Skip to content

fix(tb-dev): patch tbpro login.ftl (?no_esc) + restore clustered keycloak#8

Merged
aatchison merged 1 commit into
mainfrom
fix/dev-keycloak-theme-loginaction-noesc
Jun 27, 2026
Merged

fix(tb-dev): patch tbpro login.ftl (?no_esc) + restore clustered keycloak#8
aatchison merged 1 commit into
mainfrom
fix/dev-keycloak-theme-loginaction-noesc

Conversation

@aatchison

Copy link
Copy Markdown
Contributor

Root cause (the cross-app OIDC login failure)

The tbpro Keycloak theme embeds the login URL inside a JS string in window._page:

formAction: '${url.loginAction}',

The EKS dev keycloak runs 26.5.7 (the image pins the moving quay.io/keycloak/keycloak:26.5 tag, and this image was built later than stage's). That Keycloak HTML-escapes Freemarker output, so the rendered page contains …&execution=…. The Vue login app POSTs to that URL verbatim → Keycloak receives amp;execution (the execution param is lost) → 400 → the browser surfaces cookie_not_found / invalid_code.

Why stage (auth-stage.tb.pro) isn't affected: the theme is identical (last changed in fc59c21, which is the stage image), but stage's ECS image was built on an older 26.5.x that did not auto-escape. Stage will hit the same bug on its next rebuild — see the thunderbird-accounts PR for the durable fix + base-tag pinning.

This PR (dev unblock)

  1. Theme override — mount a login.ftl (extracted from this exact image, with ?no_esc added to the four window._page URL fields that carry query strings: loginAction, registrationUrl, loginResetCredentialsUrl, p.loginUrl) over the baked theme via a subPath volume. Stable-named configMapGenerator so the volume ref resolves. Temporary — drop once the thunderbird-accounts image carries the fix.
  2. Restore clustered keycloak — drop the replicas: 1 override (back to base replicas: 2, Infinispan DNS_PING). The single-replica workaround was a misdiagnosis of the above; Infinispan shares auth sessions across pods, so clustered login works once the theme is fixed.

Verification

  • kubectl kustomize overlays/tb-dev clean; renders replicas: 2, the override ConfigMap with ?no_esc, and the subPath mount at /opt/keycloak/themes/tbpro/login/login.ftl.
  • Post-deploy: browser login round-trip on accounts-tb-dev.tail2726a2.ts.net → no & in the POST → completes (the #599 validation).

Part of the thunderbird-accounts→EKS bring-up (#599).

🤖 Generated with Claude Code

…loak

Two related dev-keycloak fixes:

1. Theme loginAction escaping (the real cookie_not_found / invalid_code cause).
   Keycloak 26.5.7 (this image, pulled via the moving quay :26.5 tag) HTML-escapes
   Freemarker output, so the tbpro theme's `formAction: '${url.loginAction}'` inside
   window._page renders with '&'. The Vue login app POSTs to that URL verbatim,
   so Keycloak receives 'amp;execution' (the 'execution' param is lost) and returns
   400 -> the browser reports cookie_not_found / invalid_code on the cross-app OIDC
   login. The stage ECS keycloak runs an older 26.5.x that did not escape, so it is
   unaffected (until its next rebuild on the moving tag).

   Mount a patched login.ftl (extracted from this exact image, with ?no_esc added to
   the four window._page URL fields that carry query strings: loginAction,
   registrationUrl, loginResetCredentialsUrl, p.loginUrl) over the baked theme via a
   subPath volume. Stable-named configMapGenerator so the volume ref resolves.

   The durable fix lives in thunderbird-accounts (theme ?no_esc + pin the keycloak
   base image tag); this override unblocks dev validation until that image ships.

2. Restore clustered keycloak (drop the replicas: 1 override -> base replicas: 2,
   Infinispan DNS_PING). The single-replica workaround was a misdiagnosis of the
   above; Infinispan shares auth sessions across pods, so clustered login works once
   the theme is fixed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aatchison aatchison merged commit b2e60d8 into main Jun 27, 2026
1 check passed
@aatchison aatchison deleted the fix/dev-keycloak-theme-loginaction-noesc branch June 27, 2026 20:47
aatchison added a commit that referenced this pull request Jun 27, 2026
…gin.ftl (#9)

PR #8 only overrode login.ftl, but EVERY flow that embeds an action URL in a
window._page JS string hits the same Keycloak-26.5.7 auto-escape bug:
login-update-password, login-otp, login-reset-password, login-verify-email,
register, logout-confirm, select-authenticator, login-recovery-authn-code-input,
login-config-totp, login-page-expired, login-username, delete-credential. A real
login reaches login-update-password.ftl (UPDATE_PASSWORD required action) right
after credentials, so the single-file override wasn't enough.

Replace the single-file ConfigMap subPath override with a patch-login-theme
initContainer: copy the baked /opt/keycloak/themes/tbpro/login dir to an emptyDir,
add ?no_esc to the JS-embedded server URLs (url.*, p.loginUrl, client.baseUrl) in
all *.ftl, and mount the emptyDir over the login dir. Covers every template and
preserves resources/ + theme.properties. Still temporary -- dropped once the
thunderbird-accounts image carries the theme fix.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant