Too many redirects

John_Poirier · December 2, 2020, 8:23pm

I have a single machine that is running three docker images: nginx reverse proxy, keycloak, and shinyproxy.

When I navigate to shiny.mydomain.org, it redirects to https://shiny.mydomain.com/auth and I reach the login page. If I enter an incorrect password, the incorrect password error is displayed. If I enter a correct password, I get sent back to shinyproxy and get an ERR_TOO_MANY_REDIRECTS error. I have added the recommended forwarding environment variable to Keycloak, verified that it’s set, and set forward-headers-strategy: NATIVE for shinyproxy.

This seems to be a common problem that users have, but I have not found anything posted that actually solves the issues. Does anyone actually have this working that can share a configuration that functions?

tdekoninck · December 8, 2020, 2:15pm

Hi

This problem is typically caused because ShinyProxy isn’t able to verify the token provided by Keycloak. This can have multiple reasons:

ShinyProxy cannot reach Keycloak, e.g. because the hostname is wrong, the network access is blocked, wrong port number etc
ShinyProxy isn’t allowed to verify the token by keycloak, e.g. because the client-secret is wrong. If this it the case, you should see a message about this in the keycloak logs.

John_Poirier · February 1, 2021, 7:26pm

Solved.

tdekoninck was correct that the token could not be read due to being behind an HTTPS reverse proxy. I’m not sure that this was the right way to solve it, but loading the SSL keys into the shinyproxy truststore worked using the following java arguments:

-Djavax.net.ssl.trustStore=/opt/shinyproxy/shiny.jks -Djavax.net.ssl.trustStorePassword=mypassword

I’m not sure that this is the “right” way to solve this redirect problem, but it did work. Please let me know if this is brute forcing a problem with a more elegant solution.

tdekoninck · February 25, 2021, 3:54pm

Hi @John_Poirier

If that server is using TLS certs that are by default not trusted (e.g. self-signed, corporate CA… ) it’s perfectly ok to use a separate truststore with the CA in it. This is a secure way.
Note that (unfortunately) this issue could also happen when using Let’s encrypt (especially with Java projects).