Keycloak login succeeds but redirect fails

I'm running a Keycloak IdP system, based on Docker Compose. The goal is to use that SSO service to log in to some WordPress sites that have the OpenID Connect Generic plugin installed.

The problem is that after submitting the login form provided by Keycloak, the visitor is not redirected to the right page of the client WP site. Instead, a "page not found" message is displayed immediately. However, after hitting the back button of the browser and returning to the origin URL, you find out that the session was initiated, and the user is logged in. In other words, login succeeds but redirect fails.

The URL that generates the 404 error looks like:

```
https://sso.mydomain.com/realms/test-realm/protocol/openid-connect/a8bf9bca-ea1d-4880-a7df-abe8c8a9d9e9
```

I'm using Nginx Proxy Manager in front of my containers.

This is what I've checked during troubleshooting:

- Client and realm settings on Keycloak are OK, including allowed redirect URIs (wildcards used to be sure)
- Connectivity between containers seems OK (ping, DNS resolution and so on)
- Logs reveal the 404 error after login, but are not useful to further diagnose the problem:

```
2024-08-23 16:08:26,977 DEBUG [org.keycloak.events] (executor-thread-31) type="LOGIN", realmId="980624ca-fffb-4c23-b834-aab39e2b9f33", realmName="test-realm", clientId="test-wordpress", userId="3f1fea43-252a-4516-b31e-f8494c1eb2cb", sessionId="3e70e986-9c97-45a1-8b4e-4f54b5ffff07", ipAddress="1.2.3.4", auth_method="openid-connect", auth_type="code", response_type="code", redirect_uri="https://mywpsite.com/wp-admin/admin-ajax.php?action=openid-connect-authorize", consent="no_consent_required", code_id="3e70e986-9c97-45a1-8b4e-4f54b5ffff07", username="tester@nomail.com", response_mode="query", authSessionParentId="3e70e986-9c97-45a1-8b4e-4f54b5ffff07", authSessionTabId="ihbb-p6__b0"
2024-08-23 16:08:28,033 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-31) new JtaTransactionWrapper
2024-08-23 16:08:28,033 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-31) was existing? false
2024-08-23 16:08:28,034 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-31) Recalculated absoluteURI to https://sso.mydomain.com/realms/test-realm/protocol/openid-connect/token
2024-08-23 16:08:28,036 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-31) AUTHENTICATE CLIENT
2024-08-23 16:08:28,036 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-31) client authenticator: client-secret
2024-08-23 16:08:28,036 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-31) client authenticator SUCCESS: client-secret
2024-08-23 16:08:28,036 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-31) Client test-wordpress authenticated by client-secret
2024-08-23 16:08:28,063 DEBUG [org.hibernate.internal.util.EntityPrinter] (executor-thread-31) org.keycloak.models.jpa.session.PersistentClientSessionEntity{data={"authMethod":"openid-connect","redirectUri":"https://mywpsite.com/wp-admin/admin-ajax.php?action=openid-connect-authorize","notes":{"clientId":"aac286a8-f85b-49a5-a1db-91bd57cd65f5","scope":"email profile openid offline_access","userSessionStartedAt":"1724429306","iss":"https://sso.mydomain.com/realms/test-realm","startedAt":"1724429306","response_type":"code","level-of-authentication":"-1","redirect_uri":"https://mywpsite.com/wp-admin/admin-ajax.php?action=openid-connect-authorize","state":"1a1a903e331296f20dacbe7222da1f72"}}, version=0, timestamp=1724429308}
2024-08-23 16:08:28,063 DEBUG [org.hibernate.internal.util.EntityPrinter] (executor-thread-31) org.keycloak.models.jpa.session.PersistentUserSessionEntity{realmId=980624ca-fffb-4c23-b834-aab39e2b9f33, data={"ipAddress":"1.2.3.4","authMethod":"openid-connect","rememberMe":false,"started":0,"notes":{"KC_DEVICE_NOTE":"eyJpcEFkZHJlc3MiOiIxODEuNTguMzkuMTY4Iiwib3MiOiJXaW5kb3dzIiwib3NWZXJzaW9uIjoiMTAiLCJicm93c2VyIjoiRmlyZWZveC8xMjkuMCIsImRldmljZSI6Ik90aGVyIiwibGFzdEFjY2VzcyI6MCwibW9iaWxlIjpmYWxzZX0=","AUTH_TIME":"1724429306","authenticators-completed":"{"5bf5dc97-65e1-4941-b8ba-8c36cc5c2f76":1724429306}"},"state":"LOGGED_IN"}, brokerSessionId=null, createdOn=1724429306, lastSessionRefresh=1724429308, userId=3f1fea43-252a-4516-b31e-f8494c1eb2cb, version=0}
2024-08-23 16:08:28,064 DEBUG [org.hibernate.SQL] (executor-thread-31) insert into public.OFFLINE_USER_SESSION (BROKER_SESSION_ID,CREATED_ON,DATA,LAST_SESSION_REFRESH,REALM_ID,USER_ID,version,OFFLINE_FLAG,USER_SESSION_ID) values (?,?,?,?,?,?,?,?,?)
2024-08-23 16:08:28,122 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-31) Recalculated absoluteURI to https://sso.mydomain.com/realms/test-realm/protocol/openid-connect/3e70e986-9c97-45a1-8b4e-4f54b5ffff07
2024-08-23 16:08:28,122 DEBUG [WebApplicationException] (executor-thread-31) Restarting handler chain for exception exception: jakarta.ws.rs.WebApplicationException: HTTP 404 Not Found
    at org.jboss.resteasy.reactive.server.handlers.ResourceLocatorHandler.handle(ResourceLocatorHandler.java:79)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
2024-08-23 16:08:28,123 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-31) Error response 404: jakarta.ws.rs.WebApplicationException: HTTP 404 Not Found
    at org.jboss.resteasy.reactive.server.handlers.ResourceLocatorHandler.handle(ResourceLocatorHandler.java:79)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
```

This is the docker-compose file for the Keycloak service:

```yaml
version: '3'

volumes:
  postgres_data:
    driver: local

services:
  postgres:
    container_name: keycloak-postgres
    image: postgres:latest
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: 123456
    healthcheck:
      test: "exit 0"
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak
    command: ["start-dev", "--http-port=8088"]
    environment:
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_URL_DATABASE: keycloak
      KC_DB_PASSWORD: 123456
      KC_DB_USERNAME: keycloak
      KC_DB_SCHEMA: public
      KC_LOG_LEVEL: debug # Use "debug" for troubleshooting
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: secret
      KC_HTTP_PORT: 8088 # Change default port here if needed
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTP_ENABLED: "true"
      KC_PROXY: edge # Used to make it work with Nginx reverse proxy
      KC_HOSTNAME: "sso.mydomain.com"
      KEYCLOAK_FRONTEND_URL: "https://sso.mydomain.com"
    volumes:
      - ./themes:/opt/keycloak/themes
    ports:
      - 8088:8088 # Port 8080 was unavailable
    depends_on:
      postgres:
        condition: service_healthy
```

Thanks for your suggestions :)
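A triage pass over a debug log like the one in the question, as an added example that is not part of the original post: it flags requests to paths under `/protocol/openid-connect/` that are not real endpoints and checks whether the stray path segment is a session id from an earlier `LOGIN` event. The function name `triage`, the `KNOWN_ENDPOINTS` list (partial) and the shortened `SAMPLE` lines are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Well-known endpoints under /realms/<realm>/protocol/openid-connect/
# (partial list, an assumption of this example; extend as needed).
KNOWN_ENDPOINTS = {"auth", "token", "token/introspect", "userinfo",
                   "logout", "certs", "revoke"}
URI_RE = re.compile(r"Recalculated absoluteURI to (\S+)")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
OIDC_RE = re.compile(r"^/realms/([^/]+)/protocol/openid-connect/(.*)$")

# Constructed sample: three lines shortened from the debug log in the post.
SAMPLE = [
    '2024-08-23 16:08:26,977 DEBUG [org.keycloak.events] (executor-thread-31) type="LOGIN", '
    'realmName="test-realm", clientId="test-wordpress", sessionId="3e70e986-9c97-45a1-8b4e-4f54b5ffff07"',
    '2024-08-23 16:08:28,034 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-31) '
    'Recalculated absoluteURI to https://sso.mydomain.com/realms/test-realm/protocol/openid-connect/token',
    '2024-08-23 16:08:28,122 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-31) '
    'Recalculated absoluteURI to https://sso.mydomain.com/realms/test-realm/protocol/openid-connect/'
    '3e70e986-9c97-45a1-8b4e-4f54b5ffff07',
]

def triage(log_lines):
    """Return one finding per request that targets an unknown OIDC endpoint."""
    sessions = {}  # sessionId -> clientId, collected from LOGIN events
    findings = []
    for line in log_lines:
        if 'type="LOGIN"' in line:
            event = dict(KV_RE.findall(line))
            sessions[event.get("sessionId")] = event.get("clientId")
            continue
        uri = URI_RE.search(line)
        path = OIDC_RE.match(urlsplit(uri.group(1)).path) if uri else None
        if not path:
            continue
        realm, endpoint = path.group(1), path.group(2).rstrip("/")
        if endpoint in KNOWN_ENDPOINTS:
            continue
        findings.append({
            "realm": realm,
            "endpoint": endpoint,
            # True when the stray segment equals a session id from a LOGIN event
            "is_session_id": endpoint in sessions,
            "client": sessions.get(endpoint),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `is_session_id` set means the 404 request was built from a session id Keycloak had just issued, so the client's endpoint URLs are the next thing to compare against the realm's `.well-known/openid-configuration` document.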
