This repository has been archived by the owner on Oct 5, 2022. It is now read-only.

Infinite Loop when redirect after login #2

Open
vittoN opened this issue Jun 12, 2018 · 5 comments

vittoN commented Jun 12, 2018

Hi, I am trying to use the Jenkins plugin for Keycloak but am facing the following problem. When I try to log in from Jenkins, it correctly redirects me to the Keycloak login page, but when I enter my credentials I get an endless redirect between Jenkins and Keycloak.

This is what I get from the log:

jenkins-new    | Jun 12, 2018 2:04:27 PM hudson.security.csrf.CrumbFilter doFilter
jenkins-new    | WARNING: No valid crumb was included in request for /auth/realms/demo/protocol/openid-connect/token. Returning 403.
jenkins-new    | Jun 12, 2018 2:04:27 PM org.jenkinsci.plugins.KeycloakSecurityRealm doFinishLogin
jenkins-new    | SEVERE: Authentication Exception 
jenkins-new    | org.keycloak.adapters.ServerRequest$HttpFailure
jenkins-new    | 	at org.keycloak.adapters.ServerRequest.error(ServerRequest.java:288)
jenkins-new    | 	at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:115)
jenkins-new    | 	at org.jenkinsci.plugins.KeycloakSecurityRealm.doFinishLogin(KeycloakSecurityRealm.java:226)
jenkins-new    | 	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
jenkins-new    | 	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
jenkins-new    | 	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
jenkins-new    | 	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
jenkins-new    | 	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
jenkins-new    | 	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
jenkins-new    | 	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
jenkins-new    | 	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
jenkins-new    | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
jenkins-new    | 	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
jenkins-new    | 	at org.jenkinsci.plugins.RefreshFilter.doFilter(RefreshFilter.java:96)
jenkins-new    | 	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
jenkins-new    | 	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:86)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
jenkins-new    | 	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
jenkins-new    | 	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
jenkins-new    | 	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
jenkins-new    | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
jenkins-new    | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
jenkins-new    | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
jenkins-new    | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
jenkins-new    | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
jenkins-new    | 	at org.eclipse.jetty.server.Server.handle(Server.java:564)
jenkins-new    | 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
jenkins-new    | 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
jenkins-new    | 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
jenkins-new    | 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
jenkins-new    | 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
jenkins-new    | 	at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
jenkins-new    | 	at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
jenkins-new    | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
jenkins-new    | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
jenkins-new    | 	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
jenkins-new    | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
jenkins-new    | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
jenkins-new    | 	at java.lang.Thread.run(Thread.java:748)
jenkins-new    | 
jenkins-new    | Jun 12, 2018 2:04:27 PM org.jenkinsci.plugins.KeycloakSecurityRealm doFinishLogin
jenkins-new    | SEVERE: Failure Message<html>
jenkins-new    | <head>
jenkins-new    | <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
jenkins-new    | <title>Error 403 No valid crumb was included in the request</title>
jenkins-new    | </head>
jenkins-new    | <body><h2>HTTP ERROR 403</h2>
jenkins-new    | <p>Problem accessing /auth/realms/demo/protocol/openid-connect/token. Reason:
jenkins-new    | <pre>    No valid crumb was included in the request</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>
jenkins-new    | 
jenkins-new    | </body>
jenkins-new    | </html>
jenkins-new    | 
jenkins-new    | Jun 12, 2018 2:04:27 PM org.jenkinsci.plugins.KeycloakSecurityRealm doFinishLogin
jenkins-new    | SEVERE: Failure HTTP Status403

This is my docker-compose:

jenkins-new:
  image: jenkins/jenkins:2.73.3
  container_name: jenkins-new
  networks:
    app_net:
      ipv4_address: 172.20.0.49
  #restart: always
  ports:
    - "8086:8080"

Here is my Keycloak client configuration:

image

Screenshots of the HTTP requests:

image

image

image

image

Thanks in advance.

@devlauer
Owner

Hi vittoN,

This project is now part of the official Jenkins community and has moved to https://github.com/jenkinsci/keycloak-plugin. It is also part of the official plugin repository / update site jenkins-ci.org, where you can get the current release of this plugin (for more information, have a look at the official wiki page: https://wiki.jenkins.io/display/JENKINS/keycloak-plugin).

The version hosted on my private update site, as described in the readme.md, is quite old and contains an error which can lead to an infinite loop if you use a Keycloak server version newer than 3.0.0.Final. This error was fixed in version 2.0.3 (https://github.com/jenkinsci/keycloak-plugin/blob/master/Changelog.md). The current version of this plugin is 2.2.0. Which plugin version do you use?

The other possible reason for your infinite loop could be an error in your Docker configuration. To process each authentication request, this plugin needs to communicate with your Keycloak server for token validation and user information retrieval. For this, the plugin uses the auth-server-url of your Keycloak JSON configuration. If this URL cannot be resolved/accessed from inside your Jenkins Docker container, the plugin will treat the request as unauthenticated and redirect it to the Keycloak server, which checks the login and redirects again to Jenkins, and so on. So could you please check whether your auth-server-url is reachable from inside your Jenkins Docker container?

Kind Regards


Ilhicas commented Jun 21, 2018

Hello vittoN, I had this issue before as well.

https://issues.jenkins-ci.org/browse/JENKINS-51549

I closed it as, per configuration, I was able to get it to work. However, this doesn't work under SSL with self-signed certificates, and I get the same endless loop. I believe it to be the absence of an option to allow for no-check-certificate, for example, thus entering a loop, as Keycloak will always accept it; however, Jenkins will not give you any errors, just redirect you back to Keycloak, and so on and so forth.

I've closed that issue at the moment, but I believe this one should be kept open, or the other one in Jira reopened, so this can be attended to.

devlauer pushed a commit that referenced this issue Oct 20, 2018
If deserialization of adapter config is failure, Jenkins
becomes unavailable. Needs to be fixed manually by updating
config files.

This patch validates adapter config before saving.

eselvam commented Jul 22, 2020

Hi!

I got the same issue with Jenkins under Kubernetes. I used nginx ingress to terminate SSL in the ingress resource. It works perfectly; however, if I integrate with Keycloak it throws the error below:

I hope it is a cacert issue in Jenkins, but I am not sure how to fix it. Could someone help me here?

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
Caused: javax.net.ssl.SSLHandshakeException
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:553)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
at org.jenkinsci.plugins.KeycloakSecurityRealm.doFinishLogin(KeycloakSecurityRealm.java:227)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:219)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.RefreshFilter.doFilter(RefreshFilter.java:96)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:159)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:566)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1610)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1300)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1580)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1215)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:500)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
at java.lang.Thread.run(Thread.java:748)
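
Both traces quoted in this thread fail inside the same call, `ServerRequest.invokeAccessCodeToToken`, but for different reasons: in the first, Jenkins' own `CrumbFilter` logged the token request, and in the second the TLS handshake to Keycloak failed certificate path validation. The triage script below is an added example, not code from the plugin or from any commenter; the cause labels, the advice strings and the `keycloak_unreachable` rule (standard Java exception names that do not appear in the thread) are this example's assumptions, and the sample logs are condensed from the traces above.

```python
import re

# Constructed samples, condensed from the two traces quoted in this thread.
CRUMB_LOG = """\
jenkins-new    | Jun 12, 2018 2:04:27 PM hudson.security.csrf.CrumbFilter doFilter
jenkins-new    | WARNING: No valid crumb was included in request for /auth/realms/demo/protocol/openid-connect/token. Returning 403.
jenkins-new    | SEVERE: Authentication Exception
jenkins-new    | org.keycloak.adapters.ServerRequest$HttpFailure
jenkins-new    | \tat org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:115)
"""
PKIX_LOG = """\
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused: sun.security.validator.ValidatorException: PKIX path building failed
Caused: javax.net.ssl.SSLHandshakeException
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
"""

COMPOSE_PREFIX = re.compile(r"^[\w.-]+\s+\| ?")  # "service | " added by docker-compose logs
TOKEN_CALL = "ServerRequest.invokeAccessCodeToToken"  # the code-to-token back-channel call
CRUMB_403 = re.compile(
    r"No valid crumb was included in request for (\S*/protocol/openid-connect/token)")

# Ordered rules: (cause, pattern, what to check). Labels and advice are this example's own.
RULES = [
    ("token_request_hit_jenkins", CRUMB_403,
     "Jenkins' own CrumbFilter answered the token POST: from inside the container, "
     "auth-server-url leads to Jenkins, not Keycloak."),
    ("keycloak_cert_untrusted",
     re.compile(r"PKIX path building failed|SunCertPathBuilderException"),
     "The Jenkins JVM has no trust anchor for Keycloak's certificate chain: "
     "import the issuing CA into the truststore that JVM uses."),
    ("keycloak_unreachable",
     re.compile(r"java\.net\.(?:UnknownHostException|ConnectException)"),
     "auth-server-url does not resolve or accept connections from the Jenkins container."),
    ("token_call_failed_other", re.compile(r"ServerRequest\$HttpFailure"),
     "An HTTP server answered the token request with an error: read the logged "
     "'Failure Message' body to see which server and why."),
]


def triage(log_text):
    """Return {'cause', 'evidence', 'check'} for a failed code-to-token call, else None."""
    lines = [COMPOSE_PREFIX.sub("", line) for line in log_text.splitlines()]
    if not any(TOKEN_CALL in line for line in lines):
        return None  # no failed code-to-token exchange in this excerpt
    for cause, pattern, check in RULES:
        for line in lines:
            match = pattern.search(line)
            if match:
                # Use the captured path when the rule has one, else the matching line.
                evidence = match.group(1) if match.groups() else line.strip()
                return {"cause": cause, "evidence": evidence, "check": check}
    return None


if __name__ == "__main__":
    for name, log in (("first trace", CRUMB_LOG), ("second trace", PKIX_LOG)):
        print(name, "->", triage(log))
```

Because the plugin reports none of these failures to the browser and simply redirects again, the server log is the only place the three causes can be told apart.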

troymohl pushed a commit to troymohl/jenkins-keycloak-plugin that referenced this issue Jul 31, 2020
URL encode user names. Handle user not found exceptions better

lemzoo commented Oct 16, 2020

If you still have the infinite loop when Keycloak redirects to Jenkins:

You should create your realm and client in Keycloak beforehand.

First, try to read the log in your Jenkins/Keycloak pod or container.
Then, if you tried the Keycloak plugin in Jenkins and it's not working, try the OpenID Connect authentication plugin.

Configure your jenkins as below:

Go into -> configureSecurity -> Security Realm and select Login with Openid Connect

Client ID: set your keycloak client id

Client secret: set your Keycloak client secret, which is in the Credentials tab inside Clients.

For configuration mode, choose Manual configuration

Token Server url: $KEYCLOAK-URL/auth/realms/<your-realm>/protocol/openid-connect/token

Authorization server url: $KEYCLOAK-URL/auth/realms/<your-realm>/protocol/openid-connect/auth

UserInfo server url: $KEYCLOAK-URL/auth/realms/<your-realm>/protocol/openid-connect/userinfo

You can find this information with curl $KEYCLOAK-URL/auth/realms/<your-realm>/.well-known/openid-configuration

For scopes, you can use openid email

User name field name: preferred_username

Full name field name: fullName

Email field name: email

Disable ssl verification: check the box

Apply and Save.

Try to log in with Jenkins; it should redirect you to Keycloak, and after login Keycloak will redirect you to Jenkins.
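
The three endpoint fields in the comment above can be read from the discovery document rather than typed by hand, and compared with the URL the browser actually uses; a Keycloak behind a TLS-terminating proxy may advertise an internal host or an `http` scheme there. This is an added example, not part of the original comment or of either plugin: `plugin_fields` is a hypothetical helper, and the host names and the realm `demo` in the sample documents are constructed.

```python
import json
from urllib.parse import urlsplit


def sample_discovery(base):
    """Constructed discovery document for realm 'demo' (only the keys read below)."""
    realm = f"{base}/auth/realms/demo"
    oidc = f"{realm}/protocol/openid-connect"
    return json.dumps({
        "issuer": realm,
        "authorization_endpoint": f"{oidc}/auth",
        "token_endpoint": f"{oidc}/token",
        "userinfo_endpoint": f"{oidc}/userinfo",
    })


PUBLIC = sample_discovery("https://sso.example.test")  # hypothetical public URL
INTERNAL = sample_discovery("http://keycloak:8080")    # hypothetical internal URL

# Form label from the comment above -> key in the discovery document.
FIELDS = {
    "Token Server url": "token_endpoint",
    "Authorization server url": "authorization_endpoint",
    "UserInfo server url": "userinfo_endpoint",
}


def plugin_fields(discovery_json, keycloak_url, realm):
    """Return (fields, problems) for the manual-configuration form."""
    doc = json.loads(discovery_json)
    expected = f"{keycloak_url.rstrip('/')}/auth/realms/{realm}"
    problems = []
    if doc.get("issuer") != expected:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected!r}")
    fields = {}
    for label, key in FIELDS.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{key} is missing")
            continue
        fields[label] = url
        # Every endpoint should live under the realm URL the browser is sent to.
        if not url.startswith(expected + "/"):
            problems.append(f"{key} is outside {expected}")
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https")
    return fields, problems


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC), ("internal", INTERNAL)):
        fields, problems = plugin_fields(doc, "https://sso.example.test", "demo")
        print(name, fields, problems)
```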


Caesar2011 commented Nov 29, 2020

Had an infinite loop as well. In Keycloak, I inserted * as valid redirect URLs.

Using the "OpenID connect authentication" plugin works like a charm. Now I can use a more specific redirect URL again.
