Troubleshooting
Common issues:
I receive 401 Unauthorized status code
- Turn on Debug or Trace logging level and see the logs output
- Make sure access token is provided in Authorization Header.
- Make sure the audience is mapped to a token via audience mapper. You can try to disable audience validation temporarily.
- Make sure the HTTPs requirement is turned off in Development Mode.
KeycloakAuthenticationOptions.SslRequired="none"
I receive 403 Forbidden
- Turn on Debug or Trace logging level and see the logs output
- In case of RBAC Authorization make sure the
ClaimsPrincipal
has "realm_access" and "resource_access" claims mapped from token issued by Keycloak. - If you use Keycloak as Authorization Server, make sure it is properly configured and that the Keycloak installation is accessible.
Keycloak is slow to respond
Keycloak is a central part of the system used by many components. Especially, in Authorization Server scenario where authorization requests are sent to centralized place. Essentially, Keycloak becomes a bottleneck of the system. Consider Cluster Setup to tackle this problem.
Also, you can handle transient HTTP errors by adding resiliency, see How to setup resiliency to HTTP Clients
NOTE
☝️Keycloak.AuthServices
supports OpenTelemetry. See Keycloak.AuthServices.OpenTelemetry.