Too many redirects - Keycloak Authentication

rajiv.abraham · June 12, 2019, 7:56pm

Hi,
I’m trying to integrate keycloak following the documentation here.
The error I get is ERR_TOO_MANY_REDIRECTS on Chrome. Could anyone help me figure out what is wrong?
(As a first time user, I can’t post links, so I’ve tried to obfuscate it a bit )

My config.yaml file.

hub:
  extraEnv:
    OAUTH2_AUTHORIZE_URL: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/auth
    OAUTH2_TOKEN_URL: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/token
    OAUTH_CALLBACK_URL: my-notebook-site/hub/oauth_callback
  auth:
    type: custom
    custom:
      className: oauthenticator.generic.GenericOAuthenticator
      config:
        login_service: "keycloak"
        client_id: "jupyterhub"
        client_secret: "mysecret"
        token_url: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/token
        userdata_url: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/userinfo
        userdata_method: GET
        userdata_params: {'state': 'state'}
        username_key: preferred_username

My URL which fails

my-notebook-site/hub/oauth_login?response_type=code&redirect_uri=https%3A%2F%2Fnotebook.15rock.com%2Fhub%2Foauth_callback&client_id=jupyterhub&state=abcd

My Keycloak setting:

client id: jupyterhub
Valid Redirect URIs: my-notebook-site/hub/oauth_callback

kkapper · June 17, 2019, 5:29pm

I ran into this issue for a little while using our own custom oauth service but I think the solution will likely be the same.

The issue for me was that the callback URI needed to be set in both locations. I am not positive on Keycloak, but you probably need to not only authorize that callback URI as a valid redirect URI (which I see that you have done), but also configure the specific application (the one where you generated your secret keys from) in Keycloak to actually use the callback URI.

I suspect more configuration on the Keycloak end of things is your ticket here.

Additionally, the POST body of authenticate in the generic authenticator omits the client_id and client_secret values by default. (They are not passed in just because you set them in your auth.custom.config.client_secret/id.) To get these values in your POST body you will also need to add the following:

auth:
  custom:
    config:
      extra_params:
        client_id : 'ID'
        client_secret: 'SECRET'

rajiv.abraham · June 20, 2019, 12:50am

I got it to work. I think the issue is on the jupyterhub side where it is not recognizing the environment variable. Pleas see my comment here and the solution just below

Topic		Replies	Views
HTTP 403: Ip Forbidden error when authenticating against Keycloak server Zero to JupyterHub on Kubernetes help-wanted	1	1304	February 2, 2021
Keycloak identity management: 500 : Internal Server Error Zero to JupyterHub on Kubernetes	8	8244	December 24, 2021
How to use keycloak to sign into JupyterHub? Zero to JupyterHub on Kubernetes help-wanted	1	4329	February 7, 2021
Jupyter redirect uri error with Keycloak repo help help-wanted	0	868	November 23, 2020
Redirect error when spawning notebook in Kubernetes Zero to JupyterHub on Kubernetes	1	625	June 24, 2020

Too many redirects - Keycloak Authentication

Related Topics