Changing identity provider redirect uri to use KC_HOSTNAME instead of KC_HOSTNAME_ADMIN

I have configured my docker container and started up Keycloak with the following environment variables set.
KC_HOSTNAME = https://open-to-public-url/
KC_HOSTNAME_ADMIN = https://internally-accessible-admin-url/

I have followed Configuring the hostname - Keycloak and Using a reverse proxy - Keycloak to ensure that I am only exposing the URLs needed for Authentication/Authorization.

I want to add a new Identity Provider now, and while trying to do that through the link ‘https://internally-accessible-admin-url/’ the Redirect URI is of the form, https://internally-accessible-admin-url/realms/master/broker/keycloak-oidc/endpoint

is there any way to change this?

My assumption was the Redirect URI should be https://open-to-public-url/realms/master/broker/keycloak-oidc/endpoint

Hi,

I have the same question. How did you manage to solve it?

I figured that the host in the UI isn’t relevant so all is good for me now.

how did you solve this issue?
i have
KC_HOSTNAME = /auth
KC_HOSTNAME_ADMIN= /admin
and my uri is /admin instead of /auth.
how can it be generated with /auth

I also thought there was an issue here, but there’s not. I’m using different values for KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL, and the redirect_uri visible in the admin UI, for a new OIDC Identity Provider, is always is always based on KC_HOSTNAME_ADMIN_URL, but like @mohammedalics said : this value in the admin UI is not relevant, because it is not the real value that will be use with the OIDC Identity Provider.
Keycloak dynamicaly builds the redirect_uri based on the base domain of the initial authentication request.
Let me illustrate this with an example :

When you initiate an authentication with my-idp :

  1. the login page is at : http://public.localhost:8080/realms/my-realm/protocol/openid-connect/auth
  2. when you clic on login with my-idp, your browser calls this url : http://public.locahost:8080/realms/my-realm/broker/my-idp/login?{queryParams}
  3. This address respond with a 302, an redirects to ${the-idp-authorization-url}?redirect_uri=http://public.locahost:8080/realms/my-realm/broker/my-idp/endpoint&{otherStandardOidcQueryParams}

I was confused at first because I was testing the oidc provider from account page of my realm, using the link found on the clients list in the admin UI (but this link points at http://private.localhost:8888/realms/my-realm/account/ and so the login with idp button on the login page called the idp broker on the private domain, and so the redirect_uri given to the idp was also using this private domain.

1 Like

In addition to my previous answer, if you need to change the full redirect_uri (I had a use case like this with a test platform of a private idp, accepting only http://localhost:3000/callback as redirect_uri for test purposes), the only way to achieve this is to write your own custom SPI, derivated from OIDCIdentityProvider and override the createAuthorizationUrl method (call super() and then modify the redirect_uri query param in the returned uriBuilder).
You can get inspiration from the Google Social IDP SPI inside keycloak source code (it also override this method) : keycloak/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java at main · keycloak/keycloak · GitHub

1 Like