Because there’s no reason to render a welcome page in a production environment, we don’t want Keycloak to render the welcome page at /auth. We’d like it to return a 404 instead. Is this possible?
I am also facing the same problem.
Did you get any answer to this?
I don't know if there is a better solution.
But my suggestion would be to create a custom welcome theme that will give out this error.
Do you use a reverse proxy in front of Keycloak?
If yes, you could configure it to prevent access to /auth, except for some well-known endpoints like ^/auth/realms/(.*)/protocol/openid-connect or ^/auth/realms/(.*)/login-actions. You could even control access based on the source IP, e.g. to allow access from the local host or a whitelist of addresses only.
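One way to express the reverse-proxy suggestion above in nginx, as an added example that is not part of the original thread. The host name, upstream address, certificate paths and admin address range are placeholders, and the /auth/resources/ rule is an assumption added so that login pages can load their theme files.

```nginx
# Added example; names, addresses and paths below are placeholders/assumptions.
upstream keycloak_backend {
    server 127.0.0.1:8080;                        # assumed Keycloak HTTP listener
}

server {
    listen 443 ssl;
    server_name sso.example.com;                  # placeholder host name
    ssl_certificate     /etc/nginx/tls/sso.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # Forwarded headers, inherited by every location below.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Welcome page: answer 404 without contacting Keycloak.
    location = /auth  { return 404; }
    location = /auth/ { return 404; }

    # The two endpoint families named in the post, open to all clients.
    # [^/]+ (one realm segment) is a tighter form of the post's (.*).
    location ~ ^/auth/realms/[^/]+/(protocol/openid-connect|login-actions)/ {
        proxy_pass http://keycloak_backend;
    }

    # Assumption beyond the post: login pages load theme CSS/JS from here.
    location ^~ /auth/resources/ {
        proxy_pass http://keycloak_backend;
    }

    # Everything else under /auth (admin console, other endpoints):
    # local host and an allowlisted range only; other clients get 403.
    location /auth/ {
        allow 127.0.0.1;
        allow 192.0.2.0/24;                       # constructed admin range
        deny  all;
        proxy_pass http://keycloak_backend;
    }

    # Paths outside /auth are not served by this proxy.
    location / { return 404; }
}
```

Any other endpoint that clients rely on, such as a realm's /.well-known/openid-configuration document, falls into the restricted block until it is added to the open locations.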
Did you find any solution to this?
You can use a custom cli script. Take a look at this:
UPDATE:
Create a file called disable_welcome.cli containing:
/subsystem=undertow/server=default-server/host=default-host/location=\/:remove
This is how to instruct the Keycloak Docker container to run the script at startup: https://github.com/keycloak/keycloak-containers/blob/main/server/README.md#running-custom-scripts-on-startup
I found the solution if you use the Keycloak Docker image:
After running the Keycloak image, enter it using this command:
docker exec -it your_container_id /bin/bash
Go to the Keycloak themes folder:
cd /opt/jboss/keycloak/themes/keycloak
You will see a folder with the name welcome. You have two options:
1- remove it
2- or edit it
I recommend copying it to the host; then you can edit it and return it to the Docker image.
To copy it from the Docker image to the host:
docker cp your_container_id:/opt/jboss/keycloak/themes/keycloak/welcome path_folder_welcome_in_host
To return it to the Docker image:
docker cp path_folder_welcome_in_host your_container_id:/opt/jboss/keycloak/themes/keycloak/welcome
Alternatively, you can edit index.ftl (keycloak-x.x.x/themes/keycloak/welcome) and have your /auth page stripped to the bare minimum.
Or, what about something like…
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://www.example.com/" />
<meta name="robots" content="noindex, nofollow">
<script type="text/javascript">
window.location.href = "https://www.example.com/"
</script>
</head>
<body>
If you are not redirected automatically, follow this <a href='https://www.example.com/'>link</a>.
</body>
</html>
in keycloak/welcome-content/index.html ?
Hi,
my solution is to override /opt/jboss/keycloak/themes/keycloak/welcome/index.ftl with the following content.
<html>
<head>
<meta http-equiv="refresh" content="0; url=${adminUrl}" />
<meta name="robots" content="noindex, nofollow">
<script type="text/javascript">
window.location.href = "${adminUrl}"
</script>
</head>
<body>
If you are not redirected automatically, follow this <a href='${adminUrl}'>link</a>.
</body>
</html>
This is the top solution. I changed url and href to “/” and added a startup script to my Helm values to replace the HTML code automatically. I chose / because my Keycloak is mapped as a prefix path /auth to a main frontend page via my Ingress Controller. It will prevent simple users from accessing the Admin Login Page. But real Keycloak admins will open the /auth/admin path manually instead.
Startup Script:
# Startup scripts to run before Keycloak starts up
startupScripts:
  # Update welcome page
  update_welcome_page.sh: |
    #!/bin/bash
    # Back up the old welcome page
    cp /opt/jboss/keycloak/themes/keycloak/welcome/index.ftl /opt/jboss/keycloak/themes/keycloak/welcome/index.ftl_bkp
    # Create the new welcome page (double quotes inside, so the single-quoted shell string is not cut short)
    echo '<html>
    <head>
    <meta http-equiv="refresh" content="0; url=/" />
    <meta name="robots" content="noindex, nofollow">
    <script type="text/javascript">
    window.location.href = "/"
    </script>
    </head>
    <body>
    If you are not redirected automatically, follow this <a href="/">link</a>.
    </body>
    </html>' > /opt/jboss/keycloak/themes/keycloak/welcome/index.ftl