Login Loop & 401 Unauthorized API Error after Keycloak Authentication (Docker Compose Setup)

[Startrek666]

Hi,I'm currently setting up Galaxy-KC using the Docker Compose method as described in the galaxy-kc repository. I've successfully deployed the Docker containers and configured Nginx as a reverse proxy with Let's Encrypt SSL certificates for both Galaxy (schedule.mydomain.xyz) and Keycloak (id.mydomain.xyz).

I've also configured Keycloak (running separately via Docker Compose) with a realm (ucs) and a confidential client (galaxy) with the correct redirect URIs (https://schedule.mydomain.xyz/oidc/validate and https://schedule.mydomain.xyz/*).

The Issue:
When I access my Galaxy instance at https://schedule.mydomain.xyz, I am correctly redirected to the Keycloak login page (https://id.mydomain.xyz/realms/ucs/...). I can successfully authenticate (register new user & login) on the Keycloak page.
After successful authentication, Keycloak redirects back to Galaxy (https://schedule.mydomain.xyz/oidc/validate?session_state=...&code=...). However, immediately after this redirect, the Galaxy UI seems to lose the authenticated state and redirects me back to the Galaxy welcome/login page (https://schedule.mydomain.xyz/). Clicking "Sign In" again just repeats the loop.

Debugging Information:
Browser Network Tools: When the loop occurs, I can see a POST request to https://schedule.mydomain.xyz/api/pri/hello fails with a 401 Unauthorized status code.
Looking at the Request Headers for this failed POST request, there is no Authorization: Bearer header.
There is a Cookie header present, but the value for the token= cookie appears to be empty (e.g., Cookie: token=).
Docker Container Logs (docker compose logs ...):
The logs for galaxy-api-adm, galaxy-api-pri, and galaxy-api-pub only show basic "Listening on port..." messages after startup and some "housekeeping" messages from galaxy-api-adm.
They do not show any errors or detailed information related to handling the OIDC callback (/oidc/validate) or processing the /api/pri/hello request.

Environment:
Galaxy-KC installed via Docker Compose on Debian 12.
Keycloak (latest image) running via Docker Compose on the same host.
Nginx (host installed) acting as reverse proxy with valid Let's Encrypt certificates.

Thank you for your time and help with this great project!

[Startrek666]

This is the content in the.env configuration file：

ALLOW_UNSECURE_CERT=1

# Secret for API
# Update this value for your deployment
API_SECRET=c135632bf9d65a2ed9f81daa78e21ebc430e7a90

# Timeout for API session
API_TIMEOUT=86400

# Postgresql host address
DB_HOST=galaxy-db

# Postgresql password
# Update this value for your deployment
DB_PASSWD=1f8b3234228ac120bffd0cc1640deb14334a7455

# FQDN for this setup
GALAXY_FQDN=schedule.xxx.xyz

# Keycloak client ID
KEYCLOAK_CLIENT_ID=galaxy

# Keycloak address
KEYCLOAK_ORIGIN=https://id.xxx.xyz

# Keycloak realm
KEYCLOAK_REALM=ucs
KEYCLOAK_CLIENT_SECRET=73***O
# Mailer settings
# See https://nodemailer.com/smtp for details
MAILER_HOST="smtp.qq.com"
MAILER_PORT=465
MAILER_SECURE=true
MAILER_USER="***@qq.com"
MAILER_PASS="***"
MAILER_FROM="Galaxy Scheduler <***@qq.com>"

# Contact info
CONTACT_EMAIL="***@qq.com"

This is the Nginx configuration for Galaxy:

server {
    if ($host = schedule.xxx.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name schedule.xxx.xyz;

    location ~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html; 
    }

}

server {
    listen 443 ssl http2; 
    server_name schedule.xxx.xyz;
    ssl_certificate /etc/letsencrypt/live/schedule.xxx.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/schedule.xxx.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; 
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


    client_max_body_size 100M; 

    location / {
        proxy_pass http://127.0.0.1:8088; 
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   
        proxy_set_header X-Forwarded-Proto https; 
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 443; # 告诉下游原始端口是 443
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

}

[emrahcom]

Hi @Startrek666, why is there KEYCLOAK_CLIENT_SECRET in .env?

Access Type should be public for Keycloak's client.
Or client authentication should be off if this Keycloak is 20.x or newer.

[Startrek666]

Thank you very much! I solved this problem after turning off the Client Authentication.🎉

[emrahcom]

https://github.com/nordeck/jitsi-keycloak-adapter-v2?tab=readme-ov-file#3-keycloak-configuration

This is a similar config. Instead of "JItsi URL" in this guide, use your Galaxy URL.

[Startrek666]

OK, I have already understood this management mechanism. Then how can I delete those two public Jitsi servers? Because I want to keep the website I built private, and only some users are allowed to create meetings.

[emrahcom]

There is no option on UI to do this. You can only disable (or delete) these public domains in database shell:

• Attach the postgres container:

docker exec -it galaxy-kc-galaxy-db-1 /bin/bash

• Open the postgres shell:

psql -U galaxy

• List the public domains

select * from domain where public;

• Disable the public domains:

update domain set enabled = false where public;

• Check the domain list on UI

• ctrl + d until you are out of the container

[Startrek666]

Thank you again for your help!

[Startrek666]

Hi,after logging in and joining a Jitsi meeting room using the link generated by Galaxy,I'm finding that several moderator-specific buttons are missing from the Jitsi Meet interface. Features like Whiteboard,Subtitles are not available/visible.（using JWT Authentication）
How can i solve this problem?Thank you.

[Startrek666]

This question has little to do with this post, so I have already started a new discussion.