keycloak: non TLS connection: Blank admin console page due to missing 3p-cookies/step1.html resource

Describe the bug

In my setup, the TLS is done in TLS Apache endpoint as reverse proxy, thus I did not setup any TLS stuff in keycloak.

Usage of admin console is done in internal network directly.

I get a blank admin console page after login.

Root cause: the resource 3p-cookies/step1.html will be loaded as a TLS connection with https, but that fails on port 8080:

GET https://10.1.93.60:8080/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=9qn3t

It does not happen if I set the “hidden” property hostname-strict-https=false. The resource 3p-cookies/step1.html is then loaded successfully as a normal http connection

GET http://10.1.93.60:8080/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=9qn3t

and the admin console page is displayed.

My configuration:

# I do NOT set `hostname` nor `hostname-admin`

# remaining possible related settings in use are
proxy=edge
hostname-strict=false

http-enabled=true
http-relative-path=/auth

# How disable strict https
# https://github.com/keycloak/keycloak/discussions/10740
# Undocumented config parameter
hostname-strict-https=false

Version

17.0.1

Expected behavior

If http-enabled=true is used and keycloak is called with its direct IP, the admin console page is shown after login without using the hidden property hostname-strict-https=false.

Actual behavior

The faulty call of the resource 3p-cookies/step1.html blocks usage of the page; it loops trying to get the whole page.

How to Reproduce?

No response

Anything else?

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 8
  • Comments: 16 (11 by maintainers)

Most upvoted comments

@pedroigor Hello, I’m also facing a similar issue while using keycloak 20.0 with its Kubernetes Operator version 20.0.

I have keycloak running on a reverse proxy…

I’ve set HTTP enabled to false. I’ve set the proxy type to edge. I’ve set strict back channel to false.

The hostname is the public domain name but without the scheme.

When I exec into the pod and look at the set env variables:

KC_STRICT_HTTPS=false
KC_HOSTNAME_STRICT=false
KC_HOSTNAME_STRICT_BACKCHANNEL=false
KC_PROXY=edge
KC_HTTP_ENABLED=true

But in the logs I’m still seeing Strict HTTPS: true

When I visit the hostname I can see the main Keycloak landing page, but when I click on the administration console, I’m stuck at loading the admin console.

Is there something I’ve missed in the configuration or something that I’ve done wrong?

@psytester I thought it was clear that the problem here is related to how the server enforces TLS by default, as we started discussing from this point: https://github.com/keycloak/keycloak/issues/11170#issuecomment-1110098798.

The iframe (3p-cookies/step1.html) is not an “admin URL” but a frontend URL, and that is the reason why you have https using a non-TLS port in the URLs.

Sorry for closing without a reference to a guide. We updated the hostname guide to include this section https://www.keycloak.org/server/hostname#_accessing_keycloak_in_production_mode_using_http.

Please, let me know if it works for you.

I too was trying to run keycloak under reverse proxy and ran into problems, which led me to this thread. I’ll share the configuration that worked for me. I was trying to run it with KC_PROXY=edge configuration.

The way it worked was to set KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL. Setting KC_HOSTNAME_URL fixes the mixed content bug, and setting KC_HOSTNAME_ADMIN_URL prevents keycloak from throwing 403 errors!
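The keycloak.conf shape the comment above describes, written out as an added example (it is not the commenter's file, the issue author's configuration, or anything shipped by the Keycloak project); the public hostname sso.example.test is a placeholder and the internal port 8080 is taken from the issue's setup:

```properties
# Added example, not from the issue or the Keycloak project.
# Keycloak 18+ behind a TLS-terminating reverse proxy that talks plain HTTP
# to Keycloak on port 8080. Hostnames are placeholders.

# --- Settings from the issue that still leave frontend URLs on https ---
# proxy=edge
# http-enabled=true
# http-relative-path=/auth
# hostname-strict=false
#
# With only these, the 3p-cookies/step1.html iframe (a frontend URL) is
# generated as https://<host>:8080/..., a TLS scheme on a non-TLS port.
# hostname-strict-https=false is an undocumented workaround, not a fix.

# --- Corrected form, following the comment above in this thread ---
proxy=edge
http-enabled=true
http-relative-path=/auth

# Public base URL the proxy exposes. Keycloak uses it for all frontend URLs,
# so the 3p-cookies iframe is requested over https on the proxy, not on 8080.
hostname-url=https://sso.example.test/auth

# Base URL for the admin console. The comment above reports that setting it
# stopped the 403 errors on the admin console.
hostname-admin-url=https://sso.example.test/auth
```

With proxy=edge the reverse proxy must forward the X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host headers, otherwise Keycloak cannot tell which scheme the client used. If the admin console is reached directly on the internal network, as in the original report, hostname-admin-url can point at that internal base instead of the public one; the two options are independent.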

@pedroigor I installed 18.0.0 and the error still exists. 3p-cookies/step1.html can not be loaded due to the https scheme.