Cannot login to Keycloak with HTTPS from Windows (but can from Linux)
I have Keycloak 17.0.0 (Quarkus) running in Kubernetes. When I start the Keycloak server with HTTP (http-enabled:true; hostname-strict-https:false), I can successfully log in to the administration console from both the Windows 10 and Fedora 35 systems (tried from two computers with Windows and three with Linux). I tried both Chrome and Firefox, and the behaviour is the same.
But when I start the Keycloak server with HTTPS (certificate generated using keytool, no root certificate), then I can log in from the Fedora systems, but can't from the Windows systems.
I'm not sure if this matters, but from both the Windows and Fedora systems, I'm connecting to the Keycloak server through a corporate VPN.
When trying to log in from the Windows machines, the server returns status code 400 - this is the request URL:
https://<ip>:<port>/realms/master/login-actions/authenticate?session_code=fUdxAl_f-vYHQFGUCX07SQnWEnncBCPf8hi3t3pmmHs&execution=05d68330-cbf2-4b28-9d04-2365989934d1&client_id=security-admin-console&tab_id=eK7ABwblVp8
In Keycloak logs, I see this exception (truncated where the three dots are for brevity):
```
2022-03-23 14:45:41,653 WARN [org.keycloak.services] (executor-thread-6) KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: java.io.IOException: Underlying input stream returned zero bytes
    at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:61)
    at org.jboss.resteasy.plugins.server.BaseHttpRequest.getDecodedFormParameters(BaseHttpRequest.java:74)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:166)
    at com.sun.proxy.$Proxy46.getDecodedFormParameters(Unknown Source)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:104)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:1002)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:321)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:292)
    at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:276)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:349)
    ...
Caused by: java.io.IOException: Underlying input stream returned zero bytes
    at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:288)
    at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
    at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
    at java.base/java.io.InputStreamReader.read(InputStreamReader.java:181)
    at java.base/java.io.BufferedReader.fill(BufferedReader.java:161)
    at java.base/java.io.BufferedReader.read1(BufferedReader.java:212)
    at java.base/java.io.BufferedReader.read(BufferedReader.java:287)
    at org.jboss.resteasy.plugins.providers.FormUrlEncodedProvider.parseForm(FormUrlEncodedProvider.java:88)
    at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:57)
```
I compared the two outgoing authentication requests (from Windows and from Fedora) in Chrome's Network tab, and they looked almost identical: a small difference in the accepted-language header (but only in the lowest-priority one) and (expected) differences in session cookies.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
