keycloak: Admin console does not work with reverse proxy

Describe the bug

With a past Keycloak version (16.1.1), I was able to proxy everything Keycloak-related (/admin, /auth) under the path /keycloak on my host. I currently struggle to achieve the same with 18.0.

Version

18.0

Expected behavior

I expect that /admin can be proxied under a path (e.g., /keycloak) on my host as before.

Actual behavior

Attempt 1: Use --hostname-path

I start Keycloak with kc.sh start proxy=edge --hostname-path=keycloak --http-enabled=true and set the hostname via ENV KC_HOSTNAME. My reverse proxy config is /keycloak -> http://local-keycloak:8080. Navigating to /keycloak shows the landing page and, e.g., resources are correctly loaded from /keycloak/resources as expected. However, the href emitted for the admin console link does not honor the provided hostname-path and points to /admin on my host. Navigating manually to /keycloak/admin/master/console/ yields a broken page, as the resources are now loaded from /resources on my host, which is quite strange, as on the login page the --hostname-path was honored.

Attempt 2: Use --http-relative-path

I build Keycloak with --http-relative-path=keycloak and start Keycloak with kc.sh start proxy=edge --http-enabled=true and set the hostname via ENV KC_HOSTNAME. Reverse proxy setting is now /keycloak -> http://local-keycloak:8080/keycloak. Again, navigating to /keycloak shows the landing page and, e.g., resources are correctly loaded from /keycloak/resources as expected. Clicking on the admin console redirects me to /keycloak/admin/master/console/, but now the page is white and starts refreshing every couple of seconds.

How to Reproduce?

Please refer to this repo I created to reproduce the problem.

Anything else?

While searching around, a couple of people suggested using --hostname-admin, but this gives me an unknown option error.

I see two ways to work around this:

  1. I go with attempt 1 and proxy /admin etc. on my host to the container; however, this would make using the /keycloak path in the first place kind of useless.
  2. I move Keycloak to a dedicated subdomain, e.g., auth.example.org, and do not rely on proxied paths altogether, but this would require a couple of changes in production, which I would really like to avoid.

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 20 (6 by maintainers)
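
A way to check for the symptom described in Attempt 1, as an added example that is not part of the original issue or of Keycloak's code: it parses a served page and lists same-host URLs whose path falls outside the proxied prefix. The sample HTML, the example.org host and the name links_outside_prefix are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (not real Keycloak output): static resources honor the
# /keycloak prefix, but the admin console link points at /admin on the host.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/keycloak/resources/abc12/welcome/css/welcome.css">
<script src="/keycloak/resources/abc12/common/lib.js"></script>
</head><body>
<a href="/admin/">Administration Console</a>
<a href="https://www.keycloak.org/documentation">Documentation</a>
<form action="welcome" method="post"></form>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value in the document."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links.extend(v for k, v in attrs if k in self.URL_ATTRS and v)

def links_outside_prefix(html, page_url, prefix):
    """Return same-host URLs referenced by the page whose path escapes prefix."""
    stripped = prefix.strip("/")
    prefix = f"/{stripped}/" if stripped else "/"
    origin = urlsplit(page_url)
    collector = _LinkCollector()
    collector.feed(html)
    escaped = []
    for raw in collector.links:
        target = urlsplit(urljoin(page_url, raw))  # resolve relative references
        if target.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, data: and similar
        if target.hostname != origin.hostname:
            continue  # external link, the proxied path does not apply
        # Append "/" so that "/keycloak" matches but "/keycloakx" does not.
        if not ((target.path or "/") + "/").startswith(prefix):
            escaped.append(target.geturl())
    return escaped

if __name__ == "__main__":
    for url in links_outside_prefix(SAMPLE_PAGE, "https://example.org/keycloak/", "keycloak"):
        print("escapes proxied path:", url)
```
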

Most upvoted comments

Problem solved for me after removing the KC_HOSTNAME_PORT=443 variable from the config:

KC_HTTP_ENABLED=true
KC_PROXY=passthrough
KC_HOSTNAME=localhost
KC_HOSTNAME_STRICT=false
KC_HOSTNAME_STRICT_HTTPS=false
KC_HTTP_RELATIVE_PATH=/auth

It now works both in http and https.

This is weird, as when calling https://localhost/auth the port is by default 443, which clearly matches the value of KC_HOSTNAME_PORT. So I don’t understand why explicitly setting KC_HOSTNAME_PORT=443 is a problem.

@pedroigor Thanks for your comment and updating the docs! I can confirm that adding --hostname-strict-https=false as a start parameter works when using the --http-relative-path approach! 🎉