With the “keycloak” provider cookie-refresh does not work #501
Comments
The keycloak provider does not currently store refresh tokens in the session state and therefore cannot be used with session refreshing. However, you should be able to use the OIDC provider with Keycloak instead, there have been several discussions related to this (e.g. #479) already, please let me know if you have any reason you cannot use the OIDC provider as is
Thanks a lot for your prompt response! I can use the OIDC provider as an alternative. Until #479 has been resolved, users might appreciate finding this limitation mentioned in the documentation.
Yeah we should put this in the docs, until that happens, hopefully users will find this issue and see our conversation
@devopsix are you able to open a PR to help us with our docs?
PR #543 created.
It turned out that the OIDC provider does not work as an alternative for me. As far as I understand, the OIDC provider does not have a configuration option equivalent to
We should aim, long term, to unify these codebases and have a single
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Still relevant. PR #543 has a pending code owner review.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
With the “keycloak” provider the cookie-refresh feature does not work. Instead of using the refresh token for acquiring a new access token in the background, the user is redirected to Keycloak.
Expected Behavior
Given a web page which is protected by OAuth2 Proxy configured to use Keycloak as the identity provider
and given a user has authenticated and has loaded the page
when the user reloads the page after the cookie-refresh duration is over and before the cookie-expire period is over
then the page should reload without any redirection occurring.
Current Behavior
Given the same as above
when the same as above
then the user is redirected to the Keycloak authentication endpoint, is automatically authenticated there by his SSO cookie, is redirected to the proxy's callback URL and is then redirected to the actual page.
Steps to Reproduce
Given the attached docker-compose.yml file: docker-compose up -d.
http://localhost:8080/auth/admin in web browser and log in as user “keycloak” with password “keycloak”.
realm-export.json.
http://localhost:8081 in web browser.
Context
While this does not make much of a difference for loading a frontend page, it is an issue for background XHR requests in single-page apps.
With the “oidc” provider configured to use the same Keycloak instance as the identity provider cookie-refresh does work as expected. Try with http://localhost:8082.
Excerpt from OAuth2 Proxy log with “keycloak” provider:
Excerpt from OAuth2 Proxy log with “oidc” provider:
Environment
See docker-compose.xml and realm-export.json in keycloak-oauth2-proxy-example.zip.
Version used: v5.1.0
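The expected and current behaviour reported in this issue, as a simplified model added here (not OAuth2 Proxy's own code): once the cookie-refresh period has passed, a session without a stored refresh token can only be renewed by redirecting to Keycloak. The type, function and constant names are hypothetical, and the timestamps, durations and token value are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Session is a hypothetical, simplified stand-in for the proxy's session state.
type Session struct {
	CreatedAt    time.Time
	RefreshToken string // empty when the provider does not store one
}

type Action string

const (
	Serve         Action = "serve from cookie"
	SilentRefresh Action = "refresh in background"
	RedirectToIdP Action = "redirect to Keycloak"
)

// Decide models what the issue describes for a request arriving at time now.
func Decide(s Session, now time.Time, cookieRefresh, cookieExpire time.Duration) Action {
	age := now.Sub(s.CreatedAt)
	switch {
	case age >= cookieExpire:
		return RedirectToIdP // cookie expired: new login flow for every provider
	case cookieRefresh == 0 || age < cookieRefresh:
		return Serve // refresh disabled or not yet due
	case s.RefreshToken != "":
		return SilentRefresh // expected behaviour: no redirect
	default:
		return RedirectToIdP // reported behaviour: nothing to refresh with
	}
}

func main() {
	created := time.Date(2020, 4, 1, 12, 0, 0, 0, time.UTC) // constructed sample values
	refresh, expire := time.Minute, time.Hour
	sessions := map[string]Session{
		"keycloak": {CreatedAt: created},
		"oidc":     {CreatedAt: created, RefreshToken: "constructed-refresh-token"},
	}
	for _, name := range []string{"keycloak", "oidc"} {
		for _, offset := range []time.Duration{30 * time.Second, 2 * time.Minute, 2 * time.Hour} {
			fmt.Printf("%-8s +%-6v %s\n", name, offset, Decide(sessions[name], created.Add(offset), refresh, expire))
		}
	}
}
```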