keycloak: keycloak.js fails to load from the UI when behind a reverse proxy and KC_PROXY = `edge`

Describe the bug

In the frontend, authUrl and authServerUrl should respect KC_PROXY being set to edge mode and should probably use X-Forwarded-Proto instead of the request protocol to construct the URL for frontend requests.

The initial result of this is that in the templates the URL for the keycloak.js resource is incorrect, although the issues are probably bigger, as the URL is also used for other JS-invoked API calls, looking at the code.

Version

17.0.0

Expected behavior

    <script type="text/javascript">
      var authServerUrl = 'https://...';
      var authUrl = 'https://....';
    ...

Actual behavior

    <script type="text/javascript">
      var authServerUrl = 'http://...';
      var authUrl = 'http://....';
    ...

Only setting KC_PROXY to reencrypt and communicating over HTTPS behind the proxy server resolves the issue and correctly sets the frontend URLs.

How to Reproduce?

Run a proxy server with SSL termination and set the KC_PROXY option to ‘edge’.

Load the /admin/master/console/ HTML file and you will see authUrl and authServerUrl set to http://{hostname} and not https://{hostname}. The browser will then try to connect on this port and fail.

For reference this was the NGINX configuration used:

    server {
        listen 443 ssl http2;
        server_name login.test.test;
        server_tokens off;

        ssl_certificate /etc/nginx/certs/tls.crt;
        ssl_certificate_key /etc/nginx/certs/tls.key;
        ssl_dhparam /etc/nginx/ssl-dhparams.pem;

        location / {
            set $upstream http://keycloak:8080;
            proxy_pass  $upstream;
            proxy_set_header    Host                $http_host;
            proxy_set_header    X-Real-IP           $remote_addr;
            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Proto   $http_x_forwarded_proto;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

Anything else?

Setting KC_HOSTNAME_SCRICT_HTTPS: true also didn’t help. (not sure if this option is correct or used)
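An added example, not the reporter's configuration and not part of the original issue: the NGINX block above with the one line a defender would change. At a TLS-terminating edge the proxy must state the scheme itself via nginx's `$scheme` variable rather than copy the inbound `$http_x_forwarded_proto`, because a browser sends no such header (nginx then omits the empty header entirely) and any client that does send one gets to choose the scheme Keycloak believes it was reached over. Upstream name, certificate paths and the `login.test.test` placeholder hostname are taken from the report.

```nginx
server {
    listen 443 ssl http2;
    server_name login.test.test;
    server_tokens off;

    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_dhparam         /etc/nginx/ssl-dhparams.pem;

    location / {
        proxy_pass         http://keycloak:8080;
        proxy_http_version 1.1;

        proxy_set_header Host            $http_host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Weak (the line from the report): forwards whatever the client sent.
        # With no inbound header the value is empty and nginx drops the
        # header, so Keycloak falls back to the plain-HTTP request scheme;
        # with a client-supplied header the client controls the value.
        # proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        # Corrected: the proxy that terminated TLS reports the real scheme.
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

This only guarantees that the header Keycloak reads in KC_PROXY=edge mode is set by the proxy and not by the client; whether a given 17.0.x build then renders https URLs in every template is what the issue itself is about.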

Most upvoted comments

The fix is here, but it was not released yet 😦

Now tried with

    - --hostname
    - keycloak.domain.tld
    - --hostname-strict-https
    - "true"

and of course

    - name: KC_PROXY
      value: edge

with 17.0.1 and always get authServerUrl = 'https' but authUrl = 'http' and the link to keycloak.js is http.

With 17.0.0 it just works.

This configuration of @Thirsa works! 🎉

@gitdode

With 17.0.0 it just works.

I confirm!

with this configuration in the deployment file it works:

    image: quay.io/keycloak/keycloak:17.0.0
    args: ["start-dev"]
    env:
      - name: KEYCLOAK_ADMIN
        value: "admin"
      - name: KEYCLOAK_ADMIN_PASSWORD
        value: "somepass"
      - name: KC_PROXY
        value: "edge"
      - name: KC_HOSTNAME
        value: "keycloak.domain.tld"
      - name: KC_HOSTNAME_STRICT_HTTPS
        value: "true"

You just have to know to set those additional ENVs I guess. Though I can’t find the KC_HOSTNAME_STRICT_HTTPS here https://www.keycloak.org/server/all-config

Thank you! 💪

However, with 17.0.1, I run into the same issue. The keycloak.js is served (hard) via HTTP, which results in some issues where we have HSTS applied.

Thanks for all your help!

Problem is not only related to the protocol. Shouldn't the URL be relative instead of being absolute?

In my case, the hostname is wrong since it doesn't include the port.