
  location = /metrics { return 403; }
  location = /robots.txt { return 457; }

  error_page 457 = @auth;

  location /
  {
    # Longest matching prefix wins. A request that matches none of these
    # nested prefixes stays in this outer block, which has no proxy_pass and
    # therefore serves nginx's default root (a 404 in practice) instead of
    # reaching Keycloak.
    location ^~ /admin/ { return 403; }
    location ^~ /js/ { return 457; }
    location ^~ /realms/ { return 457; }
    location ^~ /resources/ { return 457; }
    location ^~ /welcome/ { return 403; }
  }

  location @auth
  {
    internal;

    # see /etc/resolv.conf
    # Note: with a literal upstream name, nginx resolves "keycloak" once at
    # startup; the resolver is only consulted when proxy_pass uses variables.
    resolver 127.0.0.11;
    proxy_pass https://keycloak;

    # SNI "keycloak" is sent to the backend; the backend certificate is not
    # verified (proxy_ssl_verify defaults to off).
    proxy_ssl_server_name on;

    # Keycloak (--proxy=edge) derives scheme, host and client IP from these.
    proxy_set_header Host              $http_host;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    proxy_intercept_errors on;
    proxy_http_version 1.1;
    proxy_cache_bypass  $http_upgrade;
    proxy_ssl_protocols TLSv1.3;
  }
}

# http://localhost:8081/: keycloak
server
{
  listen 8081;
  listen [::]:8081;

  location /
  {
    # Evaluated against the TCP peer ($remote_addr), never X-Forwarded-For.
    # Inside Docker the peer is the bridge address rather than 127.0.0.1
    # (the log line in the report shows ipAddress=172.18.0.1); 127.0.0.1
    # itself is not in this list, and any private-range host that can reach
    # port 8081 on the host is admitted.
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    deny all;

    # see /etc/resolv.conf
    resolver 127.0.0.11;
    proxy_pass http://keycloak:8080/;

    proxy_set_header Host              $http_host;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    proxy_intercept_errors on;
    proxy_http_version 1.1;
    proxy_cache_bypass  $http_upgrade;
  }
}

Anything else?

No response
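
The nginx configuration in the reproduction is the part of this setup that decides which Keycloak paths the public hostname exposes, and it is easy to get a prefix or an exact match subtly wrong. The following is an added example, not code from the issue, Keycloak or nginx: it re-implements the subset of nginx's location selection that this configuration uses (an exact "=" match wins outright, otherwise the longest matching prefix; there are no regex locations, so "^~" behaves as a plain prefix) and the allow/deny list on the :8081 server, so the policy can be checked offline against a constructed set of request paths. It assumes the URIs are already normalized the way nginx normalizes them before matching (percent-decoding, "//" and "/../" resolved), and the flattened location list and sample paths are constructed for the example.

```python
"""Offline model of the exposed-path policy in the posted nginx.conf.

Added example (not code from the issue or from Keycloak/nginx). Nested
locations inside "location /" are flattened, which gives the same result
because "/" is the only outer prefix location.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    modifier: Optional[str]  # "=" exact, "^~" prefix (no regex fallback), None plain prefix
    path: str
    action: str              # "403" (return 403), "proxy" (return 457 -> @auth) or "static"


# Public server block (auth.example.com), transcribed from the config above.
# The outer "location /" has no proxy_pass: whatever matches none of the
# nested prefixes is served from nginx's default root, a 404 in practice.
PUBLIC_LOCATIONS = [
    Location("=", "/", "403"),
    Location("=", "/health", "403"),
    Location("=", "/metrics", "403"),
    Location("=", "/robots.txt", "proxy"),
    Location(None, "/", "static"),
    Location("^~", "/admin/", "403"),
    Location("^~", "/js/", "proxy"),
    Location("^~", "/realms/", "proxy"),
    Location("^~", "/resources/", "proxy"),
    Location("^~", "/welcome/", "403"),
]

# Admin server block (:8081): allow/deny is evaluated against $remote_addr,
# the TCP peer, never against X-Forwarded-For.
ADMIN_ALLOW = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def select_location(uri: str, locations) -> Location:
    """Return the location nginx would choose for a normalized request URI."""
    for loc in locations:
        if loc.modifier == "=" and loc.path == uri:
            return loc
    best = None
    for loc in locations:
        if loc.modifier != "=" and uri.startswith(loc.path):
            if best is None or len(loc.path) > len(best.path):
                best = loc
    if best is None:
        raise ValueError(f"no location matches {uri!r}")
    return best


def public_action(uri: str) -> str:
    """What the public (443) server does with a normalized request URI."""
    return select_location(uri, PUBLIC_LOCATIONS).action


def admin_port_allows(remote_addr: str) -> bool:
    """Whether the :8081 allow list admits a given TCP peer address."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in ADMIN_ALLOW)


def audit(uris) -> dict:
    """Map each URI to its outcome so a policy change can be reviewed at a glance."""
    return {uri: public_action(uri) for uri in uris}


if __name__ == "__main__":
    # Constructed sample paths: the Keycloak endpoints a reviewer cares about.
    sample = [
        "/", "/health", "/health/ready", "/metrics", "/robots.txt",
        "/admin/", "/admin/master/console/", "/admin",
        "/realms/master/protocol/openid-connect/token",
        "/js/keycloak.js", "/resources/abcd/admin/keycloak.v2/index.html", "/welcome/",
    ]
    for uri, action in audit(sample).items():
        print(f"{action:7} {uri}")
    for peer in ("172.18.0.1", "127.0.0.1", "203.0.113.7"):
        print(f"admin port from {peer}: {'allowed' if admin_port_allows(peer) else 'denied'}")
```

Two results are worth noticing: "/health/ready" and "/admin" (no trailing slash) match neither an exact location nor a nested prefix, so they fall to the outer "location /" and are answered from nginx's root rather than forwarded, and 127.0.0.1 is not in the :8081 allow list at all, which only works here because Docker presents the host's connections with a bridge address such as the 172.18.0.1 seen in the report's log.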

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 14 (6 by maintainers)

Top GitHub Comments

1 reaction
okft commented, Sep 23, 2022

I don’t think this is the same issue since this one only applies to Firefox. I tried changing proxy=edge to proxy=reencrypt (and proxy_pass http://keycloak:8080/; to proxy_pass https://keycloak/; in the localhost server block) and Firefox still failed to load the administration console until I disabled the “Enhanced Tracking Protection” feature for the auth.example.com domain.
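
The two URLs this flow touches are not the same site: the console page is loaded from the hostname-admin-url (http://localhost:8081) while the login and token requests go to the frontend hostname (https://auth.example.com), so in Firefox's model the Keycloak cookies are third-party cookies on that page. The following is an added example, not code from the issue, Keycloak or Mozilla, that performs the schemeful same-site comparison Firefox's state partitioning is keyed on (scheme plus registrable domain) for the URLs in this report. Its registrable-domain rule is a simplification, labeled as such in the code: it takes the last two host labels instead of consulting the Public Suffix List, which is adequate for example.com and localhost but wrong for suffixes such as co.uk.

```python
"""Schemeful same-site check for the URLs an admin-console login touches.

Added example, not code from the issue, Keycloak or Firefox. The
registrable-domain rule is an assumption: last two labels, no Public
Suffix List; IP literals and single-label hosts ("localhost") are their
own site.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (assumption: no Public Suffix List lookup)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    is_ipv4 = len(labels) == 4 and all(label.isdigit() for label in labels)
    if ":" in host or is_ipv4 or len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def site_of(url: str):
    """(scheme, registrable domain): the key Firefox partitions cookies by."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return (parts.scheme, registrable_domain(parts.hostname))


def same_site(url_a: str, url_b: str) -> bool:
    """Schemeful same-site: scheme and registrable domain must both match."""
    return site_of(url_a) == site_of(url_b)


def cookie_context(top_level_page: str, cookie_origin: str) -> str:
    """How cookies from cookie_origin are classified on a page at top_level_page."""
    return "first-party" if same_site(top_level_page, cookie_origin) else "third-party"


if __name__ == "__main__":
    # URLs taken from the report: hostname-admin-url vs. the realm token endpoint.
    admin_console = "http://localhost:8081/admin/"
    token_endpoint = "https://auth.example.com/realms/master/protocol/openid-connect/token"
    print(site_of(admin_console), site_of(token_endpoint))
    print(cookie_context(admin_console, token_endpoint))
```

This only classifies the deployment shape; the thread itself records disabling Enhanced Tracking Protection for auth.example.com as the workaround and does not confirm that a same-site layout resolves the problem. Note that even a console served from a sibling host such as https://admin.example.com would be same-site with https://auth.example.com under this check, whereas an http:// console against an https:// server would not, because the comparison is schemeful.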

1 reaction
pedroigor commented, Sep 21, 2022

I would leave this one open but change the title to reflect the issue on FF.

I’m not sure yet how we can improve the server side to work around this constraint. Need to discuss this with the rest of the team.

Top Results From Across the Web

  • Third-party cookies and Firefox tracking protection
    Some websites may not work properly when third-party cookies are blocked, even with the default setting, Cross-site tracking cookies — includes social media ...
  • browser is blocking 3rd party cookies | Firefox Support Forum
    Firefox 96 made some SameSite/cross-site cookie handling stricter like Chrome and Edge, but various sites do not work correctly after this ...
  • Websites say cookies are blocked - Unblock them | Firefox Help
    This article describes how to troubleshoot problems that involve websites reporting that cookies are blocked or disabled.
  • Introducing State Partitioning - the Web developer blog
    State Partitioning is the new privacy feature called Total Cookie Protection, which will be available in ETP Strict Mode in Firefox 86.
  • Websites don't load - troubleshoot and fix error messages
    Try clearing Firefox's cookies and cache · Click the menu button · Click History and select Clear Recent History… · In the ...
