Infinite Loop when redirect after login

[vittoN]

Hi, i am trying to use jenkins plugin for keycloak but facing with the following problem. When i try to login from jenkins it correctly redirect me to the keycloak login page but when i insert credentials i get an endless redirect between jenkins and keycloak.

This is what i get from log:

jenkins-new    | Jun 12, 2018 2:04:27 PM hudson.security.csrf.CrumbFilter doFilter
jenkins-new    | WARNING: No valid crumb was included in request for /auth/realms/demo/protocol/openid-connect/token. Returning 403.
jenkins-new    | Jun 12, 2018 2:04:27 PM org.jenkinsci.plugins.KeycloakSecurityRealm doFinishLogin
jenkins-new    | SEVERE: Authentication Exception 
jenkins-new    | org.keycloak.adapters.ServerRequest$HttpFailure
jenkins-new    | 	at org.keycloak.adapters.ServerRequest.error(ServerRequest.java:288)
jenkins-new    | 	at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:115)
jenkins-new    | 	at org.jenkinsci.plugins.KeycloakSecurityRealm.doFinishLogin(KeycloakSecurityRealm.java:226)
jenkins-new    | 	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
jenkins-new    | 	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
jenkins-new    | 	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
jenkins-new    | 	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
jenkins-new    | 	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
jenkins-new    | 	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
jenkins-new    | 	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
jenkins-new    | 	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
jenkins-new    | 	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
jenkins-new    | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
jenkins-new    | 	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
jenkins-new    | 	at org.jenkinsci.plugins.RefreshFilter.doFilter(RefreshFilter.java:96)
jenkins-new    | 	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
jenkins-new    | 	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:86)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
jenkins-new    | 	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
jenkins-new    | 	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
jenkins-new    | 	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
jenkins-new    | 	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
jenkins-new    | 	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
jenkins-new    | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
jenkins-new    | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
jenkins-new    | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
jenkins-new    | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
jenkins-new    | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
jenkins-new    | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
jenkins-new    | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
jenkins-new    | 	at org.eclipse.jetty.server.Server.handle(Server.java:564)
jenkins-new    | 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
jenkins-new    | 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
jenkins-new    | 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
jenkins-new    | 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
jenkins-new    | 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
jenkins-new    | 	at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
jenkins-new    | 	at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
jenkins-new    | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
jenkins-new    | 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
jenkins-new    | 	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
jenkins-new    | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
jenkins-new    | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
jenkins-new    | 	at java.lang.Thread.run(Thread.java:748)
jenkins-new    | 
jenkins-new    | Jun 12, 2018 2:04:27 PM org.jenkinsci.plugins.KeycloakSecurityRealm doFinishLogin
jenkins-new    | SEVERE: Failure Message<html>
jenkins-new    | <head>
jenkins-new    | <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
jenkins-new    | <title>Error 403 No valid crumb was included in the request</title>
jenkins-new    | </head>
jenkins-new    | <body><h2>HTTP ERROR 403</h2>
jenkins-new    | <p>Problem accessing /auth/realms/demo/protocol/openid-connect/token. Reason:
jenkins-new    | <pre>    No valid crumb was included in the request</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>
jenkins-new    | 
jenkins-new    | </body>
jenkins-new    | </html>
jenkins-new    | 
jenkins-new    | Jun 12, 2018 2:04:27 PM org.jenkinsci.plugins.KeycloakSecurityRealm doFinishLogin
jenkins-new    | SEVERE: Failure HTTP Status403

This is my docker-compose:

jenkins-new:
  image: jenkins/jenkins:2.73.3
  container_name: jenkins-new
  networks:
    app_net:
      ipv4_address: 172.20.0.49
  #restart: always
  ports:
    - "8086:8080"

Here my configuration of keycloak client:

Screenshoot of http reqests:

Thanks in advance.

