Troubleshooting

Issues with Keycloak Communication

For an internal Keycloak instance, or an external Keycloak service running on the same Docker host, the trustcenter service containers may fail to reach the Keycloak instance (defined in KEYCLOAK_SERVER_NAME), because the connection has to go from a container back to its own Docker host.

Issue #1: Firewall settings

Make sure the firewall does not block the entici service containers from connecting to the Docker host. With Ubuntu UFW, open the port on which Keycloak is reached:

# [Setup I] Assuming: KEYCLOAK_SERVER_TYPE=Internal, SERVER_PORT=443
# Open HTTPS port 443
sudo ufw allow 443
# [Setup II] Assuming: KEYCLOAK_SERVER_TYPE=External, Keycloak on Docker host on port: 8443 
# Open HTTPS port 8443
sudo ufw allow 8443

Note that on Ubuntu, ports published by Docker bypass the UFW policies by default anyway for external requests, because Docker manages its own iptables rules in the FORWARD chain and these are evaluated before UFW's [as of August 2021]. Do not rely on UFW alone to restrict access to a published port.

Issue #2: DNS entries

Make sure that the host part of KEYCLOAK_SERVER_NAME does not resolve to a loopback address.

For instance, a host with the hostname entici.medic.it and the internal Keycloak configuration must not resolve its own hostname locally to an address in 127.0.0.0/8 (e.g. 127.0.0.1, or the 127.0.1.1 entry that Ubuntu adds to /etc/hosts by default). Seen from inside a container, a loopback address points at the container itself, not at the Docker host. Test it on the Docker host with getent hosts entici.medic.it (which, unlike host entici.medic.it, also consults /etc/hosts).
If the name resolves to a loopback address, fix the entry in /etc/hosts.

Issues with Keycloak Configuration

The following list contains known configuration problems.

Issue #1: redirect_uri rejected

  • Problem: Invalid parameter: redirect_uri
  • Reason: Incorrect configuration of the “Valid Redirect URIs” option of the entitylist-webapp client in Keycloak; the redirect_uri sent by the webapp matches none of the configured entries.
  • Solution: Valid Redirect URIs= http(s)://host(:port)/*, with the exact scheme, host and port the webapp is served from. Keep the wildcard behind the concrete host and the trailing slash so that it only matches paths on this host; a bare * lets any site receive the authorization code.

Issue #2: CORS error on the token endpoint

  • Problem: Access to XMLHttpRequest at ‘http(s)://host(:port)/auth/realms/trustcenter/protocol/openid-connect/token’ from origin ‘http(s)://host(:port)’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
  • Reason: Incorrect configuration of the “Web Origins” option of the entitylist-webapp client in Keycloak; the browser's Origin header is not in the allowed list, so Keycloak omits the Access-Control-Allow-Origin header.
  • Solution: Web Origins= http(s)://host(:port), i.e. the origin only (scheme, host and port, no path and no trailing slash), matching the address the webapp is loaded from. Do not use * here; if the origin is already covered by the Valid Redirect URIs, Keycloak's + entry (allow all origins of the Valid Redirect URIs) is the safer shorthand.
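As an added example covering both issues above (not code from this documentation, from the entici project or from Keycloak), the script below models the two client settings and audits a client for the misconfigurations that produce the errors, plus the wildcard settings that are dangerous rather than merely broken. The matching logic is a simplified model of Keycloak's rules (exact match, or prefix match for an entry ending in *; for Web Origins, * for any origin and + for every origin of the Valid Redirect URIs) and is an assumption, not Keycloak's implementation. The field names redirectUris and webOrigins follow the JSON client representation of Keycloak's admin REST API; the client objects are constructed for the example.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, which is what the browser sends as Origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def redirect_uri_allowed(valid_uris: list[str], redirect_uri: str) -> bool:
    """Simplified 'Valid Redirect URIs' check: exact match, or prefix match
    when the configured entry ends with '*'. A bare '*' accepts anything."""
    for pattern in valid_uris:
        if pattern == "*":
            return True
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def origin_allowed(web_origins: list[str], valid_uris: list[str], origin: str) -> bool:
    """Simplified 'Web Origins' check: exact origin, '*' for any origin,
    '+' for every origin that appears in the Valid Redirect URIs."""
    if "*" in web_origins:
        return True
    if "+" in web_origins:
        if origin in {origin_of(u) for u in valid_uris if u != "*"}:
            return True
    return origin in web_origins


def audit_client(client: dict) -> list[str]:
    """Return findings for a client representation (Keycloak-style JSON keys)."""
    findings = []
    uris = client.get("redirectUris", [])
    origins = client.get("webOrigins", [])
    if not uris:
        findings.append("no Valid Redirect URIs: logins fail with 'Invalid parameter: redirect_uri'")
    if "*" in uris:
        findings.append("Valid Redirect URIs contains a bare '*': any site can receive the authorization code")
    for pattern in uris:
        # 'https://host*' (no slash) is a prefix of 'https://host.evil.example/...' too.
        if pattern != "*" and pattern.endswith("*") and urlsplit(pattern[:-1]).path == "":
            findings.append(f"wildcard directly after the host in {pattern!r} also matches other hostnames")
    if not origins:
        findings.append("no Web Origins: browser calls to the token endpoint fail with the CORS error")
    if "*" in origins:
        findings.append("Web Origins contains '*': any origin may call the token endpoint from the browser")
    return findings


if __name__ == "__main__":
    # Constructed client representations: the corrected one from the two issues, and a risky one.
    good = {"clientId": "entitylist-webapp",
            "redirectUris": ["https://entici.medic.it/*"],
            "webOrigins": ["https://entici.medic.it"]}
    risky = {"clientId": "entitylist-webapp",
             "redirectUris": ["https://entici.medic.it*"],
             "webOrigins": ["*"]}
    for client in (good, risky):
        print(client["redirectUris"], client["webOrigins"], audit_client(client) or "ok")
    print(redirect_uri_allowed(risky["redirectUris"], "https://entici.medic.it.evil.example/cb"))
```

The last line shows why the audit flags a wildcard without a trailing slash: under prefix matching, https://entici.medic.it* accepts a redirect to a different hostname that merely starts with the same characters, whereas https://entici.medic.it/* does not.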