2

I am working on a project with SpringBoot framework at backend and Angular8 at frontend. The connection between front and back is made with an nginx proxy server. I wanted to integrated with Keycloak and I used keycloak-angular v.6.1.0 library (https://www.npmjs.com/package/keycloak-angular) and keycloak-js v.9.0.3 (https://www.npmjs.com/package/keycloak-js) and at first sight seemed to be working smoothly. Concretely, the login page shows up, I provide the credentials, login succeeds and keycloak sends back the token which is used as an authorization bearer token for the requests that are sent to backend.

The problem that I am facing is that these requests usually succeed, but sometimes they don't, giving a 401 Unauthorized code. When I monitor these failed requests, I check the validity of the bearer token with jwt(https://jwt.io/) and it is always valid, and then I double-check with curl and the request succeeds and I get the expected results.

app.module.ts

export function initializer(keycloak: KeycloakService) {
  return async () => {
    const authenticated = await keycloak.init({
      config: environment.keycloakConfig
    });

    if (!authenticated) {
      console.log("Not authenticated")

      await keycloak.login({ scope: environment.scope });

      return authService.loadSecurityInfo(true)
        .pipe(
          map(securityInfo => {
            ....
          })
        ).toPromise();
    } else {
      console.log("Authenticated!")

      return authService.loadSecurityInfo(true)
        .pipe(
          map(securityInfo => {
            ...
          })
        ).toPromise();
    }
  };
}

I provide the code with the keycloak initializer and keycloak login. The loadSecurityInfo function just performs the get request in the respective endpoint at the backend.

LoadSecurityInfo

return this.http
  .get<any>(AuthService.URL.SECURITY_INFO, { headers: HttpUtils.getDefaultHttpHeaders() })
  .pipe(
    map(body => {
      ...
    })
  );

I was wondering if someone faces the same or similar problem and could give me some insights about what is maybe wrong. Thanks in advance! :D

MrCodingB
  • 2,284
  • 1
  • 9
  • 22
stav
  • 21
  • 4
  • When you say they sometimes fail, are those the `POST` requests? Are the same requests failing all the time or for example they stop working after some time? What's the pattern? Is your BE and FE on the same domain or are you making CORS requests? – eko May 14 '21 at 09:20
  • Does it happen with same user or different users? And just out of curiosity, do you also get CORS error? – mat.hudak May 14 '21 at 10:16
  • @eko Hey, the requests that fail are GET requests and they stop working after some time with code 401 but in a later call or refresh couple of times, they work. The main struggle of mine; I am trying to detect a more concrete pattern but it seems a bit random. No, they are not on the same domain, I am making the requests via nginx sever. Sorry, if I omit some things from my description, I am pretty rookie with the angular -keycloak stuff. Maybe a usual pattern is that after I left idle for couple of secs the tab and get back to it, it is highly possible the request will give me 401. – stav May 14 '21 at 10:19
  • Hmm so the token is not refreshed perhaps? But you're saying if you try the failed request via curl it works, right? – eko May 14 '21 at 10:24
  • @dallows I haven't really tried with another user, but I will try it and get back to you . No, I don't get CORS error, I used to but I think the use of proxy server solved it. – stav May 14 '21 at 10:32
  • @eko It could be the case, but by checking the time the access token was issued, it has not expired, yet the request fails. I also tried to wait for 5 mins (Access token lifespan) and then click a button to make a GET request and then (I checked via network tab) a successful POST request was made to keycloak for token and refreshed the token and also my GET request succeed. But in another attempt it may fail, this is the randomness I talked about earlier. Yes it works with curl. – stav May 14 '21 at 11:13
  • @stav: I'm asking about the CORS because Keycloak has known issue where one of the responses is missing the CORS header and it causes various issues. It happens when user has account `roles` missing but I reckon it does not apply in your case. – mat.hudak May 14 '21 at 11:15
  • @dallows if i change versions , keycloak-angular v7.2.0 and keycloak-js v9.0.0 which are the versions that are suggested for angular8, then I get Cross-Origin Request Blocked (Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’) – stav May 17 '21 at 10:04

0 Answers0