[devlauer]

Hi vittoN,

this project is now part of the official jenkins community and moved to https://github.com/jenkinsci/keycloak-plugin . It is also part of the official plugin repository / update site jenkins-ci.org where you can get the current release of this plugin (for more information have a look at the official wiki page (https://wiki.jenkins.io/display/JENKINS/keycloak-plugin)).

The version hosted on my private update-site as described on the readme.md is quite old and contains an error which can lead to an infinite loop if you use an keycloak server version newer than 3.0.0.Final. This error was fixed in Version 2.0.3 (https://github.com/jenkinsci/keycloak-plugin/blob/master/Changelog.md). The current version of this plugin is 2.2.0. Which plugin version do you use?

The other possible reason for your infinite loop could be an error in your docker configuration. For the processing of each authentication request this plugin needs to communicate to your keycloak server for token validation and user information retrieval. Therefore this plugin uses the auth-server-url of your keycloak json configuration. If this URL can not be resolved/accessed from inside your jenkins docker container, this plugin will treat this request as unauthenticated and redirect it to the keycloak server, which checks the login and redirects again to jenkins and so on. So could you please check if your auth-server-url is reachable from inside your jenkins docker container?

Kind Regards

[Ilhicas]

Hello vittoN, I had this issue before as well

https://issues.jenkins-ci.org/browse/JENKINS-51549

I closed it, as per configuration, I was able to set it to work, However this doesn't work under SSL with self signed certificates, and I get the same endless loop, and I believe it to be the absence of an option to allow for no-check-certificate for example, thus entering a loop, as keycloak will always accept it, however jenkins will not give you any errors, just redirect you back to keycloak, and so on and so forth.

I've close that issue at the moment, but I believe this one should be kept open, or reopened the other in the Jira so this can be attended.

[eselvam]

Hi!

I got same issue with Jenkins under kubernetes. I used nginx ingress to terminate ssl in ingress resource. It work perfectly however, if I integrate with keycloak it is throwing below error:

I hope it is a cacert issue in the jenkins but not sure how to fix it. Could some one help me here?

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
Caused: javax.net.ssl.SSLHandshakeException
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:553)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
at org.jenkinsci.plugins.KeycloakSecurityRealm.doFinishLogin(KeycloakSecurityRealm.java:227)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:219)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.RefreshFilter.doFilter(RefreshFilter.java:96)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:76)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:159)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:36)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:566)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1610)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1300)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1580)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1215)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:500)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
at java.lang.Thread.run(Thread.java:748)

[lemzoo]

If you still had the infinite loop when keycloak redirect to jenkins.

You should create your realm and client into keycloak before

First try to read the log in your jenkins/keycloak pod or container.
Then, if you tried Keycloak plugin in jenkins and it's not working, try openid connect authentication plugin.

Configure your jenkins as below:

Go into -> configureSecurity -> Security Realm and select Login with Openid Connect

Client ID: set your keycloak client id

Client secret: Set your keycloak client secret, which is in Credentials tabs inside Clients.

For configuration mode, choose Manual configuration

Token Server url: $KEYCLOAK-URL/auth/realms//protocol/openid-connect/token

Authorization server url : $KEYCLOAK-URL/auth/realms//protocol/openid-connect/auth

UserInfo server url: $KEYCLOAK-URL/auth/realms//protocol/openid-connect/userinfo

You can find these informations by curl $KEYCLOAK-URL/auth/realms/<your-realm>/.well-known/openid-configuration

For scopes, you can use openid email

User name field name: preferred_username

Full name field name: fullName

Email field name: email

Disable ssl verification: check the box

Apply and Save.

Try to login with jenkins, it should redirect you to keycloak and after login, Keycloak will redirect you into jenkins.

[Caesar2011]

Had an infinity loop as well. In keycloak, I inserted * as valid redirect URLs.

Using the "OpenID connect authentication" plugin works like a charm. Now I can use a more specific redirect URL again.