Browser looping when using keycloak-js v11

[obouchta]

Describe the bug
I'm facing a strange issue.
When navigating into my http://localhost:3000/#/hom, the provider create a infinite loop. It keep looping from http://localhost:3000/#/home to the following url :
http://localhost:3000/#/home&state=30692c6b-e9e0-407a-b522-e0bdec324d66&session_state=e1ec5e6e-463c-43dc-9f7e-e7170a4f7422&code=7f5c9f74-efd2-4014-a7b6-819f06647cda.e1ec5e6e-463c-43dc-9f7e-e7170a4f7422.300185e4-3ad6-4e7d-8967-f9a4c617cad8

When using the keycloakProvider and Keycloak-js 11.0.2

To Reproduce
Steps to reproduce the behavior:

1. Install keycloak 11.0.2
2. Install js dependencies to keycloak 11.0.2 (keycloak-js v11.0.2)
3. configure your keycloak and your project as expected
4. Go to http://localhost:3000/#/ (or /home)
5. See looping behavior on the application

Expected behavior
Init the component.

Desktop (please complete the following information):

• OS: Ubuntu 20.04.1 LTS (Focal Fossa)
• Browser Chrome / Firefox
• Version Chrome 85

Additional information:
I suspect that the keycloak.init() return something not expected by the provider and that cause a new request to initialize the keycloak instance again and again.

[floweb]

I'm facing the same issue with @react-keycloak/web v2.1.4 & keycloak-js v10.0.1.

[obouchta]

I'm facing the same issue with @react-keycloak/web v2.1.4 & keycloak-js v10.0.1.

I tried to change versions of react-keycloak and/or keycloak-js but that did not change anything. So, for now I disabled the component and tried to code it until the bug is fixed.

[panz3r]

Hi @obouchta and @floweb ,

Thanks for your feedback, I tried looking into this issue but cannot seems to be able to reproduce it.

I created a new React app from scratch and integrated the latest versions of keycloak-js (v11.0.2) and @react-keycloak/web (v3.0.0-alpha.1 - which can be installed using the @next tag but does not contain any major difference from version v2.1.4), the app is then based on the react-router example code (taken from react-keycloak/examples).

I made different tests on Safari, Firefox and Edge (Chromium based) and couldn't reproduce it.

The Keycloak server version is 11.0.2 (started from the official Docker image).

Could you please provide more details about your setup?

[obouchta]

Hi @panz3r,

Thanks for investigating our issue.

I tried to use the version 3.0.0-alpha.1, but I still have the same issue. By the way, I got an error while using this version:

<project_path>/node_modules/@react-keycloak/web/lib/withKeycloak.d.ts
TypeScript error in <project_path>/node_modules/@react-keycloak/web/lib/withKeycloak.d.ts(1,13):
'=' expected.  TS1005

  > 1 | import type { KeycloakInstance } from 'keycloak-js';
      |             ^
    2 | import hoistStatics from 'hoist-non-react-statics';
    3 | import * as React from 'react';
    4 | export interface KeycloakInjectedProps {

Do you think that the issue may come from keycloak bad configuration ?
Here my configuration, can you tell if you have the same thing ?

Thank you a lot for your help.

[floweb]

That's very weird but I don't have this issue anymore, I didn't change anything but clean my node_modules ¯\_(ツ)_/¯

I'm still using @react-keycloak/web v2.1.4 & keycloak-js v10.0.1 BTW.

[panz3r]

Hi @obouchta ,

I tried to use the version 3.0.0-alpha.1, but I still have the same issue. By the way, I got an error while using this version:

<project_path>/node_modules/@react-keycloak/web/lib/withKeycloak.d.ts
TypeScript error in <project_path>/node_modules/@react-keycloak/web/lib/withKeycloak.d.ts(1,13):
'=' expected.  TS1005

  > 1 | import type { KeycloakInstance } from 'keycloak-js';
      |             ^
    2 | import hoistStatics from 'hoist-non-react-statics';
    3 | import * as React from 'react';
    4 | export interface KeycloakInjectedProps {

To fix this TS error you should upgrade typescript dependency to a version which supports import type (so version 3.8 or later - by default create-react-app TS template specifies 3.6)

Do you think that the issue may come from keycloak bad configuration ?
Here my configuration, can you tell if you have the same thing ?

