[KC 17.x.x] How to access admin UI from port-forwarded/internal URL / prevent redirect from internal url to KC_HOSTNAME

armujahid · April 12, 2022, 7:14am

Steps to reproduce this issue:

Objective:
keycloak is deployed in kubernetes with proxy=edge with a hostname/KC_HOSTNAME=public.url. I want to restrict admin UI access by allowing it only from internal url by doing port-forwarding

kubectl port-forward svc/keycloak 9010:80
now http://localhost:9010/admin should work but https://public.url/admin shouldn’t work (assuming that I blocked it using reverse proxy)

I have tried setting adminUrl using KC_HOSTNAME_ADMIN but it doesn’t work.

Problem:
Currently port-forwarded local url http://localhost:9010 is working but it is redirecting me to KC_HOSTNAME

As far as I know same setup was working fine with keycloak <17

Environment variables:
KC_HOSTNAME=public.url
KC_PROXY=edge

Startup log:

INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: public.url, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin: <request>, Port: -1, Proxied: true

Related information:
mentioned at https://www.keycloak.org/docs/latest/server_installation/
“If you do not want to expose the admin endpoints and console on the public domain use the property adminUrl to set a fixed URL for the admin console, which is different to the frontendUrl. It is also required to block access to /auth/admin externally”

Also posted at [KC 17.x.x] How to access admin UI from port-forwarded/internal URL / prevent redirect from internal url to KC_HOSTNAME · keycloak/keycloak · Discussion #11237 · GitHub

jangaraj · April 12, 2022, 10:41am

Did you try to remove env variable KC_HOSTNAME?

armujahid · April 12, 2022, 11:01am

without KC_HOSTNAME I get this blank page without any console error with 404 error for this call
https://localhost:9010/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=opwzf

wadahiro · April 13, 2022, 2:40am

In addition to KC_HOSTNAME, please set KC_SPI_HOSTNAME_DEFAULT_ADMIN for adminUrl.

KC_HOSTNAME is an alias for KC_SPI_HOSTNAME_DEFAULT_HOSTNAME. But there is no alias for KC_SPI_HOSTNAME_DEFAULT_ADMIN currently.

armujahid · April 13, 2022, 4:55am

after setting KC_SPI_HOSTNAME_DEFAULT_ADMIN to localhost. keycloak is starting with these settings (you can see that Admin is now localhost)

[org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: public.url, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin: localhost, Port: -1, Proxied: true

But I am still getting same redirection issue after clicking on Admin console link http://localhost:9010/admin/. It redirects me to https://public.url/realms/master/protocol/ (screenshot attached in my question).

it could be port issue. I have also tried with KC_SPI_HOSTNAME_DEFAULT_ADMIN = localhost:9010 (Although I know that port is not part of hostname) but I still get same issue

armujahid · April 13, 2022, 5:35am

My issue can be reproduced by running this docker-compose file

version: "3"
services:
  keycloak:
    image: quay.io/keycloak/keycloak:17.0.1
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_PROXY: edge
      KC_HOSTNAME: localhost:8080
      KC_SPI_HOSTNAME_DEFAULT_ADMIN: localhost:8081
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]
    ports:
      - 8080:8080
      - 8081:8080

startup logs:

keycloak_1  | 2022-04-13 05:30:34,890 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: localhost:8080, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: localhost:8081, Port: -1, Proxied: true

Open http://localhost:8081 and click on administration console. You will be redirected to http://localhost:8080/realms/master/protocol/…

wadahiro · April 13, 2022, 3:06pm

One thing I forgot to mention: set the “frontend URL” in the master realm to the admin URL (Note: you need the scheme here like http(s)://〜).

Reference: frontendUrl and adminUrl - how to restrict admin console to internal IP only?

However, changing the port number require a slightly tricky configuration. if you want to use localhost:8080 and localhost:8081, start with the following command, then add “http://localhost:8081” to the “frontend URL” of the master realm.

docker run -e KC_HOSTNAME=localhost -e KC_HOSTNAME_PORT=8080 -e KC_SPI_HOSTNAME_DEFAULT_ADMIN=localhost -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8080:8080 -p 8081:8080 quay.io/keycloak/keycloak:17.0.1 start-dev

armujahid · April 14, 2022, 5:17am

after setting frontend URL of the master realm to http://localhost:9010 I started getting this issue. You can see that API call http://localhost/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=opwzf has host without port.

I had to execute

"DELETE FROM REALM_ATTRIBUTE WHERE `REALM_ATTRIBUTE`.`NAME` = 'frontendUrl' AND `REALM_ATTRIBUTE`.`REALM_ID` = 'master'"

to rollback this change.

Also note that without any of these changes keycloak APIs are still accessible from inside kubernetes cluster from http://keycloak (internal service url) and all admin service calls are working fine. This issue is only occurring for Admin frontend.

Your setup is working without KC_PROXY=edge. You can try your docker run command with KC_PROXY=edge to reproduce this issue

docker run -e KC_HOSTNAME=localhost -e KC_HOSTNAME_PORT=8080 -e KC_SPI_HOSTNAME_DEFAULT_ADMIN=localhost -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -e KC_PROXY=edge -p 8080:8080 -p 8081:8080 quay.io/keycloak/keycloak:17.0.1 start-dev

armujahid · April 14, 2022, 5:22am

Note that keycloak APIs are still accessible from inside kubernetes cluster from http://keycloak (internal service url) and all admin service calls are working fine. This issue is only occurring while accessing Admin frontend from http://localhost:9010 after port-forwarding keycloak kubectl port-forward svc/keycloak 9010:80

acidsys · April 30, 2022, 8:35pm

Hi,

what is

KC_SPI_HOSTNAME_DEFAULT_ADMIN

in a non-Docker environment, i.e. in a regular keycloak.conf ?
Where is this documented?

Thank you!

rvanderboom · July 4, 2022, 9:40am

Hey,

I have same issue, getting 404 on the step1.html and step2.html files.

I have configured different host name for the admin login (internal)…
everything works only i got 404 on the admin step1.html (white page).
When i specifically set frontendUrl of master admin to the main (public) url i can login but this is NOT what i want, since i want to have admin on internal domain., so the step1.htmls are not public reachable.

anyone already found solution ? I thiink it is a bug in keycloak, also tried keycloak quarkus 18, same.

Topic		Replies	Views
Accessing admin UI behind reverse proxy Configuring the server	2	1908	April 2, 2022
Keycloak 17.0.1 Admin console on Edge mode	6	3939	April 11, 2022
The option KC_HOSTNAME_ADMIN does not work Configuring the server admin-console	8	15266	April 2, 2024
Changing identity provider redirect uri to use KC_HOSTNAME instead of KC_HOSTNAME_ADMIN Configuring the server identity-brokering	5	1317	February 17, 2024
frontendUrl and adminUrl - how to restrict admin console to internal IP only? Configuring the server	1	9379	May 14, 2020

[KC 17.x.x] How to access admin UI from port-forwarded/internal URL / prevent redirect from internal url to KC_HOSTNAME

Related Topics