Accessing admin UI behind reverse proxy

Hello,

I am deploying Keycloak 17.0.1 Quarkus with Kubernetes. I see in the docs about setting up the reverse proxy that it’s preferable to not expose the admin endpoint.

I managed to do this but then I can’t find a way to access the admin UI by port-forwarding the service directly. I can access the welcome page at localhost:8080 while it’s blocked at keycloak.minikube.local, but when I click to open the admin console I get redirected to keycloak.minikube.local/realms/master/protocol/openid-connect/auth?... which shows “Invalid parameter: redirect_uri”. I tried tweaking the KC_HOSTNAME_STRICT env var to circumvent this without success.

The redirect_uri in the query parameters is localhost:8080/admin/master/console. Is there a missing setting for my setup? The KC_PROXY var is set to edge. Or am I looking at the wrong solution to access the admin console when it’s not exposed by the reverse proxy?

Thank you very much.

2 Likes

Perhaps a slightly different approach could be to restrict access to the admin console via the reverse proxy: this way, all traffic goes via the reverse proxy (easy configuration), but the admin console is protected (use IP whitelisting or additional basic authentication in your reverse proxy config).
Example for Apache httpd to restrict admin access to local network only:

<Location "/admin">
        Require all denied
        Require ip 10.10
</Location>
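
Added example, not part of the reply above and not Apache or Keycloak code: a small Python model of how Apache httpd 2.4 reads the argument of `Require ip 10.10`, to show which peer addresses the rule admits to `/admin`. The function names are hypothetical and the sample addresses are constructed.

```python
import ipaddress


def require_ip_to_network(spec):
    """Translate one `Require ip` argument into an ipaddress network.

    Accepted forms: full address, partial IPv4 address (first 1 to 3
    octets), network/netmask, and CIDR.
    """
    if "/" in spec or ":" in spec:
        # CIDR, network/netmask, or an IPv6 address.
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not a valid Require ip argument: {spec!r}")
    # A partial address is matched octet by octet, not as a string
    # prefix, so "10.10" means 10.10.0.0/16.
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


def is_allowed(peer_ip, specs):
    """True if the connecting peer matches any `Require ip` argument."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in require_ip_to_network(s) for s in specs)


def evaluate(peers, specs):
    """Map each peer address to the allow/deny decision for /admin."""
    return {peer: is_allowed(peer, specs) for peer in peers}


# Constructed sample peers; only the rule "10.10" comes from the post.
SAMPLE_PEERS = [
    "10.10.3.7",     # inside 10.10.0.0/16
    "10.100.3.7",    # shares the text prefix "10.10" but is outside
    "10.1.0.5",      # different second octet
    "192.168.49.2",  # unrelated private range
]

if __name__ == "__main__":
    for peer, ok in evaluate(SAMPLE_PEERS, ["10.10"]).items():
        print(f"{peer:15} {'allow' if ok else 'deny'}")
```

The address Apache compares is that of the connecting peer. When another load balancer or ingress sits in front of httpd, that peer is the balancer itself unless mod_remoteip is configured to take the client address from a trusted header.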

I am having the same issue and the problem appears to be with a single script included in the admin console page.

All of the scripts seem to be using relative paths except one… The use of the container bound IP address seems to be the problem for me…


<script src="https://0.0.0.0/js/keycloak.js?version=hjy36" type="text/javascript"></script>

I have tried KC_HOSTNAME_STRICT, KC_HOSTNAME_ADMIN and several other things with no relief. There does not appear to be a way to access the admin console running behind a load balancer (reverse proxy).

1 Like