I'll have a look at this as soon as possible, in the meanwhile can you try doing what @floweb suggested in his latest comment?

[obouchta]

Hi @panz3r & @floweb,

I just tried @floweb suggestion and it worked fine.

So there is what I did in details:

1. I keept keycloak container v11.0.2
2. I removed node_modules from my project.
3. I changed the keycloak-js version to v10.0.1 and kept @react-keycloak/web v2.1.4
4. I used the following command: npm install --no-cache
   --> This worked fine. I can log in and use the library as expected.

After my successful test, I removed the coockies from my browser and did again the same steps with moving the version of keyckoak-js to 11.0.2.
--> After logging in, the infinite loop start again

After returning back to keycloak-js v10.0.1 (same steps) without removing the coockies from the browser. It worked fine again.
After returning back to keycloak-js v11.0.2 (same steps) without removing the coockies from the browser. the loop start again.
After returning back to keycloak-js v10.0.1 (same steps) without removing the coockies from the browser. It worked fine.

I tested the keycloak-js v11.0.2 without react-keycloak/web and it worked great.
So, may the issue exist in the mapping between react-keycloak/web and keycloak-js v11.x.x

I'm available for further questions 😄

Thanks for your help guys.

[panz3r]

Hi @obouchta ,

Thanks for your detailed feedback, I had a look at the changes between keycloak v10.0.2 and v11.0.2 (check out the official repo here for the complete diff) and they seems mostly related to adding a check for Third-party Cookies support.

I'll investigate further to understand why this is causing issues, another thing I need to know is how did you setup the onLoad params of ReactKeycloakProvider, is it set to login-required or are you using the default value?

[floweb]

I need to know is how did you setup the onLoad params of ReactKeycloakProvider, is it set to login-required or are you using the default value?

Currently using onLoad: 'login-required', and having this issue again... 😢
I also tried to add the flow: 'implicit' that I saw on another issue without effect on the matter.

I will be testing the onLoad: 'check-sso' but I don't think that's the behaviour I want for my app.

Thank you for your time guys!

[obouchta]

Hello @panz3r

I was using the default value.

Thank you,

[panz3r]

Hi @obouchta and @floweb ,

I made some more tests and found out some new details.

I could reproduce the looping on Firefox by blocking cookies for both the app URL (e.g. http://localhost:3000) and the keycloak one (e.g. http://localhost:8080), the issue did not reproduced if the cookies where allowed on http://localhost:3000 but not allowed on http://localhost:8080.

The setup I used is:

• keycloak-js: v11.0.2
• @react-keycloak/web: v3.0.0-alpha.1
• keycloak onLoad initOption set to check-sso

For the records, this is a screenshot of the Keycloak configuration used for the test app

I also tried by using keycloak-js directly and the looping issue also happened.

At this point this issue does not seems to be strictly related to react-keycloak but more to keycloak-js itself and the way it handles Cookie errors.

I also had a look at Keycloak Issue Tracker and found out this issue KEYCLOAK-15158 - which might be related and is scheduled for release with Keycloak v12.

In the meantime I would recommend using the older v10 version of keycloak-js.

[obouchta]

Hi @panz3r ,

Thanks a lot for your investigation.

I confirm that using keycloak-js v10 is fixing my issue.

Waiting for keycloak team to fix that issue.

Thanks again.

[VerdonTrigance]

Hi guys. I faced with same issue.

