identity provider between 2 KC fails: 502 Bad gateway, ArrayIndexOutOfBoundsException


pham lan

Dec 4, 2022, 2:54:19 AM
to Keycloak User

Hello,

I have 2 separate KC (v19.0.3) VMs, each behind a reverse proxy. I configured KC2 as an OIDC identity provider for KC1. When I try to log into the account console from KC1, it gives me the option to authenticate using KC1. After I type in the correct username/password, I got the error: Unexpected error when authenticating with identity provider.

In the browser inspector, it gave a 502 Bad Gateway error. I did a curl test, and KC1 and KC2 can reach each other from the public URL.
I can see on KC1 that the session for this user exists. It looks like only the redirection from KC2 back to KC1 fails.
On each KC, I configured a proxy for outgoing connections:
spi-connections-http-client-default-proxy-mappings=http://PROXY_IP:8080

In the KC1 log, I found this error:
2022-12-04 07:58:06,872 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-0) Failed to make identity provider oauth callback: java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
at org.keycloak.connections.httpclient.ProxyMappings$ProxyMapping.valueOf(ProxyMappings.java:224)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
at org.keycloak.connections.httpclient.ProxyMappings.valueOf(ProxyMappings.java:79)
at org.keycloak.connections.httpclient.ProxyMappings.valueOf(ProxyMappings.java:98)
at org.keycloak.connections.httpclient.DefaultHttpClientFactory.lazyInit(DefaultHttpClientFactory.java:165)
at org.keycloak.connections.httpclient.DefaultHttpClientFactory.create(DefaultHttpClientFactory.java:80)
at org.keycloak.connections.httpclient.DefaultHttpClientFactory.create(DefaultHttpClientFactory.java:66)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:270)
at jdk.internal.reflect.GeneratedMethodAccessor34.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:166)
at com.sun.proxy.$Proxy51.getProvider(Unknown Source)

Does anyone have an idea what might be wrong here?

Thanks,
Lan

Johannes Reppin

Dec 5, 2022, 5:27:37 AM
to Keycloak User
Hi,
the only time I've encountered anything similar (Nginx 502) was when `proxy_buffer_size` was too small.
The default is 8k afaik, so change it to something higher, even 16k should be enough.
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
I encountered this issue in a Kubernetes Ingress Nginx situation but the problem sounds similar enough to give it a try.
Cheers,
Johannes

Arulaln A R

Dec 5, 2022, 9:29:13 AM
to Johannes Reppin, Keycloak User
I agree with Johannes. Yes, we also faced this type of proxy buffer issue. Upon increasing, it started working again.
I would suggest tracing the nginx logs when the error occurs. It will give a clearer idea about the error.
Below are the nginx configuration settings which we have added:
proxy_busy_buffers_size   512k;
proxy_buffers   8 512k;
proxy_buffer_size   256k;

--
Regards,
Arulaln A R
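
Added example, not part of any post in this thread and not Keycloak code: the trace in the first post fails in `ProxyMappings$ProxyMapping.valueOf` reading index 1 of a one-element array, and Keycloak's documentation describes each proxy-mappings entry as `hostnamePattern;proxyUri` (with `NO_PROXY` allowed as the second field), a form the configured value `http://PROXY_IP:8080` does not have. The checker below lints single entries against that form; the function names, the sample entries other than the thread's value, and the use of Python's regex engine in place of Java's are assumptions.

```python
import re
from urllib.parse import urlsplit

def check_proxy_mapping(entry):
    """Return a list of problems for one mapping entry; an empty list means OK."""
    fields = entry.strip().split(";")
    if len(fields) != 2:
        # A value with no ';' yields one field, so there is no element at
        # index 1 to read as the proxy URI.
        return [f"expected 'hostnamePattern;proxyUri', found {len(fields)} field(s)"]
    pattern, proxy = (f.strip() for f in fields)
    problems = []
    if not pattern:
        problems.append("hostname pattern is empty")
    try:
        re.compile(pattern)  # assumption: Python's regex stands in for Java's
    except re.error as exc:
        problems.append(f"hostname pattern is not a valid regex: {exc}")
    if proxy != "NO_PROXY":
        url = urlsplit(proxy)
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append(f"proxy URI {proxy!r} is neither an http(s) URL nor NO_PROXY")
    return problems

def lint(entries):
    """Map each entry to its problems, keeping only the entries that have any."""
    return {e: p for e in entries if (p := check_proxy_mapping(e))}

# Constructed samples; only the first is the value quoted in the thread.
SAMPLES = [
    "http://PROXY_IP:8080",             # no hostname pattern, no ';'
    ".*;http://PROXY_IP:8080",          # catch-all pattern, then the proxy
    r".*\.internal\.example;NO_PROXY",  # hosts reached directly
    ".*;PROXY_IP:8080",                 # proxy URI without a scheme
    "(;http://PROXY_IP:8080",           # unbalanced group in the pattern
]

if __name__ == "__main__":
    for entry, problems in lint(SAMPLES).items():
        print(f"{entry!r}: {'; '.join(problems)}")
```

Splitting a multi-entry list into single entries is left out here; pass each entry to `check_proxy_mapping` on its own.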