Login redirect loop when running behind reverse-proxy #42999

ArthurAttout · 2025-09-26T14:39:04Z

ArthurAttout
Sep 26, 2025

Before reporting an issue

I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

login/ui

Describe the bug

When trying to log in with the bootstrap admin credentials into an instance of keycloak served behind an Apache2 reverse proxy, the login portal will enter a redirection loop after the credentials have been entered.

The following loop occurs :

The keycloak logs spam the line :

keycloak           | 2025-09-26 14:25:28,118 WARN  [org.keycloak.events] (executor-thread-7) type="REFRESH_TOKEN_ERROR", realmId="ccf276a9-e2ef-4e12-8071-1a563045c3dc", realmName="master", clientId="security-admin-console", userId="null", ipAddress="10.17.130.252", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
keycloak           | 2025-09-26 14:25:28,858 WARN  [org.keycloak.events] (executor-thread-9) type="REFRESH_TOKEN_ERROR", realmId="ccf276a9-e2ef-4e12-8071-1a563045c3dc", realmName="master", clientId="security-admin-console", userId="null", ipAddress="10.17.130.252", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
keycloak           | 2025-09-26 14:25:29,521 WARN  [org.keycloak.events] (executor-thread-7) type="REFRESH_TOKEN_ERROR", realmId="ccf276a9-e2ef-4e12-8071-1a563045c3dc", realmName="master", clientId="security-admin-console", userId="null", ipAddress="10.17.130.252", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"

The login portal performed the following request, which resulted in a HTTP 400 :

fetch("https://<REDACTED>/keycloak/realms/master/protocol/openid-connect/token", {
  "headers": {
    "accept": "*/*",
    "accept-language": "fr-FR,fr;q=0.9",
    "cache-control": "no-cache",
    "content-type": "application/x-www-form-urlencoded",
    "pragma": "no-cache",
    "sec-ch-ua": "\"Not;A=Brand\";v=\"99\", \"Google Chrome\";v=\"139\", \"Chromium\";v=\"139\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin"
  },
  "body": "grant_type=refresh_token&refresh_token=undefined&client_id=security-admin-console",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Version

quay.io/keycloak/keycloak:26.3.5

Regression

The issue is a regression

Expected behavior

Entering the bootstrap credentials should open the administration console.

Actual behavior

A login redirect loop occurs.

How to Reproduce?

Using the following Apache2 reverse proxy conf

<VirtualHost *:80>

	LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www

	# enable SSL
	#SSLEngine on
	#SSLCertificateFile /etc/ssl/certs/server.crt
	#SSLCertificateKeyFile /etc/ssl/private/server.key
	#SSLCertificateChainFile /etc/ssl/certs/server_chain.pem

	#enable logging
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# Configure Reverse Proxy entries
	ProxyPreserveHost On
	RewriteEngine On
		
	 <Location /keycloak>
		RequestHeader set X-Forwarded-Proto "https"
		RequestHeader set X-Forwarded-Host "<REDACTED>"
		RequestHeader set X-Forwarded-Port "443"
		ProxyPass http://keycloak:8080/keycloak/
		ProxyPassReverse http://keycloak:8080/keycloak/
	 </Location>

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And the following docker-compose.yml for Keycloak

services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.3.5
    container_name: keycloak
    environment:
      - KC_HOST=<REDACTED>
      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
      - KC_DB=postgres
      - KC_DB_USERNAME=keycloak
      - KC_DB_PASSWORD=keycloak
      - KC_DB_URL_HOST=postgres-keycloak
      - KC_HOSTNAME_STRICT=false
      - KC_HTTP_RELATIVE_PATH=/keycloak
      - KC_HTTP_ENABLED=true #encryption handled by reverse proxy
      #- PROXY_ADDRESS_FORWARDING=true
      - KC_PROXY_HEADERS=xforwarded
      #- KC_PROXY=edge
    command: start-dev


  db:
    image: postgres
    container_name: postgres-keycloak
    restart: always
    shm_size: 128mb
    environment:
      - POSTGRES_PASSWORD=keycloak
      - POSTGRES_USER=keycloak

networks:
  default:
    name: onviacab-network
    external: true

Anything else?

The request to /token which returns 400 is suspicious to me. Using undefined seems odd. However I have absolutely no idea how to track this bug.

The only additional info in the browser console is
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.

