Objective:
Keycloak is deployed in Kubernetes with proxy=edge and hostname/KC_HOSTNAME=public.url. I want to restrict admin UI access by allowing it only from an internal URL via port-forwarding.
Related information:
Mentioned at https://www.keycloak.org/docs/latest/server_installation/
“If you do not want to expose the admin endpoints and console on the public domain use the property adminUrl to set a fixed URL for the admin console, which is different to the frontendUrl. It is also required to block access to /auth/admin externally”
It could be a port issue. I have also tried with KC_SPI_HOSTNAME_DEFAULT_ADMIN = localhost:9010 (although I know that the port is not part of the hostname), but I still get the same issue.
However, changing the port number requires a slightly tricky configuration. If you want to use localhost:8080 and localhost:8081, start with the following command, then add “http://localhost:8081” to the “frontend URL” of the master realm.
"DELETE FROM REALM_ATTRIBUTE WHERE `REALM_ATTRIBUTE`.`NAME` = 'frontendUrl' AND `REALM_ATTRIBUTE`.`REALM_ID` = 'master'"
to roll back this change.
Also note that without any of these changes, Keycloak APIs are still accessible from inside the Kubernetes cluster from http://keycloak (internal service URL) and all admin service calls are working fine. This issue is only occurring for the Admin frontend.
Your setup is working without KC_PROXY=edge. You can try your docker run command with KC_PROXY=edge to reproduce this issue.
Note that Keycloak APIs are still accessible from inside the Kubernetes cluster from http://keycloak (internal service URL) and all admin service calls are working fine. This issue is only occurring while accessing the Admin frontend from http://localhost:9010 after port-forwarding Keycloak: kubectl port-forward svc/keycloak 9010:80
I have the same issue, getting 404 on the step1.html and step2.html files.
I have configured a different hostname for the admin login (internal)…
Everything works, only I got a 404 on the admin step1.html (white page).
When I specifically set the frontendUrl of master admin to the main (public) URL I can log in, but this is NOT what I want, since I want to have admin on an internal domain, so the step1.htmls are not publicly reachable.
Has anyone already found a solution? I think it is a bug in Keycloak; I also tried Keycloak Quarkus 18, same.
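Added example, not from any poster in this thread or from the Keycloak project: one way to carry out the "block access to the admin endpoints externally" step in the documentation quoted above, as a Kubernetes Ingress that routes only non-admin paths on the public host. It covers the external blocking only, not the 404 on step1.html. Assumptions: the Quarkus distribution served at the root path (so the console lives under /admin rather than /auth/admin), an ingress class named nginx, and the Service keycloak on port 80 from the port-forward command; the resource name keycloak-public is hypothetical.

```yaml
# Added example: public Ingress exposing only the non-admin Keycloak paths.
# Assumptions: Quarkus distribution at the root path, ingress class "nginx",
# Service "keycloak" on port 80; the name "keycloak-public" is hypothetical.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-public
spec:
  ingressClassName: nginx
  rules:
    - host: public.url            # the KC_HOSTNAME value from the thread
      http:
        paths:
          - path: /realms         # login, token and OIDC discovery endpoints
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 80
          - path: /resources      # themes and static assets for login pages
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 80
          - path: /js             # keycloak.js, where the server still serves it
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 80
          - path: /robots.txt
            pathType: Exact
            backend:
              service:
                name: keycloak
                port:
                  number: 80
# No rule matches /admin, /metrics or /health, so the public host never
# forwards them to Keycloak. The admin console stays reachable only through
# the cluster-internal Service, e.g. via kubectl port-forward.
```

A request to public.url/admin/ should return the ingress controller's own 404, while public.url/realms/master/.well-known/openid-configuration still answers.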