keycloak: open-id endpoint doesn't return port from behind proxy when running behind proxy

Describe the bug

When running in Istio behind a proxy, for all of the apps starting up and registering via the OpenID endpoint, the open-id endpoint doesn't return the port in the iss claim. But outside of k8s, going through the reverse proxy does return the port.

Version

18.0.2

Expected behavior

The iss claim is returned with the correct port

Actual behavior

No port is included in the iss claim when connecting to the OpenID endpoint without going through the proxy.

How to Reproduce?

Run in istio with the istio ingress gateway acting as a reverse proxy.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: config
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - gateway
  http:
  - match:
    - uri:
        exact: /auth
    - uri:
        prefix: /auth/
    route:
    - destination:
        host: keycloak
        port:
          number: 8080
      headers:
        request:
          set:
            X-Forwarded-For: ""
            X-Forwarded-Proto: "https"
            X-Forwarded-Host: "${INGRESS_HOST}:${SECURE_INGRESS_PORT}"

The Keycloak config is

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: foo
  labels:
    app: keycloak
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
        version: v1
    spec:
      imagePullSecrets:
      - name: dockercfg
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:18.0.1
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        - name: KC_DB_URL_HOST
          valueFrom:
            configMapKeyRef:
              name: keycloak-config
              key: db-addr
        - name: KC_DB_USERNAME
          value: keycloak
        - name: KC_DB_PASSWORD
          value: postgres
        - name: KC_PROXY
          value: passthrough
        - name: KC_CACHE
          value: none
        - name: KC_HOSTNAME_STRICT_HTTPS
          value: "false"
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HOSTNAME_STRICT_BACKCHANNEL
          value: "false"
        - name: KC_HOSTNAME_STRICT
          value: "false"
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: foo
spec:
  selector:
    app: keycloak
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080

Hitting the OpenID endpoint from outside of k8s gets the port: "issuer":"https://10.200.16.74:32611/auth/realms/foo",

while going to the endpoint from inside the keycloak container gets it without the port:

sh-4.4$ curl http://keycloak.foo:80/auth/realms/foo/.well-known/openid-configuration
{"issuer":"http://keycloak.foo/auth/realms/foo" ... 
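The difference above comes from how the issuer is derived from the request authority: a port equal to the scheme's default (80 for http, 443 for https) is dropped, and forwarded headers, when honored, replace the scheme and Host seen on the backend connection. The script below is an added illustration, not Keycloak's code or anything from this issue; the function names, the simplified derivation rule and the trimmed discovery documents are constructed here, and the second function is the check a practitioner would run to confirm every vantage point advertises the same issuer before relying on token validation across them.

```python
import json

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_issuer(scheme, host_header, forwarded=None, path="/auth/realms/foo"):
    """Issuer URL a server derives from the request authority (simplified model).

    If `forwarded` (X-Forwarded-Proto / X-Forwarded-Host) is honored, it
    overrides the connection scheme and Host header. A port equal to the
    scheme's default is omitted, which is why an http request sent to
    keycloak.foo:80 yields an issuer with no port at all.
    """
    if forwarded:
        scheme = forwarded.get("X-Forwarded-Proto", scheme)
        host_header = forwarded.get("X-Forwarded-Host", host_header)
    host, _, port = host_header.partition(":")
    port = int(port) if port else DEFAULT_PORTS[scheme]
    authority = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def issuer_of(discovery_json):
    """Extract the issuer field from an openid-configuration document."""
    return json.loads(discovery_json)["issuer"]


def issuer_mismatches(discovery_by_vantage):
    """Return vantage points whose issuer differs from the first one listed.

    Clients validate the `iss` claim against the issuer they discovered, so a
    mismatch means tokens obtained via one path fail validation on another.
    """
    issuers = {name: issuer_of(doc) for name, doc in discovery_by_vantage.items()}
    reference = next(iter(issuers.values()))
    return sorted(name for name, iss in issuers.items() if iss != reference)


# Constructed sample discovery documents, trimmed to the issuer field only.
EXTERNAL_DOC = '{"issuer":"https://10.200.16.74:32611/auth/realms/foo"}'
INTERNAL_DOC = '{"issuer":"http://keycloak.foo/auth/realms/foo"}'

if __name__ == "__main__":
    print(effective_issuer("http", "keycloak.foo:80"))
    print(effective_issuer("http", "keycloak.foo:80",
                           {"X-Forwarded-Proto": "https",
                            "X-Forwarded-Host": "10.200.16.74:32611"}))
    print(issuer_mismatches({"external": EXTERNAL_DOC, "in-cluster": INTERNAL_DOC}))
```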

Anything else?

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

Thanks. I found the issue with the 403. The db image I was using was set up previously by someone else and it was really old. I updated to our latest and it was meant for a non-service-mesh deployment. I thought I had found everything. But a diff in the realm export found that the realm configuration parameter require-ssl was set to yes. This resolved that issue. Hoping that noting this here helps someone else.