The setup I used is:

keycloak-js: v10.0.1
@react-keycloak/web: v3.4.0
keycloak onLoad initOption set to login-required
keycloak server located on separate machine with url https://kc6.domain.ru/
Here is client config:

I fond some warning in browser between redirects:

When I set SameSite in chrome://flags/ it helped

But it's not solution. Could you help me figure out how to settle this?

[mrsamse]

I know this is an old ticket, but I had exactly the same problem today with the following versions:

keycloak-js: 12.0.3
@react-keycloak/web: 3.0.4

However, I noticed something very very strange:
The error only appeared when I passed my configuration directly to the keycloak instance:

const keycloak = Keycloak({
  realm: 'XXXX',
  clientId: 'XXXX',
  'auth-server-url': 'XXXX',
  'ssl-required': 'external',
  resource: 'XXXX',
  'public-client': true,
  'confidential-port': 0,
});

However, when I loaded exactly the same configuration via a JSON file, everything worked without any problems:

const keycloak = Keycloak('/keycloak.json');

Maybe this will help someone to solve the problem.

[AshishPanchalPow]

I was running into similar issue. Changing the responseMode to 'query' stopped the looping. That is less recommended, still....
"keycloak-js": "^12.0.4"
"react": "^16.8.6"

[Seaviello]

TL;DR - find option to disable preventing access for third party cookies in your browser

Longer version
We struggled a bit with the issue and let me share our result of the investigation. In general the issue is more related to browsers behaviour than to keycloak itself. It is about being able to access third party cookies by iframe. In our local development we use

• webpack-dev-server - 3.11.2
• keycloak - 8.0.2 (compatible with our server version)
• keycloak-js - we are not using, but it can probably still help you

Our temporary solution for development was to disable privacy setting for your browser. Exact steps depend on your browser, you can check for example here: https://akohubteam.medium.com/how-to-enable-third-party-cookies-on-your-browsers-f9a8143b8cc5

I hope that at least it will help with development. For production you need probably host both application and keycloak server on the same domain, so access by iframe won't fall into category of "third party cookie access".

[VerdonTrigance]

For everyone else who's still struggling - I configured my asp net core web app to receive CORS. This means you should configure both Keycloak and you application (web server) to trust cross origins.

[nicklas-delphai]

We're having the same issue:
Keycloak: 11.0.3
keycloak-js: 11.0.3
react-keycloak: 3.4.0

Affected browser versions (as identified so far):
Chrome (Apple): 88.0.4324.96, 89.0.4389.90, 89.0.4389.114

Keycloak init:

{
  "flow": "hybrid",
  "onLoad": "login-required",
  "checkLoginIframe": false
}

This issue sometimes (seemingly random) occurs only for our Chrome users on Apple. The same version on Linux for example will work as expected. I have tried reproducing the issue on linux chrome with blocking 3rd party cookies and enabling default SameSite cookies. All with no success. I'm not able to reproduce the issue on Linux.

I have already tried setting checkLoginIframe: false, with no success for our apple chrome users.

[BigBallard]

I can confirm that this is still an active issue. This issue should be reopened.

Keycloak: 11.0.2
keycloak-js: 12.0.4
react-keycloak/web: 3.4.0
Browser: Chrome (Windows 10)

keycloak init

{
  onLoad: 'login-required',
  checkLoginIframe: false.
  enableLogging: true
}

I was able to get it to work with versions 2.1.4 and 10.0.2 of react-keycloak/web and keycloak-js respectively. Reverting to these versions worked first time.

[Thretau]

I know this is an old ticket, but I had exactly the same problem today with the following versions:

keycloak-js: 12.0.3
@react-keycloak/web: 3.0.4

However, I noticed something very very strange:
The error only appeared when I passed my configuration directly to the keycloak instance:

const keycloak = Keycloak({
  realm: 'XXXX',
  clientId: 'XXXX',
  'auth-server-url': 'XXXX',
  'ssl-required': 'external',
  resource: 'XXXX',
  'public-client': true,
  'confidential-port': 0,
});

However, when I loaded exactly the same configuration via a JSON file, everything worked without any problems:

const keycloak = Keycloak('/keycloak.json');

Maybe this will help someone to solve the problem.

