Redirection to /auth_error by keycloak despite being logged in. #526

Open
Qnouro opened this issue Sep 17, 2024 · 0 comments


Qnouro commented Sep 17, 2024

Hello,

Context

We have a shinyproxy instance running alongside a keycloak instance. Sometimes (not always), when a user connects (successfully), they get redirected to the /auth_error page. Refreshing or clicking on "Go back to the main page" redirects them to the shinyproxy homepage.

We aren't certain but we suspect that we may have a redirect loop as referred to in the documentation: https://www.shinyproxy.io/documentation/troubleshooting/#my-browser-reports-a-redirect-loop-when-using-openid-connect.

Shinyproxy version: 3.1.1 (we had the same issue in 3.1.0)

Logs:

Keycloak log:


2024-09-17 08:05:12,154 WARN  [org.keycloak.events] (executor-thread-632) type="RESTART_AUTHENTICATION_ERROR", realmId="my_realm_id", realmName="my_realm", clientId="shinyproxy", userId="null", ipAddress="10.0.0.2", error="already_logged_in", response_type="code", redirect_uri="https://my_app.com/login/oauth2/code/shinyproxy", redirected_to_client="true", response_mode="query"

Shinyproxy log:


2024-09-17T08:05:07.604573918Z INFO Initializing Spring DispatcherServlet 'dispatcherServlet' | @timestamp=2024-09-17T08:05:07.604190001Z @version=1 logger_name=io.undertow.servlet thread_name=XNIO-1 task-2 level_value=20000
 
2024-09-17T08:05:07.604765895Z INFO Initializing Servlet 'dispatcherServlet' | @timestamp=2024-09-17T08:05:07.604677388Z @version=1 logger_name=o.s.web.servlet.DispatcherServlet thread_name=XNIO-1 task-2 level_value=20000
 
2024-09-17T08:05:07.606882550Z INFO Completed initialization in 2 ms | @timestamp=2024-09-17T08:05:07.606776342Z @version=1 logger_name=o.s.web.servlet.DispatcherServlet thread_name=XNIO-1 task-2 level_value=20000
 
2024-09-17T08:05:11.947004461Z INFO User logged in [user: my_username] | @timestamp=2024-09-17T08:05:11.946803639Z @version=1 logger_name=e.o.containerproxy.service.UserService thread_name=XNIO-1 task-2 level_value=20000
 
2024-09-17T08:05:12.169331558Z ERROR org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found] | @timestamp=2024-09-17T08:05:12.169103017Z @version=1 logger_name=e.o.c.a.impl.OpenIDAuthenticationBackend thread_name=XNIO-1 task-3 level_value=40000

How to reproduce

The error is hard to reproduce and, in the same conditions, doesn't always happen.

It however seems to happen in the following scenario:

  • User has been logged in and is using an app hosted on shinyproxy

  • Day is over and the user hasn't explicitly clicked on "logout". Browser gets closed + PC shut down

  • The following day the user logs into my_app.com

  • The user is redirected to the login page and they enter their credentials

  • They get redirected to the /auth_error page.

Please note that when clicking on "Go back to the main page", the user is redirected to the homepage and is effectively already logged in. We can also see in the shinyproxy logs that the user has been logged in before the error is raised (instantly afterwards).

Potential tracks

Some tracks we have:

  • The token lifespans are mismatched between the configurations of keycloak and shinyproxy:

    • We couldn't detect anything wrong with the tokens

    • We had this problem with and without redis so it doesn't seem related to that either.

  • We have considered implementing an NGinx server (as it was done here: Shinyproxy landing on /error with 200 OK status code after login #166) to handle the "already_logged_in" and throw a 200 OK instead of an error (since there is no problem in the authentication flow).

    • This however seems overkill and we would prefer to avoid it.

Configurations

Shinyproxy

applications.yml:

logging:
  file:
    name: /var/log/shinyproxy.log
usage-stats-url: micrometer
management:
  prometheus:
    metrics:
      export:
        enabled: true
 
spring:
  session:
    store-type: redis
  data:
    redis:
      host: redis
      password: my_redis_password
 
server:
  forward-headers-strategy: native
  frame-options: sameorigin
  secure-cookies: true
  servlet:
    session:
      timeout: -1
 
proxy:
  store-mode: Redis
  stop-proxies-on-shutdown: false
  log-as-json: true
  admin-groups:
  - shinyproxy_admin
  container-backend: docker
  container-wait-time: 60000
  docker:
    container-network: shinyproxy_network
    internal-networking: true
    image-pull-policy: always
    privileged: false
    service-wait-time: 120000
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  logo-url: https://www.openanalytics.eu/shinyproxy/logo.png
  landing-page: /
  title: Applications
  hide-navbar: false
  port: 8080
  usage-stats-micrometer-prefix: shinyproxy
  usage-stats-url: micrometer
  authentication: openid
  openid:
    auth-url: https://my_sso.com/realms/my_realm/protocol/openid-connect/auth
    token-url: https://my_sso.com/realms/my_realm/protocol/openid-connect/token
    jwks-url: https://my_sso.com/realms/my_realm/protocol/openid-connect/certs
    client-id: my_keycloak_client_id
    client-secret: my_keycloak_client_secret
    logout-url: https://my_sso.com/realms/my_realm/protocol/openid-connect/logout?id_token_hint=#{oidcUser.idToken.tokenValue}&returnTo=https%3A%2F%2Fmy_app.com/logout-success
    username-attribute: preferred_username
    roles-claim: groups

Keycloak

Keycloak realm settings that may be related/interesting:

  • Access settings:

    • Valid redirect URIs: https://my_app.com/*
    • Valid post logout redirect URIs: https://my_app.com/logout-success
    • Authentication flow: Standard flow + implicit flow + direct access grants
  • Sessions:

    • SSO session idle: 30 min
    • SSO session max: 10 h
    • Login timeout: 30 min
    • Login action timeout: 5 min
  • Tokens:

    • OAuth 2.0 Device Code Lifespan: 10 min
    • OAuth 2.0 Device Polling Interval: 5
    • Lifetime of the request URI for pushed authorization request: 1 min
    • Revoke refresh token: Disabled
    • Access token lifespan: 5 min
    • Access token lifespan for implicit flow: 15 min
    • Client login timeout: 1 min
    • User-initiated action lifespan: 5 min

Thank you in advance for your help and time!

Nour
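The `authorization_request_not_found` error in the ShinyProxy log above is the relying party refusing to finish a login it has no record of starting: the `state` returned in the callback is matched against the authorization request saved in the user's server-side session, and that check is what ties the authorization code to the browser that asked for it (the CSRF and code-injection protection of the authorization-code flow). The following is an added teaching model, not ShinyProxy, Spring Security or Keycloak code, with constructed session ids, user names and a hypothetical 30-minute idle timeout. It shows the situations in which that match fails: the callback is replayed after its `state` was already consumed by an earlier callback, the callback arrives on a session that never started a login, or the session that started it has expired or been evicted from the store.

```python
"""Model of a relying party's authorization-code callback handling.

Constructed teaching example, not ShinyProxy, Spring Security or Keycloak code.
It shows when the RP cannot match a callback to a pending authorization
request and must reject it ("authorization_request_not_found").
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_IDLE_SECONDS = 1800  # assumed RP session idle timeout (30 min)


@dataclass
class Session:
    """Server-side session identified by the browser's session cookie."""
    pending: Dict[str, str] = field(default_factory=dict)  # state -> nonce
    last_seen: float = 0.0
    user: Optional[str] = None


class ToyIdP:
    """Minimal stand-in for the identity provider: issues one-time codes."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def authorize(self, user: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return code

    def exchange(self, code: str) -> Optional[str]:
        return self.codes.pop(code, None)  # a code is redeemable once


class RelyingParty:
    def __init__(self, idp: ToyIdP) -> None:
        self.idp = idp
        self.sessions: Dict[str, Session] = {}

    def start_login(self, session_id: str, now: float) -> str:
        """Record a pending request bound to the session; return its state."""
        sess = self.sessions.setdefault(session_id, Session())
        sess.last_seen = now
        state = secrets.token_urlsafe(32)
        sess.pending[state] = secrets.token_urlsafe(16)  # nonce kept alongside
        return state

    def handle_callback(self, session_id: str, state: str, code: str, now: float) -> str:
        sess = self.sessions.get(session_id)
        if sess is None or now - sess.last_seen > SESSION_IDLE_SECONDS:
            # Cookie/session gone or evicted: no record of ever asking the IdP.
            self.sessions.pop(session_id, None)
            return "authorization_request_not_found"
        if sess.pending.pop(state, None) is None:
            # Unknown state, or already consumed by an earlier callback.
            return "authorization_request_not_found"
        user = self.idp.exchange(code)
        if user is None:
            return "invalid_grant"
        sess.user = user
        sess.last_seen = now
        return "ok"


def run_scenarios() -> Dict[str, str]:
    """Drive the model through the cases that produce the error."""
    idp = ToyIdP()
    rp = RelyingParty(idp)
    results: Dict[str, str] = {}

    # 1. Normal login: state issued, callback returns with a fresh code.
    state = rp.start_login("cookie-A", now=0)
    results["normal"] = rp.handle_callback("cookie-A", state, idp.authorize("alice"), now=5)
    results["user"] = rp.sessions["cookie-A"].user or ""

    # 2. The same callback is delivered again: the state was already consumed.
    results["replay"] = rp.handle_callback("cookie-A", state, idp.authorize("alice"), now=6)

    # 3. Callback on a session that never started a login (e.g. a bookmarked URL).
    results["no_request"] = rp.handle_callback("cookie-B", "some-state", idp.authorize("bob"), now=7)

    # 4. Login started, but the session idled out before the callback arrived.
    stale = rp.start_login("cookie-C", now=100)
    results["expired"] = rp.handle_callback("cookie-C", stale, idp.authorize("carol"), now=2000)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Each rejection is deliberate: the RP cannot tell a late or duplicated callback from the original browser apart from an injected one, so it fails closed. The error page is therefore the visible symptom, and masking it at a reverse proxy (answering 200 OK as considered above) would hide the check without removing the cause; the useful fix is on the side that produces the unmatched callback, such as an extra login round-trip or a session that did not survive until the callback.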
