Keycloak - Kubernetes - ingress.nginx infinite auth loop

[AlmostDoneRight]

Hi there!

I am hoping someone can point me in the right direction.. I am trying to resolve an auth loop between KC and my Dashboard. Love this project btw!

Current Setup:

• Docker image: 2.0.2
• Container hosted in a Kubernetes Cluster
• Cluster running ingress.nginx
• letsencrypt cert for https
• Auth: Keycloak (latest version)

Keycloak

• Realm and Client_ID setup
• Standard Flow Enabled
• Valid Redirect: https://website.com/* and https://ip:port/*
• WebOrigins: https://webiste.com (tried all direct paths to my dashboard) I have also tried just "*"

Dashy ENV

• tried with and without "BASE_URL"
• Production

Issue

• Navigate to https://webiste.com >> Keycloak auth (login) >> authenticated, redirects back>> Stuck on Dashy Loading screen
• Navigation bar shows a back and forth ......url >> url + secured string >> url
• logs:
  Token: Error CORS xhr
  Cookies:
• KC remember me
• Auth Session ID legacy
• KC session legacy
• KC identity legacy
• _ga
• KC 3p cookie
• KC 3p cookie same site

I have added cors policy to my ingress as well with no luck there.

Any help is much appreciated :)

[Lissy93]

Heya @AlmostDoneRight
Sorry you're having issues :(
Was everything working okay before you setup Keycloak? Are you using Keycloak with any other services, and if so, is that all working fine?
Do you think you could share the contents of the browser console, I think that may show what the issue is (if you're unsure how, here's a guide).

[AlmostDoneRight]

Thanks @Lissy93 for getting back to me! :)

If I disable authentication, everything works fine.

I do have a wide variety of applications/services running on this cluster using KC without issue. This one has me stumped, ha! I'm sure it's something small I overlooked.

Here is my console dump,

Navigated to https://dashydashboard.aimit.io/
​ Fetch finished loading: POST "https://o937511.ingest.sentry.io/api/5887934/envelope/?sentry_key=3138ea85f15a4fa883a5b27a4dc8ee28&sentry_version=7".
(anonymous) @ chunk-vendors.075e4402.js:1
e @ chunk-vendors.075e4402.js:1
(anonymous) @ chunk-vendors.075e4402.js:1
n @ chunk-vendors.075e4402.js:1
t._sendRequest @ chunk-vendors.075e4402.js:1
e.sendSession @ chunk-vendors.075e4402.js:1
e.sendSession @ chunk-vendors.075e4402.js:1
e._sendSession @ chunk-vendors.075e4402.js:1
e.captureSession @ chunk-vendors.075e4402.js:1
e._sendSessionUpdate @ chunk-vendors.075e4402.js:26
e.captureSession @ chunk-vendors.075e4402.js:26
Kt @ chunk-vendors.075e4402.js:1
Yt @ chunk-vendors.075e4402.js:1
Nt @ chunk-vendors.075e4402.js:1
pi @ chunk-vendors.075e4402.js:1
Qe @ dashy.3f020fe1.js:1
56d7 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
0 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
a @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
dashydashboard.aimit.io/:1 Access to XMLHttpRequest at 'https://id.aimitservices.com/auth/realms/AIM_IT_Services/protocol/openid-connect/token' from origin 'https://dashydashboard.aimit.io' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
​ POST https://id.aimitservices.com/auth/realms/AIM_IT_Services/protocol/openid-connect/token net::ERR_FAILED 200
(anonymous) @ unknown
(anonymous) @ chunk-vendors.075e4402.js:1
(anonymous) @ chunk-vendors.075e4402.js:78
C @ chunk-vendors.075e4402.js:13
(anonymous) @ chunk-vendors.075e4402.js:13
Promise.then (async)
u @ chunk-vendors.075e4402.js:13
Promise.then (async)
(anonymous) @ chunk-vendors.075e4402.js:13
Promise.then (async)
a.init @ chunk-vendors.075e4402.js:13
(anonymous) @ dashy.3f020fe1.js:1
login @ dashy.3f020fe1.js:1
p @ dashy.3f020fe1.js:1
56d7 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
0 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
a @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
​ XHR failed loading: POST "https://id.aimitservices.com/auth/realms/AIM_IT_Services/protocol/openid-connect/token".
(anonymous) @ unknown
(anonymous) @ chunk-vendors.075e4402.js:1
(anonymous) @ chunk-vendors.075e4402.js:78
C @ chunk-vendors.075e4402.js:13
(anonymous) @ chunk-vendors.075e4402.js:13
Promise.then (async)
u @ chunk-vendors.075e4402.js:13
Promise.then (async)
(anonymous) @ chunk-vendors.075e4402.js:13
Promise.then (async)
a.init @ chunk-vendors.075e4402.js:13
(anonymous) @ dashy.3f020fe1.js:1
login @ dashy.3f020fe1.js:1
p @ dashy.3f020fe1.js:1
56d7 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
0 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
a @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
Navigated to https://dashydashboard.aimit.io/
​ Fetch finished loading: POST "https://o937511.ingest.sentry.io/api/5887934/envelope/?sentry_key=3138ea85f15a4fa883a5b27a4dc8ee28&sentry_version=7".
(anonymous) @ chunk-vendors.075e4402.js:1
e @ chunk-vendors.075e4402.js:1
(anonymous) @ chunk-vendors.075e4402.js:1
n @ chunk-vendors.075e4402.js:1
t._sendRequest @ chunk-vendors.075e4402.js:1
e.sendSession @ chunk-vendors.075e4402.js:1
e.sendSession @ chunk-vendors.075e4402.js:1
e._sendSession @ chunk-vendors.075e4402.js:1
e.captureSession @ chunk-vendors.075e4402.js:1
e._sendSessionUpdate @ chunk-vendors.075e4402.js:26
e.captureSession @ chunk-vendors.075e4402.js:26
Kt @ chunk-vendors.075e4402.js:1
Yt @ chunk-vendors.075e4402.js:1
Nt @ chunk-vendors.075e4402.js:1
pi @ chunk-vendors.075e4402.js:1
Qe @ dashy.3f020fe1.js:1
56d7 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
0 @ dashy.3f020fe1.js:1
l @ dashy.3f020fe1.js:1
a @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1
(anonymous) @ dashy.3f020fe1.js:1

