keycloak: 403 login-status-iframe on Keycloak Docker Compose

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

admin/ui

Describe the bug

I just got Keycloak with compose, and when I try to get into the admin panel, it gets stuck in a loading loop. I checked the console to see what the issue is, and it throws a 403 on the URL: https://auth.ryuluna.com/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console&origin=https%3A%2F%2Fauth.ryuluna.com

I’m using the following compose yml:

version: "3"

services:

  keycloak:
    image: quay.io/keycloak/keycloak:latest
    restart: always
    command: start
    environment:
      KC_PROXY_ADDRESS_FORWARDING: "true"
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME: auth.ryuluna.com
      KC_PROXY: edge
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/$POSTGRES_DB?ssl=allow
      KC_DB_USERNAME: $POSTGRES_USER
      KC_DB_PASSWORD: $POSTGRES_PASSWORD
      KEYCLOAK_LOGLEVEL: ERROR
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password
    labels:
      - traefik.enable=true
      - traefik.http.routers.keycloak-http.rule=Host(`auth.ryuluna.com`)
      - traefik.http.routers.keycloak-http.entrypoints=web
      - traefik.http.routers.keycloak-http.service=keycloak
      - traefik.http.services.keycloak.loadbalancer.server.port=8080
    env_file:
      - .env
    networks:
      - traefik-net

  postgres:
    image: docker.io/postgres:14
    environment:
      POSTGRES_USER: $POSTGRES_USER
      POSTGRES_PASSWORD: $POSTGRES_PASSWORD
      POSTGRES_DB: $POSTGRES_DB
    env_file:
      - .env
    networks:
      - traefik-net

networks:
  traefik-net:
    external: true

Version

Latest

Expected behavior

.

Actual behavior

.

How to Reproduce?

.

Anything else?

No response

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 16 (1 by maintainers)

Most upvoted comments

      KC_HOSTNAME_URL: https://auth.ryuluna.com
      KC_HOSTNAME_ADMIN_URL: https://auth.ryuluna.com

Many thanks for this, it helped me. Docs should cover this somewhere. Managed to get into the account-console by adding Web origins: * in settings.

      # Booleans are quoted so the YAML parser passes them through as strings
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME_STRICT: "true"
      KC_HOSTNAME_URL: https://auth.ryuluna.com
      KC_HOSTNAME_ADMIN_URL: https://auth.ryuluna.com
      # DB
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/$POSTGRES_DB?ssl=allow
      KC_DB_USERNAME: $POSTGRES_USER
      KC_DB_PASSWORD: $POSTGRES_PASSWORD
      #
      KEYCLOAK_LOGLEVEL: ERROR
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password

These solved the problem… kinda stupid how the docs don't have these envs by default.

@chaeyan I had exactly the same issues as you. I fixed the "failed to initialize Keycloak" 403 status error by modifying Clients -> Account Console -> Settings -> Web origins, making it a '*' to cover all origins. In production this should probably be set to a trusted local subnet mask.

For me, it helped to remove 443 or 80 from the --hostname-url (KC_HOSTNAME_URL) and --hostname-admin-url (KC_HOSTNAME_ADMIN_URL) params.

      # Booleans are quoted so the YAML parser passes them through as strings
      KC_HTTP_ENABLED: "true"
      KC_HOSTNAME_STRICT: "false"
      KC_HOSTNAME_ADMIN_URL: https://auth.ryuluna.com
      # DB
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres/$POSTGRES_DB?ssl=allow
      KC_DB_USERNAME: $POSTGRES_USER
      KC_DB_PASSWORD: $POSTGRES_PASSWORD
      #
      KEYCLOAK_LOGLEVEL: ERROR
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password

Using these seems to solve it… a bit… because now it tries to request the iframe with https://auth.ryuluna.com:8443 as host and it fails.

FYI, I got Cloudflare and an SSL proxy on it, that's why I didn't do SSL stuff on Keycloak.
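
The comments above trace the 403 to hostname settings that do not line up with the origin the browser reports (an explicit 443 or 80, or a stray :8443). The preflight check below is an added example, not code from the issue or from Keycloak. It assumes, as the comments report, that such differences are enough to trigger the 403; `check_hostname_env`, `browser_origin`, `SAMPLE_ENV` and the host `auth.example.test` are made-up names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
HOSTNAME_KEYS = ("KC_HOSTNAME_URL", "KC_HOSTNAME_ADMIN_URL")


def browser_origin(url):
    """Serialize a URL's origin as a browser sends it: scheme://host[:port],
    lowercased, with the scheme's default port left out (RFC 6454)."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if parts.port in (None, DEFAULT_PORTS[scheme]):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def check_hostname_env(env, public_url):
    """Return (key, finding) pairs for hostname settings that will not match
    the origin the browser reports for public_url."""
    expected = browser_origin(public_url)
    findings = []
    for key in HOSTNAME_KEYS:
        value = env.get(key)
        if not value:
            findings.append((key, "unset"))
            continue
        parts = urlsplit(value)
        written = f"{parts.scheme}://{parts.netloc}"
        if browser_origin(value) != expected:
            findings.append((key, "origin-mismatch"))
        elif written != expected:
            # Same origin, but written with :443/:80 or different letter case.
            findings.append((key, "non-canonical"))
    return findings


# Constructed sample values; auth.example.test stands in for the real host.
SAMPLE_ENV = {
    "KC_HOSTNAME_URL": "https://auth.example.test:443",
    "KC_HOSTNAME_ADMIN_URL": "https://auth.example.test:8443",
}

if __name__ == "__main__":
    for key, finding in check_hostname_env(SAMPLE_ENV, "https://auth.example.test"):
        print(f"{key}: {finding}")
```

Run it against the environment block of the compose file before deploying; an empty result means both settings are written exactly as the browser serializes the public origin.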