I encountered this same behaviour and got it to work after I removed everything from config except realm, clientId and url:

const keycloak = Keycloak({
	realm: 'realm',
	url: 'https://url',
	clientId: 'client-id'
});

Versions I used:
keycloak-js: 13.0.1
@react-keycloak/web: 3.4.0

[ivenpoker]

I know this is an old ticket, but I had exactly the same problem today with the following versions:
keycloak-js: 12.0.3
@react-keycloak/web: 3.0.4
However, I noticed something very very strange:
The error only appeared when I passed my configuration directly to the keycloak instance:

const keycloak = Keycloak({
  realm: 'XXXX',
  clientId: 'XXXX',
  'auth-server-url': 'XXXX',
  'ssl-required': 'external',
  resource: 'XXXX',
  'public-client': true,
  'confidential-port': 0,
});

However, when I loaded exactly the same configuration via a JSON file, everything worked without any problems:

const keycloak = Keycloak('/keycloak.json');

Maybe this will help someone to solve the problem.

I encountered this same behaviour and got it to work after I removed everything from config except realm, clientId and url:

const keycloak = Keycloak({
	realm: 'realm',
	url: 'https://url',
	clientId: 'client-id'
});

Versions I used:
keycloak-js: 13.0.1
@react-keycloak/web: 3.4.0

I think the issue is mainly with the auth-server-url key, in the key-value pair. I changed from auth-server-url to url and it seems to have worked.

Versions used:
"keycloak-js": "^14.0.0"
"@react-keycloak/web": "^3.4.0"

[edemen]

Why is this closed? The problem persists : (
To add to the comments above, I create a Keycloak instance with only realm, url and clientId, and Brave still keeps reloading.

[Ryuuji159]

Why is this closed? The problem persists

Searching through the keycloak issue tracker, a solution is apparently on the works on KEYCLOAK-14102

[alilishan]

Anybody has solved this issue?? I have been searching through for a long time now.
Iam using "keycloak-js": "^11.0.2" with "react": "^18.0.0" .. still when I set onLoad: 'login-required' in keycloak.init the browser keep reloading .. appreciate any help on the matter.

[edemen]

Anybody has solved this issue?? I have been searching through for a long time now. Iam using "keycloak-js": "^11.0.2" with "react": "^18.0.0" .. still when I set onLoad: 'login-required' in keycloak.init the browser keep reloading .. appreciate any help on the matter.

No, it is still broken for me in the same way : (

[alilishan]

I am trying with lates keycloak-js also. No luck still.

…

On Sun, 17 Apr 2022 at 2:34 AM, Eugene Dementiev ***@***.***> wrote: Anybody has solved this issue?? I have been searching through for a long time now. Iam using "keycloak-js": "^11.0.2" with "react": "^18.0.0" .. still when I set onLoad: 'login-required' in keycloak.init the browser keep reloading .. appreciate any help on the matter. No, it is still broken for me in the same way : ( — Reply to this email directly, view it on GitHub <#93 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABQEALDOVJVCINKIDSVY3DDVFMB2VANCNFSM4Q44U77A> . You are receiving this because you commented.Message ID: ***@***.***>

[sandrooco]

I am trying with lates keycloak-js also. No luck still.
-- Ali Lishan +*****

Be careful when answering via email - your signature is included. You probably don't want that.

Edit: I have the login loop issue too with React 18.

[alilishan]

I am trying with lates keycloak-js also. No luck still.
-- Ali Lishan +*****

Be careful when answering via email - your signature is included. You probably don't want that.

Edit: I have the login loop issue too with React 18.

