Trouble Getting STIG Manager to Fully Log In

[petere2018]

Good Morning,

We are hoping to get some help with our STIG Manager deployment. We are attempting to deploy STIG Manager in a Kubernetes environment with Helm. We have our own Keycloak (FIPS mode) set up with the stigman realm per the documentation. We have given STIG Manager its own certificate and set NODE_EXTRA_CA_CERTS to a file with our root and subordinate certificate chain.

The issue occurs during the log in process. We navigate to the STIG Manager URL in the browser. The browser gets redirected to the Keycloak login for the STIG Manager deployment. We enter the credentials and they show a successful login in the Keycloak events. The web browser then redirects back to STIG Manager, however STIG Manager never opens in the browser. The web page hangs with the green check box and says "Authorizing" and "Fetching user data". We have adjusted a lot of Keycloak settings to try and get a full login but have unfortunately not been successful.

In the developer tools we see the following:

[OIDCWorker]: getAccessToken, redirecting to authorization
[OIDCWorker]: Exchange code for token …
[OIDCWorker]: Broadcasting no token
{init] Received from worker: message
Object { type: "noToken",redirect: "<Keycloak URL>/realms/stigman… , isIdle: false}

Would anyone have any advice on how to further troubleshoot this issue? Any help would be greatly appreciated. Please let me know if you would need any other information. Thank you very much.

[csmig]

In Keycloak, please check the SSO session idle timeout (Realm settings -> Sessions) and the Access token lifespan (Realm settings -> Tokens). The behavior you've described is consistent with either of these values being configured to 10 seconds or less.

If that doesn't help, then please report the STIGMAN version you're using and browser. The devtools output looks like Firefox, which is tricky to use for debugging shared workers. So might ask to use Chrome.

[petere2018]

Hello,

Here are our current settings in Keycloak:

SSO Session Idle: 30 minutes
Access token lifespan: 5 minutes

We are using STIGMAN version 1.15.13 (pulled from Ironbank). We have also tried this with 1.15.12 (both the Ironbank and Docker Hub images).
Yes we are using Firefox mainly but I can switch to Chrome. We see this behavior in Firefox, Chrome and Edge. Chrome appears to give us this portion of the output:

{init] Received from worker: message
Object { type: "noToken",redirect: "<Keycloak URL>/realms/stigman… , isIdle: false}

[csmig]

Thank you for checking the Keycloak settings. This remains consistent with an edge case where the OIDC shared worker successfully exchanges an OIDC authorization code for a token, but the token is immediately seen as expired so the worker emits the 'noToken' message. It would be helpful if the web app code produced a console message with the actual token response, but unfortunately it currently does not.

There are a few ways we could proceed, most of them involve setting breakpoints in the dev tools and inspecting the state. However, if you are willing we could try injecting the missing console.log() statement into your running container. This way the dev tools will conveniently show the token response.

You will need to know the running container's name. You're using Red Hat (see EDIT), so I'll assume you use podman. Please run this command on the system running the container:

podman exec <container-name> sed -i '515i console.log(logPrefix, "Tokens response received", tokensResponse)' /home/node/client/js/workers/oidc-worker.js

If you're using docker, replace podman with docker. I have assumed the Ironbank image for 1.5.13 is being used.

After doing this, please refresh the browser (keep using Firefox for now, it nicely displays worker console messages in the main thread's console) and provide the full console message that begins with "Tokens response received".

EDIT: Not sure why I thought you're using Red Hat, you did not say that! Hopefully this is clear nonetheless.

[petere2018]

Hello,

Yes that was clear. I was able to edit the oidc-worker.js file. Here is the console message I received. I removed the actual token/guid information as I didn't think that was necessary. Please let me know if I need to provide any other information.

[OIDCWorker]: Tokens response received 
Object { access_token: "<token>", expires_in: 300, refresh_expires_in: 1800, refresh_token: "<token>", token_type: "Bearer", id_token: "<token>", "not-before-policy": 0, session_state: "<GUID>", scope: "openid email stig-manager:user:read profile stig-manager:op stig-manager:stig:read stig-manager:user stig-manager:collection stig-manager:stig" }
​
access_token: "<token>"
​
expires_in: 300
​
id_token: "<token>"
​
"not-before-policy": 0
​
refresh_expires_in: 1800
​
refresh_token: "<token>"
​
scope: "openid email stig-manager:user:read profile stig-manager:op stig-manager:stig:read stig-manager:user stig-manager:collection stig-manager:stig"
​
session_state: "<GUID>"
​
token_type: "Bearer"

Thank you for the help with this.

[petere2018]

Unsure if this helps or is relevant but these errors show up repeating in the developer tools as the web page hangs:

[State Broadcast] Received message: 
Object { type: "state-report", data: '{"currentState":"available","since":"2025-10-13T11:33:53.977Z","dependencies":{"db":true,"oidc":true},"endpoints":{"ui":{"current":"/","next":""}}}' }
​
data: '{"currentState":"available","since":"2025-10-13T11:33:53.977Z","dependencies":{"db":true,"oidc":true},"endpoints":{"ui":{"current":"/","next":""}}}'
​
type: "state-report"
​
<prototype>: Object { … }
ApiState.js:57:12
[State Broadcast] Received message: 
Object { type: "state-error", data: {…} }
​
data: Object { message: "Cannot connect to https://<stigmanager URL>/api/op/state/sse" }
​​
message: "Cannot connect to https://<stigmanager URL>/api/op/state/sse"
​​
<prototype>: Object { … }
​
type: "state-error"
​
<prototype>: Object { … }

Thank You

[csmig]

The actual tokens (access and refresh) would be helpful so they can be provided to our unit tests and I could trace how they are being processed.

The state-error should be unrelated, but is perhaps a side-effect of the main issue.

[csmig]

Also, this issue is very likely to revolve around time. It would be helpful to know the exact time the tokens response is received. Please recreate the container and let's add a timestamp to the tokens response console message:

$ podman exec <container-name> sed -i '515i console.log(logPrefix, "Tokens response received", Date.now(), tokensResponse)' /home/node/client/js/workers/oidc-worker.js

[petere2018]

Wow, it looks like time was our issue. We didn't recognize time was not in sync on the workstations we were using. We fixed that and are now able to bring up the web console. Thank you very much for the quick and thorough responses!