I am using quarkus based Keycloak version 20.x and the high level logical flow is
sso.abc.com → webserver → keycloak pods running in k8 cluster.
Right now all keycloak URLs (/realm/, /admin/) are available in internet thru sso.abc.com.
How can I expose only the login related URL and block the rest (e.g sso.abc.com/admin/*)? Our admin will access the keycloak-admin pages thru “http://localhost:8080/admin/…” by directly port-forwarding to the pods.
We can achieve this by adding the url filter at webserver level, but can’t do it for a different reason.
Note that, I was able to block the admin url in pre-quarkus version of keycloak (ver14.x) by adding the url pattern in standalone-ha.xml.
/subsystem=undertow/configuration=filter/expression-filter=blockAdminAccess1:add(,expression="path-prefix('/admin') and equals(%p, 8443) -> response-code(403)")
Is there similar configuration available in Quarkus based keycloak version 20.x ?
We have Apache HTTPD in front of Keycloak. The Apache manages which IP addresses are allow to ‘/admin’ (limited to within org). You may be able to do the same with load balancer etc. I’m not aware if possible to do so within Keycloak configuration - others more worthy than me may have suggestions.
All the best.
Yes, we can do it on the web-proxy. I may have to go for that approach if I don’t find any solution in keycloak.
FWIW: Keycloak allows you to configure a dedicated hostname for admin stuff: Configuring the hostname - Keycloak
Yes, I already have tried the hostname and host-name admin env variable. But it does not block the admin url when called using domain name. Here is what I tried.
The objective is to allow admin activities only thru http://localhost:8080/ and block it when called from http://sso.abc.com:8080/ . Here is the result,
- Started with http://sso.abc.com:8080/admin;
- Landed in login page that has url http://sso.abc.com:8080/realms/…
- Landed in http://localhost:8080/admin/master/console/#/ after the successful login.
The final admin url changed to localhost, but it did not prevent me in step 1. Its kind of solving my requirement partially as no matter what URL the user started, it ends in localhost. So user have to port-forward to access the localhost.
Just another update on the ^ solution.
Our requirement is not to reveal any OOB keycloak UI to end users except the login page (masked with our company’e theme). Few example of such pages are, account page (https://sso.abc.com/realms/SomeRealm/account), admin page (https://sso.abc.com/admin), and so on. The KC_HOSTNAME_ADMIN env variable takes care of routing the admin URL only. So looks like, only option to use web-proxy for blocking the unwanted URLs in quarkus based keycloak.
I have the same requirement with same infra setup and tried to achieve this in two ways -
- Nginx Location config with reverse proxy by allow/deny rule but it didn’t work for me.
- Running two Nginx Ingress one for / which is open to all and another for /auth/admin/(*) restricted by one single VPN IP but this also doesn’t work. All pages of Keycloak are accessible publicly.
Let me know if there is any solution available.
I am using Envoy proxy and here is an working example of sending 403 for path “/”, “/admin”, "/realms/master* and “/realms//account*”.
I’m trying to block the console with keycloak version 8th, I see you’ve done this previously, could you help with some more detailed infos like where do you add the url pattern in standalone-ha.xml file and do you have other code changes for that? thanks!
Here is an example of adding filter to block ‘https://xxx:8443/auth/admin’ url pattern in standalone-ha.xml
/subsystem=undertow/configuration=filter/expression-filter=blockAdminAccess1:add(,expression="path-prefix('/auth/admin') and equals(%p, 8443) -> response-code(403)")
Hope this helps!