Answered by shawkins

Sep 29, 2025

Your situation and the screen cap of the request sequence seems similar to #40111 - can you double check if anything is causing keycloak cookies to be lost?

View full answer

shawkins · 2025-09-26T15:21:02Z

shawkins
Sep 26, 2025
Collaborator

Moved to a discussion initially. In most instances something with this description is due to the proxy configuration.

The relevant settings on the Keycloak side:

KC_HOSTNAME_STRICT=false
KC_HTTP_RELATIVE_PATH=/keycloak
KC_HTTP_ENABLED=true #encryption handled by reverse proxy
KC_PROXY_HEADERS=xforwarded

Indicate you are in an edge mode, and there is no fixed Keycloak hostname - which is not recommended.

Using the following Apache2 reverse proxy conf

I don't see encryption being handled by the proxy. That config snippet is showing the port 80 http configuration - but is setting forwarded headers as if the request is coming from https / 443. You should issue a redirect instead.

3 replies

ArthurAttout Sep 29, 2025
Author

I should have specified that my Apache2 server is already behind a load balancer that decrypts SSL communications for me. I'm only handling pure HTTP at my level. I don't manage that load balancer, although I can ensure that Keycloak receives the X-Forwarded-* HTTP headers

shawkins Sep 29, 2025
Collaborator

Have you used hostname-debug to double check what is being seen by the Keycloak server?

ArthurAttout Sep 29, 2025
Author

Yes, retrieved from https://redacted.hostname.hub/keycloak/realms/master/hostname-debug, and everything looks fine to me

URL	Value
Request	https://redacted.hostname.hub/keycloak/realms/master/hostname-debug
Frontend	https://redacted.hostname.hub/keycloak [OK]
Backend	https://redacted.hostname.hub/keycloak/ [OK]
Admin	https://redacted.hostname.hub/keycloak [OK]
Runtime	Value
Server mode	dev [start-dev]
Realm	master
Hostname SPI implementation	V2
Configuration property	Value
hostname	https://redacted.hostname.hub/keycloak
hostname-backchannel-dynamic	true
hostname-strict	false
proxy-headers	xforwarded
http-enabled	true
http-relative-path	/keycloak
http-port	8080
https-port	8443
Header	Value
Host	redacted.hostname.hub
X-Forwarded-For	10.77.111.240, 10.242.23.27
X-Forwarded-Host	redacted.hostname.hub
X-Forwarded-Proto	https

shawkins · 2025-09-29T12:14:26Z

shawkins
Sep 29, 2025
Collaborator

Your situation and the screen cap of the request sequence seems similar to #40111 - can you double check if anything is causing keycloak cookies to be lost?

2 replies

ArthurAttout Sep 29, 2025
Author

According to #40111, the issue disappeared after removing the HttpOnly attribute from the cookies stored for Keycloak.
The browser cookie inspector shows they are all HttpOnly. So Javascript cannot access them (which I suppose is a problem).

It looks like my issue is upstream. Will keep you updated if it's related to the Keycloak config in any means.

ArthurAttout Oct 2, 2025
Author

I confirm this was due to a server somewhere in my upstream, setting an HttpOnly attribute to every Set-Cookie header.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Login redirect loop when running behind reverse-proxy #42999

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 5 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Login redirect loop when running behind reverse-proxy #42999

Uh oh!

ArthurAttout Sep 26, 2025

Before reporting an issue

Area

Describe the bug

Version

Regression

Expected behavior

Actual behavior

How to Reproduce?

Anything else?

Replies: 2 comments · 5 replies

Uh oh!

shawkins Sep 26, 2025 Collaborator

Uh oh!

ArthurAttout Sep 29, 2025 Author

Uh oh!

shawkins Sep 29, 2025 Collaborator

Uh oh!

ArthurAttout Sep 29, 2025 Author

Uh oh!

shawkins Sep 29, 2025 Collaborator

Uh oh!

ArthurAttout Sep 29, 2025 Author

Uh oh!

ArthurAttout Oct 2, 2025 Author

ArthurAttout
Sep 26, 2025

Replies: 2 comments 5 replies

shawkins
Sep 26, 2025
Collaborator

ArthurAttout Sep 29, 2025
Author

shawkins Sep 29, 2025
Collaborator

ArthurAttout Sep 29, 2025
Author

shawkins
Sep 29, 2025
Collaborator

ArthurAttout Sep 29, 2025
Author

ArthurAttout Oct 2, 2025
Author