[Lissy93]

Thanks, that's helpful. Looking at that error, it's a CORS error caused by the wildcard in the header.

For requests that transport sensitive info, setting the accept header to * is not allowed (see MDN Docs).

So the solution is to update the header to include the URL where you're hosting Dashy, and removing the wildcard. E.g.

Access-Control-Allow-Origin: https://dashy.example.com

Hope that helps, lemme know if you need more info :)

[AlmostDoneRight]

I am going to figure this out eventually!

I was hoping that my ingress CORS policy would solve this. To confirm I should be updating this on the Dashy instance, correct? The failure is the weborigin not accepting the "*" when the request comes across for the KC token.

CORS Policy:
https://projectcontour.io/docs/main/config/cors/

    corsPolicy:
      allowCredentials: true
      allowOrigin: 
        - "https://dashydashboard.aimit.io"
      allowMethods:
        - GET
        - POST
      allowHeaders:
        - Access-Control-Allow-Origin
        - X-CustomHeader
      maxAge: "60m"

I will look into updating this on the deployment.

Thanks again for your time, this has been a fantastic learning experience with Kubernetes!

[Lissy93]

To confirm I should be updating this on the Dashy instance, correct? The failure is the weborigin not accepting the "*" when the request comes across for the KC token.

Oops, I forgot to say that those headers need to be on KC rather than Dashy, as the failure comes from Dashy making the confirmation request which is being rejected by Keycloak.

And just to check, in your Keycloak dashboard there is a field called Valid Redirect URIs (secreenshot), have you put Dashy's URL there?

If this still isn't working, then it could be a bug in Dashy when used with Kubernetes, I'm still quite new to Kubernetes but will try and look into it :)

[AlmostDoneRight]

And just to check, in your Keycloak dashboard there is a field called Valid Redirect URIs (secreenshot), have you put Dashy's URL there?

Yep, you are correct, I have the Valid Redirect URIs section filled out.

I will continue to poke around at it. Let me know if you have any questions on the K8's side of things.

[AlmostDoneRight]

@Lissy93 Finally figured it out!!!!

The CORS issue was coming from the ingress configuration on the KeyCloak side. The ingress was keeping a static Access-Control-Allow-Origin of "*". Thanks again for taking a look at it!

Documentation: Ingress-nginx

    nginx.ingress.kubernetes.io/cors-allow-origin: "https://dashydashboard.aimit.io"
    #nginx.ingress.kubernetes.io/cors-expose-headers: "*"
    #nginx.ingress.kubernetes.io/cors-allow-headers: "*"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    #nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"

[Lissy93]

Nice one! 🙌
Very glad you've got it working, and thank for posting the solution :)