Bug : Setup for development environment causes re-login every 5 seconds. #1365

Open
Yuutakasan opened this issue Jan 5, 2021 · 13 comments

@Yuutakasan

Yuutakasan commented Jan 5, 2021

After following the URL below, the keycloak server now tries to re-login once every 5 seconds just by accessing it.
This is a lot of development work, so I'm working around it by setting the login retry to 86,400 seconds (it takes about 30 seconds to re-login). What can I do to solve the underlying problem?

https://www.apicur.io/studio/docs/setting-up-a-development-environment

@mikisou

mikisou commented Jan 5, 2021

Here is the video recorded in this situation:

zoom_1.mp4

@EricWittmann
Member

That's not good. I think we need more information.

  • What OS and browser are you using? Can you try other browser(s)?
  • What is the output to the browser JS console? There may be some useful information there.
  • Is there any useful output on the ng start console when this happens?

@Yuutakasan
Author

@mikisou Could you provide some additional information?

@mikisou

mikisou commented Jan 6, 2021

@EricWittmann
Thanks.

This is my environment:
OS: MacOS Catalina / Chrome 87.0.4280.88(Official Build)
Firefox 84.0.1 : Not reproduced this bug
Safari 13.1.3 : Reproduced this bug

There are some issues reported in Chrome's console about the SameSite attribute for a cookie.
There seemed to be no useful output on the console for the front-end application.

@EricWittmann
Member

OK so it sounds like this is specific to Safari browser - is that right? I don't have a Mac so I can't test this myself.

@Apicurio/developers - does anyone have a Mac and can try to reproduce this?

@turutosiya

turutosiya commented Jan 15, 2021

@EricWittmann I guess this problem comes from Chrome's change of its default behaviour.

As of version 80, Chrome treats Cookie SameSite=Lax by default.
https://web.dev/samesite-cookies-explained/

As you can see in the following capture, since the SameSite attribute is not specified on KEYCLOAK_SESSION, SameSite=Lax is applied by default, which means that the cookie cannot be read in the iframe.
Screen Shot 2021-01-15 at 20 14 55

So, Keycloak fails to get KEYCLOAK_SESSION value in cookie.
https://github.com/keycloak/keycloak/blob/3.4.3.Final/adapters/oidc/js/src/main/resources/login-status-iframe.html#L71

As a result, a changed message is sent to the main window.
https://github.com/keycloak/keycloak/blob/3.4.3.Final/adapters/oidc/js/src/main/resources/login-status-iframe.html#L27

Then, it falls into the logout process in the main window.
https://github.com/keycloak/keycloak/blob/3.4.3.Final/adapters/oidc/js/src/main/resources/keycloak.js#L863

Anyway, it all happens in Keycloak...
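
The following is an added example, not part of the thread and not Keycloak's or Apicurio's code: it models the SameSite rules described in the comment above to show why the status iframe cannot see `KEYCLOAK_SESSION` when embedded from a different site. The dev URL, cookie value, `Path`, and every function name are constructed for illustration, and "site" is approximated by the last two host labels.

```javascript
// Added example: models the SameSite rules discussed above. Inputs are constructed.

// Parse one Set-Cookie header value into a name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A missing or unrecognised SameSite attribute is treated as Lax (Chrome 80+ default).
function effectiveSameSite(cookie) {
  const v = String(cookie.attrs.samesite || '').toLowerCase();
  return ['strict', 'lax', 'none'].includes(v) ? v : 'lax';
}

// Assumption: "site" is approximated by the last two host labels; real browsers
// use the Public Suffix List and also compare the scheme.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Can script in an iframe at frameUrl, embedded in a page at topUrl, see the
// cookie through document.cookie?
function readableInIframe(header, topUrl, frameUrl) {
  const c = parseSetCookie(header);
  const result = (readable, reason) => ({ name: c.name, readable, reason });
  if (c.attrs.httponly) return result(false, 'HttpOnly hides it from script');
  if (siteOf(topUrl) === siteOf(frameUrl)) return result(true, 'same-site frame');
  const mode = effectiveSameSite(c);
  if (mode !== 'none') return result(false, `SameSite=${mode} in a cross-site frame`);
  if (!c.attrs.secure) return result(false, 'SameSite=None requires Secure');
  return result(true, 'SameSite=None; Secure');
}

// Constructed inputs: a local dev origin embedding the hosted auth server's iframe.
const DEV = 'http://localhost:8888/';            // hypothetical dev URL
const AUTH = 'https://studio-auth.apicur.io/';   // iframe host named in the thread
const bare = 'KEYCLOAK_SESSION=constructed-value; Path=/';
console.log(readableInIframe(bare, DEV, AUTH));
console.log(readableInIframe(bare + '; SameSite=None; Secure', DEV, AUTH));
console.log(readableInIframe(bare, 'https://studio.apicur.io/', AUTH));
```

Running the same check over the `Set-Cookie` headers an auth server actually returns shows which session cookies will be invisible to a status iframe once the embedding page lives on another site.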

@EricWittmann
Member

I wonder if this would be resolved simply by upgrading the keycloak.js being used to a newer version. Could you try grabbing a more recent version of that from here:

https://www.npmjs.com/package/keycloak-js

I think the newer versions should work despite the older version of Keycloak we've got running in the cloud.

@turutosiya

turutosiya commented Jan 20, 2021

Since login-status-iframe.html is hosted on https://studio-auth.apicur.io/ , I think replacing only keycloak.js will not work.

It's required to upgrade Keycloak on the server to 8.0.2 or later.

Would you please check:
https://www.keycloak.org/2020/02/keycloak-802-released.html

@EricWittmann
Member

Thanks for figuring this all out - much appreciated. I'll see what I can do about upgrading the auth server.

@Yuutakasan
Author

@EricWittmann
Do you know if the problem occurs if you use Keycloak 8.0.2 or later?
https://github.com/Apicurio/apicurio-studio/blob/master/distro/docker-compose/keycloak/Dockerfile

@EricWittmann
Member

Darn I lost track of this activity. I don't think there is any reason to expect a new version of Keycloak to be a problem for us. We'll just have to test it!

@Yuutakasan
Author

@EricWittmann
I tested it with Keycloak 12.0.4 and it seems to be working well so far.

@EricWittmann
Member

I'll need to find time to upgrade studio.apicur.io's auth to KC 12. Thanks for the update.
