| Component | Keycloak |
|---|---|
| Version | 15 |
| Created on | |
| Last modified on | |
| Review status | |
| KB article number | 1279098887 |

Summary
You have configured the Content Security Policy (CSP) in Keycloak so that other websites can integrate Keycloak, and something has gone wrong.
The page simply stays blank (white) and the browser console shows messages such as the following:

```
The source list for the Content Security Policy directive 'frame-src' contains an invalid source
Refused to frame <frame url> because it violates the following Content Security Policy directive: <directive>
```
Important requirements
- Administrative Keycloak user
- SSH user with access to MicroK8s
- Basic understanding of Kubernetes
- Basic understanding of MySQL databases
Solution
If the Content Security Policy (CSP) is configured incorrectly, the invalid value is also applied to the Keycloak administration interface. You can therefore no longer correct this invalid value via the interface.
You can only rectify the faulty configuration via the Keycloak database.
Make the Keycloak MySQL database available in phpMyAdmin and change the value there.
Here's how
- Log in to the affected server via SSH.
- Edit the phpMyAdmin deployment. Add the service `keycloak-mysql.default` to the environment variable `PMA_HOSTS`. The individual hostnames are stored comma-separated, without spaces.

  ```
  kubectl edit deployment -n phpmyadmin phpmyadmin-deploy
  ```
- Retrieve the password of the root user of the Keycloak database instance. You can find the password in the ConfigMap `keycloak-mysql-passwords`.

  ```
  kubectl describe cm -n default keycloak-mysql-passwords
  ```
- Open phpMyAdmin in a web browser at https://<server>/pma. phpMyAdmin sits behind Keycloak authentication, so log in accordingly. Enter the user and password and select the Keycloak MySQL server under Server selection.
- Find the value for the Content Security Policy in the `REALM_ATTRIBUTE` table of the `keycloak` database. There is a row with the attribute name `_browser_header.contentSecurityPolicy`.
- Adjust the value accordingly.
- Restart the Keycloak pod to apply the changes:

  ```
  kubectl delete pod -n default $(kubectl get pods -n default --no-headers -o custom-columns=":metadata.name" | grep keycloak-deploy)
  ```
- Be sure to check whether the changes have the desired effect.
- Remove the service `keycloak-mysql.default` from the phpMyAdmin deployment again.

  ```
  kubectl edit deployment -n phpmyadmin phpmyadmin-deploy
  ```
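
A candidate CSP value can be checked offline before it is written to the `_browser_header.contentSecurityPolicy` row in the "Adjust the value" step. The following Python sketch is an added example, not part of the original article or of Keycloak: it inspects only `frame-src` and `frame-ancestors`, accepts only `'self'`, `'none'`, scheme sources and host sources, and its function names and sample value are assumptions made for illustration.

```python
import re

# Directives that control framing; the only ones this sketch checks.
FRAMING = {"frame-src", "frame-ancestors"}
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
HOST = r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
SCHEME_SOURCE = re.compile(rf"{SCHEME}:")
HOST_SOURCE = re.compile(rf"(?:{SCHEME}://)?{HOST}(?::(?:\d+|\*))?(?:/[^\s;,]*)?")


def source_problem(token):
    """Return why token is not a usable source, or None if it is fine."""
    if token.lower() in ("'self'", "'none'"):
        return None
    # An unquoted self/none parses as a host name, which is never intended.
    if token.strip("'\"").lower() in ("self", "none"):
        return "keyword must be written with single quotes"
    if "," in token:
        return "sources are separated by spaces, not commas"
    if token[0] in "'\"" or token[-1] in "'\"":
        return "hosts and schemes must not be quoted"
    if SCHEME_SOURCE.fullmatch(token) or HOST_SOURCE.fullmatch(token):
        return None
    return "not a scheme, host or keyword source"


def check_csp(policy):
    """Return (directive, token, reason) findings for the framing directives."""
    findings = []
    for part in policy.split(";"):
        words = part.split()
        if not words or words[0].lower() not in FRAMING:
            continue
        name, sources = words[0].lower(), words[1:]
        if len(sources) > 1 and "'none'" in (s.lower() for s in sources):
            findings.append((name, "'none'", "'none' must be the only source"))
        for token in sources:
            reason = source_problem(token)
            if reason:
                findings.append((name, token, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample value; portal.example.com is a placeholder host.
    candidate = "frame-src self; frame-ancestors 'self',https://portal.example.com"
    for finding in check_csp(candidate):
        print(finding)
```

An empty result means the framing directives contain no source that this check rejects; the value should still be verified in the browser after the pod restart.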