Thanks :)

[Elvix10]

i am having the same issue this is my package.json
"@react-keycloak/web": "^3.4.0",
"@testing-library/jest-dom": "^5.16.4",
"@testing-library/react": "^13.1.1",
"@testing-library/user-event": "^13.5.0",
"autoprefixer": "^10.4.4",
"keycloak-js": "^18.0.0",
"postcss": "^8.4.12",
"react": "^18.0.0",
"react-dom": "^18.0.0",
"react-router-dom": "^6.3.0",
"react-scripts": "5.0.1",
"tailwindcss": "^3.0.24",
"web-vitals": "^2.1.4"

[alilishan]

For the time being I decided not to use react-keycloak and use just keycloak-js and write my own component with context and use 'check-sso' to check and redirect if needed. Hopefully they fix the issue asap.

[dreamwave]

Found a solution for the issue here when upgrading to React 18:
#182

Strict mode now causes components to render twice in development to ensure reusable state. This probably causes the component to reload for some reason.
https://reactjs.org/docs/strict-mode.html

Remove or move the StrictMode to solve infinite reloading.

[alilishan]

Found a solution for the issue here when upgrading to React 18: #182

Strict mode now causes components to render twice in development to ensure reusable state. This probably causes the component to reload for some reason. https://reactjs.org/docs/strict-mode.html

Remove or move the StrictMode to solve infinite reloading.

You are right @dreamwave .. It works when we remove the <React.StrictMode>
Though I wish to keep the strict mode on this will do for now.

Thanks again 👍

[lucasvst]

Found a solution for the issue here when upgrading to React 18: #182

Strict mode now causes components to render twice in development to ensure reusable state. This probably causes the component to reload for some reason. https://reactjs.org/docs/strict-mode.html

Remove or move the StrictMode to solve infinite reloading.

WORKS HERE!

[frle10]

Unfortunately removing strict mode does not work for me... I tried many different combinations of versions, including keycloak-js v11, v17 and v18 which is the latest. None of those work and I don't have strict mode at all in my app.

I also tried different init options in the provider, including checkLoginIframe: false, onLoad: 'login-required' / 'check-sso', and no effect.

Also, I tried using React v18.0.0 and v18.1.0. I didn't try with React 17 yet.

It feels like there is definitely something going on in this library. I see that it isn't really updated, dependencies in this repository are pretty old. Is anyone taking care of this?

EDIT: Forget about it guys, I was using some stuff with keycloak completely wrong... turns out some of these fixes do work.

[danielRicaud]

@frle10 Which specific fix solved your issue? I'm also dealing with the refresh issue on React v18.

EDIT: Issue solved! The following post describes the issue that was causing my app to reload twice and trigger this login loop, it was related to webpack-dev-server.

https://stackoverflow.com/questions/51658984/webpack-seems-to-be-reloading-my-component-twice-with-no-apparent-reason

[BigBallard]

The issue appears to be related to React.StrictMode as well. By moving the ReactKeycloakProvider.../> outside the <React.StrictMode.../> my problem was solved.

[murphye]

Removing StrictMode fixed the problem for me as well.

[weiguo-tough]

I had the same problem because my site had an initial redirect to the home page. But keycloak js checks if the user is authenticated by the url hash, so when I add the current hash to the redirect path, the problem solved
const hash = props.location.hash
history.push('/home' + hash);

[gabrielmartinez]

I had the same issue

<ReactKeycloakProvider initOptions={{ onLoad: 'login-required', checkLoginIframe: false }} authClient={keycloak} onEvent={eventLogger} onTokens={tokenLogger} // autoRefreshToken > <Wrapper ready={keycloakReady} /> </ReactKeycloakProvider>
I put checkLoginIframe: false and it's seem working

[sia72abedi]

Removing StrictMode fixed the problem for me as well.

me too. with below versions:
keycloak 19.0.0
"keycloak-js": "^19.0.1"

[AlexandreBourdeaudhui]

I had the same issue

<ReactKeycloakProvider initOptions={{ onLoad: 'login-required', checkLoginIframe: false }} authClient={keycloak} onEvent={eventLogger} onTokens={tokenLogger} // autoRefreshToken > <Wrapper ready={keycloakReady} /> </ReactKeycloakProvider> I put checkLoginIframe: false and it's seem working

Thanks, it's working for me. I had the same issue on Brave, or Firefox with privacy (strict) setting enabled.

