We are using Keycloak 2.3.0.Final and we are using the JavaScript adapter that is available at /auth/js/keycloak.js. The application that is using this adapter is a React+Redux application but that would not matter.
When we go through the auth process described in the docs the initial authentication is a success; however, when the login-status-iframe.html tries to refresh the token we get a 403 Forbidden.
The exact URL it's using to refresh the token: /auth/realms/<customer-realm>/protocol/openid-c…id=web-portal&origin=http%3A%2F%2Flocalhost%3A8080&session_state=undefined
Which causes a redirect again, again and again.
I'm assuming that this breaks because session_state param is undefined, but sadly I cannot find any documentation on this subject.
How do I resolve this?
asked Nov 23, 2016 at 9:31 by Ramon Gebben
- Have you found the answer? – Víctor Hugo, Jan 27, 2017 at 19:41
- No, not really an answer; check if all the versions match, because each version of Keycloak comes with its own keycloak.js. – Ramon Gebben, Feb 7, 2017 at 13:35
5 Answers
I don't know if you ever found a solution, but I recently ran into this issue as well. In this issue thread, user djmason9's solution worked for me. Just add checkLoginIframe: false for the initOptions parameter.
This almost certainly is happening because your router is in "hash" mode and using hashes for the routes. I haven't figured out how to get the Keycloak JavaScript adapter to work properly with hash-mode based routing, but at least you should know that's the issue you are up against. In Vue, you can set the router to "history" mode where it works without hashes, and that solves the problem. I am betting React has the same capability, as a workaround.
(I realize this question is old, but it is surfacing at the top of duckduckgo searches and the problem still exists in current versions of the javascript adapter, so I felt like it could use an answer)
I had a similar problem with Keycloak, but your solution might not be the same.
The root cause was that I had spun up multiple instances of Keycloak, but the load balancer didn't have sticky sessions. So every time the request went to a different instance, the cookie was invalid on that instance, it would redirect to login, and since it is logged in the process would repeat again.
For the solution, I have brought keycloak down to one instance, and I am looking at keycloak documentation on how to run a keycloak cluster.
Ensure that the Web Origins in Keycloak configuration has no trailing slash.
Have a look at the URL which returns 403, particularly the origin parameter. The value should contain the value defined in the Web Origin in the respective client.
I faced this issue and then solved it.
I had the same issue, and I solved it by adding the web origin "*" on my Keycloak client.
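
The checks suggested in the answers above (the undefined session_state, the origin parameter, and a trailing slash in Web Origins), as an added example that is not part of the original thread. It is a small Node.js helper with hypothetical names, and it assumes the server compares the origin to each Web Origins entry as an exact string:

```javascript
// Added example (not from the original thread). diagnoseIframeCheck and its
// finding labels are hypothetical names chosen for illustration.
// Assumption: the origin is matched against Web Origins as an exact string.
function diagnoseIframeCheck(failingUrl, webOrigins) {
  // The base is only there so a relative URL, as pasted in the question, parses.
  const url = new URL(failingUrl, 'http://placeholder.invalid');
  const origin = url.searchParams.get('origin');
  const sessionState = url.searchParams.get('session_state');
  const findings = [];

  // The literal text "undefined" means the adapter had no session_state to send.
  if (!sessionState || sessionState === 'undefined') {
    findings.push('session_state-missing');
  }
  if (origin === null) {
    findings.push('origin-missing');
    return { origin, allowed: false, findings };
  }

  const stripSlash = (s) => s.replace(/\/+$/, '');
  let allowed = false;
  let nearMiss = false;
  for (const entry of webOrigins) {
    if (entry === '*') {
      allowed = true; // wildcard entry matches every origin
      findings.push('wildcard-origin');
    } else if (entry === origin) {
      allowed = true;
    } else if (stripSlash(entry) === stripSlash(origin)) {
      nearMiss = true; // differs only by a trailing slash
      findings.push('trailing-slash-mismatch:' + entry);
    }
  }
  if (!allowed && !nearMiss) findings.push('no-matching-origin');
  return { origin, allowed, findings };
}

// Constructed sample input: the path is a placeholder, the query string mirrors
// the parameters visible in the question.
const SAMPLE_URL = '/placeholder/path?client_id=web-portal' +
  '&origin=http%3A%2F%2Flocalhost%3A8080&session_state=undefined';

for (const origins of [['http://localhost:8080/'], ['http://localhost:8080'], ['*']]) {
  console.log(JSON.stringify(origins), diagnoseIframeCheck(SAMPLE_URL, origins));
}
```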