keycloak: Health Check failure when KC_HTTP_RELATIVE_PATH set on 20.0.0

Before reporting an issue

I have searched existing issues
I have reproduced the issue with the latest release

Area

core

Describe the bug

New install of 20.0.0 (also effected 19.0.2). I originally assumed it may be related to https://github.com/keycloak/keycloak/issues/15799, but my issue is not intermittent.

I have both KC_HEATLH_ENABLED = “true” and KC_HTTP_RELATIVE_PATH = “auth” set on container Environment variables in AWS ECS Task defintion. Below is the failure I see in the logs. I have my logging at INFO level, but I can bump it up and resend as needed.

> 2022-12-14 17:42:33,735 ERROR [io.quarkus.vertx.http.runtime.QuarkusErrorHandler] (executor-thread-1) HTTP Request to /auth/health failed, error id: 7499d507-415c-42aa-930c-429a1c8bc2e0-6: java.lang.NullPointerException
>   | 2022-12-14T11:42:33.736-06:00 | at org.keycloak.services.error.KeycloakErrorHandler.getResponse(KeycloakErrorHandler.java:61)
>   | 2022-12-14T11:42:33.736-06:00 | at org.keycloak.services.error.KeycloakErrorHandler.toResponse(KeycloakErrorHandler.java:56)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.ExceptionHandler.executeExceptionMapper(ExceptionHandler.java:136)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:309)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:218)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:258)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
>   | 2022-12-14T11:42:33.736-06:00 | at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
>   | 2022-12-14T11:42:33.736-06:00 | at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
>   | 2022-12-14T11:42:33.736-06:00 | at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler$1.run(VertxRequestHandler.java:91)
>   | 2022-12-14T11:42:33.736-06:00 | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:564)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
>   | 2022-12-14T11:42:33.736-06:00 | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
>   | 2022-12-14T11:42:33.736-06:00 | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>   | 2022-12-14T11:42:33.736-06:00 | at java.base/java.lang.Thread.run(Thread.java:829)

After removing KC_HTTP_RELATIVE_PATH = “auth” the health check works as expected.

Other KC environment setting.

KC_DB =	postgres
KC_DB_URL_DATABASE = postgres
KC_DB_URL_HOST = *.us-east-2.rds.amazonaws.com
KC_DB_URL_PORT = 5432
KC_DB_URL_PROPERTIES = ?currentSchema=auth
KC_DB_USERNAME = auth_owner
KC_HEALTH_ENABLED = true
KC_HOSTNAME = *.mydomain.com
KC_HTTP_ENABLED = false
KC_HTTP_RELATIVE_PATH = auth
KC_LOG_LEVEL = info
KC_PROXY = reencrypt
KC_DB_PASSWORD = *
KEYCLOAK_ADMIN_PASSWORD = *

Any ideas or releases I should attempt? Note this does work with 18.0.0, but release notes state 19 did some work with health checks.

Version

20.0.0

Expected behavior

/auth/health return 200 and applicaton/json

Actual behavior

/auth/health returns 500

How to Reproduce?

Attempt to hit URL */auth/health through an AWS application load balancer on a new quay.io release of keycloak (19.0.2 and 20.0.0) with KC_HTTP_RELATIVE_PATH = “auth” and KC_HEALTH_ENABLED = “true”

Anything else?

No response

About this issue

Original URL
State: closed
Created 2 years ago
Comments: 23 (12 by maintainers)

Commits related to this issue

Support paths without a beginning slash when setting the root path Closes #16002 — committed to pedroigor/keycloak by pedroigor a year ago
Support paths without a beginning slash when setting the root path Closes #16002 — committed to keycloak/keycloak by pedroigor a year ago

Most upvoted comments

@hean0224 @evsasha I missed how the option was being set. Perhaps we should avoid this error and make sure the http-relative-path always start with /.

At the same time, we have this constraint very explicit in our docs:
--http-relative-path <path>                                                                                                                                                                   
                     Set the path relative to '/' for serving resources. The path must start with a                                                                                           
                       '/'. Default: /.
So, not sure.

I’m closing this one for now and waiting if you want to have this fixed in a separate issue as an enhancement.

This was the issue, Sorry for missing the update requiring the use of / in front of relative path.

hean0224 on Feb 1, 2023