[Rafael-Ramblas]

Still having this problem.
I've created a new app with create-react-app and installed just keycloak-js and react-keycloak/web, also followed the tutorial setting up things and the problem persists removing the react strict mode, even in firefox with no extensions nor anti-tracking rules enabled.

package-json:

{
  "name": "keycloak-test",
  "version": "0.1.0",
  "private": true,
  "dependencies": {
    "@react-keycloak/web": "^3.4.0",
    "@testing-library/jest-dom": "^5.16.5",
    "@testing-library/react": "^13.4.0",
    "@testing-library/user-event": "^13.5.0",
    "@types/jest": "^27.5.2",
    "@types/node": "^16.11.58",
    "@types/react": "^18.0.20",
    "@types/react-dom": "^18.0.6",
    "keycloak-js": "^19.0.1",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "react-scripts": "5.0.1",
    "typescript": "^4.8.3",
    "web-vitals": "^2.1.4"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": [
      "react-app",
      "react-app/jest"
    ]
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

index file:

import * as React from "react";
import ReactDOM from "react-dom";

import { ReactKeycloakProvider } from "@react-keycloak/web";

import keycloak from "./keycloak";

import "./index.css";

const eventLogger = (event: unknown, error: unknown) => {
  console.log("onKeycloakEvent", event, error);
};

const tokenLogger = (tokens: unknown) => {
  console.log("onKeycloakTokens", tokens);
};

ReactDOM.render(
  <ReactKeycloakProvider
    authClient={keycloak}
    onEvent={eventLogger}
    onTokens={tokenLogger}
    initOptions={{
      onLoad: "login-required"
    }}
  >
    aaaaaaaaaaaaa
  </ReactKeycloakProvider>,
  document.getElementById("root")
);

keycloak.ts:

import Keycloak from "keycloak-js";

// Setup Keycloak instance as needed
// Pass initialization options as required or leave blank to load from 'keycloak.json'
const keycloak = new Keycloak({
  url: "http://localhost:8080",
  realm: "myrealm",
  clientId: "myclient",
});

export default keycloak;

The flag checkLoginIframe prevents the infinite loop from happening, but fails to retain the session, so if I reload the page I have to login again. This problem only happens with the app runing in my local. When I deploy it and use the production keycloak it doesn't happen.

[BigBallard]

@Rafael-Ramblas maybe try adding back React.StrictMode but put it in the ReactKeycloakProvider?

[Rafael-Ramblas]

Nevermind folks, this was a problem with anti-tracking included in browsers and keycloak not correctly configured to send the right value of SAMESITE in auth cookies.
Thx for the help @DallasP9124

[Cruxcodes]

I had the same issue. I removed the React.Strictmode from the index.js and added the initOptions to ReactKeycloakProvider

<ReactKeycloakProvider
        authClient={keycloak}
        initOptions={{
          checkLoginIframe: false,
        }} >

[sahinmurat]

I have the same problem. React renders every 10 seconds on Brave browser. I have only "keycloak-js": "^20.0.3". I don't use keycloak/web.

I have added init part checkLoginIframe: false. The problem is solved.

- import Keycloak from "keycloak-js";
- const keycloak = new Keycloak()
- const initKeycloak = (onAuthenticated: () => void) => {
-     keycloak.init({
-         onLoad: 'login-required',
-         checkLoginIframe: false
-     }).then(authenticated => {  ... }
-     }).catch(error => console.log(error))
- }