Keycloak & EntraID IAM FAQ

Cannot log in to Grafana or ArgoCD via EntraID: "Admin Approval Needed"

If you see an "Admin Approval Needed" message when logging in to Grafana or ArgoCD through EntraID, the cause is usually a restrictive consent policy on the EntraID tenant: users are not permitted to consent to the permissions the Keycloak app registration requests, so EntraID blocks the sign-in until an administrator approves.

Solution:

  • In Keycloak, navigate to the Identity Provider configuration for EntraID.
  • Open the "Advanced Settings" section.
  • Find the Prompt attribute and set it to select_account.
  • Save your changes and try the login again.

With this setting Keycloak sends prompt=select_account on every authorization request to EntraID, so the user is always shown the account picker instead of being signed in silently with a cached session. This satisfies EntraID's requirements and typically resolves the "Admin Approval Needed" error. If the message persists after the change, the app registration itself needs admin consent on the EntraID side (an Entra administrator grants consent for the requested permissions on the application's Permissions page); no Keycloak setting can substitute for that.

Assigned realm role but still no access

If you have assigned a realm role to a user but access is still not granted, there may be a stale or conflicting Contributor resource in the cluster.

Troubleshooting Steps:

  1. Check the logs of the Keycloak pod for warnings or errors that mention the user or the role.
  2. Inspect the Contributor custom resources in the cluster and look for duplicate, outdated or conflicting entries for that user; these can override the role assignment.
  3. List and inspect the resources with:
    kubectl get contributor
    kubectl describe contributor <NAME>

  4. If you find stale or conflicting entries, remove them and re-assign the role if necessary. Confirm which user each entry belongs to before deleting it.

After making the changes, re-attempt the access or login to verify that the role assignment is working as expected.

User is unable to log in: "502 Bad Gateway"

A 502 Bad Gateway is produced by the NGINX ingress proxy itself: the request reached the ingress controller, but NGINX could not read a valid response from the upstream service (Keycloak or the application behind it). The failure is therefore between the ingress and the backend, and the ingress controller logs are the place to start.

Too big response header

The response headers sent by a backend service (for example the large session cookies and JWTs an authentication system sets) exceed the NGINX proxy buffer, so NGINX discards the response and answers 502.

Troubleshooting Steps:

  • Review the ingress controller pod logs for the error "upstream sent too big header while reading response header from upstream".
  • Increase the NGINX buffer size by adding the proxy-buffer-size annotation to the Ingress that routes the login traffic. The annotation applies to that Ingress only; in this setup it is the main Ingress in istio-system:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        # ...
        nginx.ingress.kubernetes.io/proxy-buffer-size: "32k" # Increase proxy buffer size for large cookies and JWTs
      name: main
      namespace: istio-system
    spec:
      # ... (your ingress rules)

  • Choose the smallest size that actually fits the headers rather than an arbitrarily large one: the buffer is allocated per proxied connection. If every Ingress is affected, the same key (proxy-buffer-size) can be set once in the ingress-nginx controller ConfigMap instead of per Ingress.

After making the changes, re-attempt the login and verify that the issue is fixed.
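To see how close a login response is to the buffer limit before touching the Ingress, the following script measures the header block the way nginx buffers it. It is an added example, not part of this FAQ or of ingress-nginx: it parses a raw HTTP/1.1 response, reports the total header bytes and the largest headers, and proposes the smallest 4k-aligned proxy-buffer-size that fits. The response it analyses is constructed sample data (cookie names follow Keycloak's naming, the values are synthetic); the 4k default for ingress-nginx's proxy-buffer-size is the controller's documented default.

```python
"""Check whether a backend's response headers fit the ingress-nginx proxy buffer.

Added example (not from the FAQ or ingress-nginx). The sample response is constructed.
"""
from typing import List, Tuple

# ingress-nginx's default proxy-buffer-size; the annotation in the FAQ raises it to 32k.
DEFAULT_PROXY_BUFFER_SIZE = "4k"

# Constructed sample: an authentication redirect whose identity cookie carries a large
# JWT. 4800 bytes of padding stand in for the real claims and signature.
BIG_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIn0." + "A" * 4800 + ".c2lnbmF0dXJl"
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://grafana.example.test/login/generic_oauth?code=abc\r\n"
    f"Set-Cookie: KEYCLOAK_IDENTITY={BIG_TOKEN}; Path=/realms/prokube/; Secure; HttpOnly\r\n"
    "Set-Cookie: KEYCLOAK_SESSION=prokube/1234/5678; Path=/realms/prokube/; Secure\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "ignored body bytes"
)


def parse_size(value: str) -> int:
    """Parse an nginx size ("4k", "32k", "1m" or plain bytes) into bytes."""
    value = value.strip().lower()
    units = {"k": 1024, "m": 1024 * 1024}
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def header_block(raw: str) -> str:
    """The part of the response nginx reads into proxy_buffer_size: status line,
    all header lines and the blank line that terminates them."""
    end = raw.find("\r\n\r\n")
    return raw if end == -1 else raw[: end + 4]


def header_block_size(raw: str) -> int:
    """Bytes of the header block as nginx must buffer them."""
    return len(header_block(raw).encode("utf-8"))


def largest_headers(raw: str, limit: int = 3) -> List[Tuple[str, int]]:
    """(header name, size in bytes of the full header line) for the biggest headers."""
    sizes = []
    for line in header_block(raw).split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name = line.partition(":")[0].strip()
        sizes.append((name, len(line.encode("utf-8")) + 2))  # +2 for the CRLF
    return sorted(sizes, key=lambda item: item[1], reverse=True)[:limit]


def fits_in_buffer(raw: str, buffer_size: str = DEFAULT_PROXY_BUFFER_SIZE) -> bool:
    """True if nginx could buffer the header block with this proxy-buffer-size."""
    return header_block_size(raw) <= parse_size(buffer_size)


def smallest_buffer(raw: str, step: int = 4 * 1024) -> str:
    """Smallest step-aligned proxy-buffer-size (nginx notation) that fits the headers.
    Prefer this over an arbitrary large value: the buffer is allocated per connection."""
    needed = header_block_size(raw)
    blocks = max(1, -(-needed // step))  # ceiling division
    return f"{blocks * step // 1024}k"


if __name__ == "__main__":
    print(f"header block: {header_block_size(SAMPLE_RESPONSE)} bytes")
    for name, size in largest_headers(SAMPLE_RESPONSE):
        print(f"  {name}: {size} bytes")
    for setting in (DEFAULT_PROXY_BUFFER_SIZE, "32k"):
        print(f"fits in {setting}: {fits_in_buffer(SAMPLE_RESPONSE, setting)}")
    print(f"smallest 4k-aligned buffer: {smallest_buffer(SAMPLE_RESPONSE)}")
```

Feed it the headers captured from the failing request (for example with curl -D - against the backend service from inside the cluster) to confirm that the 502 really is a buffer-size problem and to pick a value that fits with some headroom instead of guessing.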

"500 Internal Server Error" on login

Most probable cause: "Email verified" was not enabled when the user was created in Keycloak. Open Users in the Keycloak admin console, select the user, turn on "Email verified" under Details, save, and retry the login. Unlike the 502 above, a 500 here comes from Keycloak itself, so the Keycloak pod log contains the stack trace that confirms the cause.

"Invalid parameter: redirect_uri" on opening prokube page

Keycloak returns this error when the redirect_uri in the authorization request does not match any entry in the client's "Valid redirect URIs". Check that the "Root URL" parameter of the dex-oidc-client Client in Keycloak is correct: relative redirect entries are resolved against it, so a wrong Root URL invalidates the whole list. Compare the redirect_uri shown in the browser's address bar with the client's configured URIs. Do not work around the error by adding a bare "*" wildcard; that lets any site receive authorization codes for the client.
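The three Keycloak-side checks on this page (the EntraID identity provider's Prompt setting, users without "Email verified", and the dex-oidc-client redirect URIs against its Root URL) can be run offline against a realm export. The script below is an added example, not part of this FAQ or of the Keycloak project. It reads the JSON shape of a Keycloak realm export (top-level identityProviders, users and clients) and models Keycloak's redirect_uri matching in simplified form: exact match, a trailing "*" wildcard, and relative entries resolved against Root URL. The realm name, the identity provider alias entraid, the users and the hostnames are constructed sample data; dex-oidc-client is the client name from this page. The REST endpoint named in with_prompt is Keycloak's admin API path for an identity provider instance.

```python
"""Audit a Keycloak realm export for the misconfigurations described in this FAQ.

Added example (not from the FAQ or Keycloak). SAMPLE_REALM is constructed data.
"""
import copy
import json
from typing import List, Optional

SAMPLE_REALM = {
    "realm": "prokube",
    "identityProviders": [
        {"alias": "entraid", "providerId": "oidc",
         "config": {"clientId": "11111111-2222-3333-4444-555555555555", "prompt": "none"}},
    ],
    "users": [
        {"username": "alice", "enabled": True, "emailVerified": True},
        {"username": "bob", "enabled": True, "emailVerified": False},
    ],
    "clients": [
        {"clientId": "dex-oidc-client", "rootUrl": "https://dex.prokube.example.test",
         "redirectUris": ["/callback"]},
        {"clientId": "grafana", "rootUrl": "https://grafana.example.test",
         "redirectUris": ["*"]},
    ],
}


def _find(items: list, key: str, value: str) -> Optional[dict]:
    """First entry of a realm-export list whose `key` equals `value`."""
    return next((item for item in items if item.get(key) == value), None)


def check_idp_prompt(realm: dict, alias: str) -> Optional[str]:
    """Current "prompt" of the identity provider, "unspecified" if unset, None if no such alias."""
    idp = _find(realm.get("identityProviders", []), "alias", alias)
    if idp is None:
        return None
    return idp.get("config", {}).get("prompt") or "unspecified"


def with_prompt(realm: dict, alias: str, prompt: str = "select_account") -> dict:
    """Copy of the identity-provider representation with `prompt` set; this is the body
    to PUT to /admin/realms/{realm}/identity-provider/instances/{alias}. Input unchanged."""
    idp = _find(realm.get("identityProviders", []), "alias", alias)
    if idp is None:
        raise KeyError(f"no identity provider with alias {alias!r}")
    patched = copy.deepcopy(idp)
    patched.setdefault("config", {})["prompt"] = prompt
    return patched


def users_without_verified_email(realm: dict) -> List[str]:
    """Usernames whose "Email verified" flag is off (the 500 Internal Server Error cause)."""
    return [u["username"] for u in realm.get("users", []) if not u.get("emailVerified", False)]


def _resolve(entry: str, root_url: str) -> str:
    """Relative entries in Valid Redirect URIs are resolved against the client's Root URL."""
    if entry.startswith("/") and root_url:
        return root_url.rstrip("/") + entry
    return entry


def redirect_uri_allowed(realm: dict, client_id: str, redirect_uri: str) -> bool:
    """Simplified model of Keycloak's redirect_uri check: exact match, or prefix match for
    entries ending in "*". A wrong Root URL therefore invalidates every relative entry."""
    client = _find(realm.get("clients", []), "clientId", client_id)
    if client is None:
        return False
    root = client.get("rootUrl") or ""
    for entry in client.get("redirectUris", []):
        pattern = _resolve(entry, root)
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def overly_permissive_redirects(realm: dict) -> List[str]:
    """Clients whose redirect list accepts any host: a bare "*" or a wildcard without a
    scheme and host. Such entries hand the client's authorization codes to any site."""
    flagged = []
    for client in realm.get("clients", []):
        root = client.get("rootUrl") or ""
        patterns = [_resolve(e, root) for e in client.get("redirectUris", [])]
        if any(p == "*" or (p.endswith("*") and "://" not in p) for p in patterns):
            flagged.append(client["clientId"])
    return flagged


def audit(realm: dict, idp_alias: str, client_id: str, redirect_uri: str) -> dict:
    """One report covering all three FAQ checks."""
    return {
        "idp_prompt": check_idp_prompt(realm, idp_alias),
        "unverified_users": users_without_verified_email(realm),
        "redirect_uri_allowed": redirect_uri_allowed(realm, client_id, redirect_uri),
        "open_redirect_clients": overly_permissive_redirects(realm),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_REALM, "entraid", "dex-oidc-client",
                   "https://dex.prokube.example.test/callback")
    print(json.dumps(report, indent=2))
```

On the sample the report shows prompt still at "none", bob without a verified email, the Dex callback accepted, and grafana flagged for its bare "*" entry. Applying the Prompt fix without the admin console is one command with Keycloak's admin CLI, using the sample's alias and realm: kcadm.sh update identity-provider/instances/entraid -r prokube -s config.prompt=select_account.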