fix(tb-dev): patch tbpro login.ftl (?no_esc) + restore clustered keycloak#8
Merged
Merged
Conversation
…loak
Two related dev-keycloak fixes:
1. Theme loginAction escaping (the real cookie_not_found / invalid_code cause).
Keycloak 26.5.7 (this image, pulled via the moving quay :26.5 tag) HTML-escapes
Freemarker output, so the tbpro theme's `formAction: '${url.loginAction}'` inside
window._page renders with '&'. The Vue login app POSTs to that URL verbatim,
so Keycloak receives 'amp;execution' (the 'execution' param is lost) and returns
400 -> the browser reports cookie_not_found / invalid_code on the cross-app OIDC
login. The stage ECS keycloak runs an older 26.5.x that did not escape, so it is
unaffected (until its next rebuild on the moving tag).
Mount a patched login.ftl (extracted from this exact image, with ?no_esc added to
the four window._page URL fields that carry query strings: loginAction,
registrationUrl, loginResetCredentialsUrl, p.loginUrl) over the baked theme via a
subPath volume. Stable-named configMapGenerator so the volume ref resolves.
The durable fix lives in thunderbird-accounts (theme ?no_esc + pin the keycloak
base image tag); this override unblocks dev validation until that image ships.
2. Restore clustered keycloak (drop the replicas: 1 override -> base replicas: 2,
Infinispan DNS_PING). The single-replica workaround was a misdiagnosis of the
above; Infinispan shares auth sessions across pods, so clustered login works once
the theme is fixed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
aatchison
added a commit
that referenced
this pull request
Jun 27, 2026
…gin.ftl (#9) PR #8 only overrode login.ftl, but EVERY flow that embeds an action URL in a window._page JS string hits the same Keycloak-26.5.7 auto-escape bug: login-update-password, login-otp, login-reset-password, login-verify-email, register, logout-confirm, select-authenticator, login-recovery-authn-code-input, login-config-totp, login-page-expired, login-username, delete-credential. A real login reaches login-update-password.ftl (UPDATE_PASSWORD required action) right after credentials, so the single-file override wasn't enough. Replace the single-file ConfigMap subPath override with a patch-login-theme initContainer: copy the baked /opt/keycloak/themes/tbpro/login dir to an emptyDir, add ?no_esc to the JS-embedded server URLs (url.*, p.loginUrl, client.baseUrl) in all *.ftl, and mount the emptyDir over the login dir. Covers every template and preserves resources/ + theme.properties. Still temporary -- dropped once the thunderbird-accounts image carries the theme fix. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Root cause (the cross-app OIDC login failure)
The tbpro Keycloak theme embeds the login URL inside a JS string in
window._page:formAction: '${url.loginAction}',The EKS dev keycloak runs 26.5.7 (the image pins the moving
quay.io/keycloak/keycloak:26.5tag, and this image was built later than stage's). That Keycloak HTML-escapes Freemarker output, so the rendered page contains…&execution=…. The Vue login app POSTs to that URL verbatim → Keycloak receivesamp;execution(theexecutionparam is lost) → 400 → the browser surfacescookie_not_found/invalid_code.Why stage (auth-stage.tb.pro) isn't affected: the theme is identical (last changed in
fc59c21, which is the stage image), but stage's ECS image was built on an older 26.5.x that did not auto-escape. Stage will hit the same bug on its next rebuild — see the thunderbird-accounts PR for the durable fix + base-tag pinning.This PR (dev unblock)
login.ftl(extracted from this exact image, with?no_escadded to the fourwindow._pageURL fields that carry query strings:loginAction,registrationUrl,loginResetCredentialsUrl,p.loginUrl) over the baked theme via asubPathvolume. Stable-namedconfigMapGeneratorso the volume ref resolves. Temporary — drop once the thunderbird-accounts image carries the fix.replicas: 1override (back to basereplicas: 2, Infinispan DNS_PING). The single-replica workaround was a misdiagnosis of the above; Infinispan shares auth sessions across pods, so clustered login works once the theme is fixed.Verification
kubectl kustomize overlays/tb-devclean; rendersreplicas: 2, the override ConfigMap with?no_esc, and the subPath mount at/opt/keycloak/themes/tbpro/login/login.ftl.accounts-tb-dev.tail2726a2.ts.net→ no&in the POST → completes (the #599 validation).Part of the thunderbird-accounts→EKS bring-up (#599).
🤖 Generated with Claude Code