Problems using Keycloak with an AWS Application Load Balancer


Brian Levine

Dec 8, 2021, 9:22:53 AM
to Keycloak User
I've set up an Application Load Balancer with a rule that authenticates via OIDC using Keycloak. When I hit the protected route, I'm correctly redirected to Keycloak, but when I authenticate, I get an HTTP 561 error. According to the AWS docs this indicates that the IdP's token endpoint returned an error. However, I see nothing in the Keycloak server log to indicate what that error is. Looking at posts from years ago, I see that there were some issues integrating ALBs with Keycloak because the ALB was not correctly following the OIDC spec. See: https://lists.jboss.org/pipermail/keycloak-user/2018-July/014731.html
Note that that issue didn't mention a 561 error although the problem was related to the token endpoint.

I don't know whether this issue was ever addressed by Amazon so I'm wondering if any folks have gotten this to work.

dc...@prosentient.com.au

Dec 8, 2021, 5:21:29 PM
to Brian Levine, Keycloak User

How disappointing.


It looks like AWS were made aware of the issue years ago and said they were even fixing it, but it doesn't look like they did: https://forums.aws.amazon.com/thread.jspa?messageID=941082


David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia


Office: 02 9212 0899

Online: 02 8005 0595


Thomas Darimont

Dec 8, 2021, 6:05:37 PM
to dc...@prosentient.com.au, Brian Levine, Keycloak User
Hello David, Hello Brian,

Are you referring to the "token_type" claim of the AccessTokenResponse?

In Keycloak 15.0.2 there is the possibility to adjust the generated AccessTokenResponse with a custom
`org.keycloak.protocol.oidc.mappers.OIDCAccessTokenResponseMapper`. With this you might be able to create a client-specific OIDC ProtocolMapper
that implements the OIDCAccessTokenResponseMapper interface and simply emit the proper token_type value via code like:

```java
AccessTokenResponse res = ...;
res.setTokenType("Bearer");
```

Currently Keycloak returns:
```
...
token_type: "Bearer"
...
```
in the AccessTokenResponse.

What should the value look like to be compatible with AWS?

Cheers,
Thomas
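A concrete shape for the mapper Thomas describes, added here as an illustration; it is not code from this thread or from the Keycloak project. It assumes the Keycloak 15 SPI as I recall it: `OIDCAccessTokenResponseMapper` declares a single `transformAccessTokenResponse(...)` method with the parameters shown, `AbstractOIDCProtocolMapper` supplies the protocol and lifecycle boilerplate, and a mapper is registered by listing its class in `META-INF/services/org.keycloak.protocol.ProtocolMapper`. The package, class name, provider id and config key are made up for the example. Rather than hard-coding `"Bearer"` (which is what Keycloak already emits, so a hard-coded mapper would change nothing), it reads the desired `token_type` from the mapper's own config, so the value can be adjusted per client once the form the ALB actually accepts is known, and it leaves the response untouched when no value is configured.

```java
package example.keycloak.alb; // hypothetical package name for this example

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenResponseMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessTokenResponse;

/**
 * Client-level protocol mapper that rewrites the token_type field of the
 * /token response. Example code, not shipped by Keycloak. The value is read
 * from the mapper's config so it can be tuned per client in the admin console.
 */
public class TokenTypeOverrideMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenResponseMapper {

    // Hypothetical provider id; must be unique among installed mappers.
    public static final String PROVIDER_ID = "example-token-type-override";
    // Hypothetical config key under which the admin console stores the value.
    public static final String CONFIG_TOKEN_TYPE = "token.type.value";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(CONFIG_TOKEN_TYPE);
        p.setLabel("token_type value");
        p.setHelpText("Literal value written to token_type in the access token response.");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        p.setDefaultValue("Bearer");
        CONFIG.add(p);
    }

    @Override
    public String getId() { return PROVIDER_ID; }

    @Override
    public String getDisplayType() { return "Token type override"; }

    @Override
    public String getDisplayCategory() { return "Token mapper"; }

    @Override
    public String getHelpText() {
        return "Overrides token_type in the AccessTokenResponse for relying parties "
             + "that are strict about its exact form.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    public AccessTokenResponse transformAccessTokenResponse(AccessTokenResponse res,
                                                            ProtocolMapperModel mappingModel,
                                                            KeycloakSession session,
                                                            UserSessionModel userSession,
                                                            ClientSessionContext clientSessionCtx) {
        String value = mappingModel.getConfig() == null
                ? null
                : mappingModel.getConfig().get(CONFIG_TOKEN_TYPE);
        // Leave the response exactly as Keycloak built it unless a value is configured;
        // an empty override would otherwise break every client using this mapper.
        if (value != null && !value.trim().isEmpty()) {
            res.setTokenType(value.trim());
        }
        return res;
    }
}
```

To use it, add a file `META-INF/services/org.keycloak.protocol.ProtocolMapper` to the jar containing the line `example.keycloak.alb.TokenTypeOverrideMapper`, deploy the jar as a Keycloak provider, and attach the mapper only to the client the ALB uses, so other clients keep the stock response. Because the mapper only changes how the response is presented, it is worth confirming from the ALB side (AWS support, as Jan suggests below, or the ALB's own logging) which value is being rejected before changing anything in the realm.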


Jan Garaj

Dec 9, 2021, 1:56:41 PM
to Keycloak User
Contact your AWS support first and ask for an explanation. Support has access to the logs, which you as a user don't have. I bet it is only a client config issue. I don't remember any 561 problem when I was using AWS ALB OIDC auth with Keycloak.