Cross domain impersonate

We usually log in to the admin console on our own URL (e.g. keycloak.mycompany.com) and we set a different frontend URL for a specific realm (e.g. auth.myproject.com).

I’ve set these Java opts

      -Dkeycloak.adminUrl=https://keycloak.mycompany.com
      -Dkeycloak.hostname.default.forceBackendUrlToFrontendUrl=true

and the problem is that when I click on impersonate in the admin console, I get redirected to the login page in the realm domain (auth.myproject.com).

It seems impossible to impersonate a user on a realm whose frontend URL is different from the console admin URL?

I’m running into the same issue and, from what I can tell, yes, impersonation is strictly impossible if your admin domain is different from your login domain, because the impersonate endpoint works by including set-cookies in the response header, but if your admin domain is different those cookies will be set in the wrong origin and you won’t be logged in when redirected to the app.

For my use case I need impersonation, so I’ll need to put them on the same domain unless anyone else has any other options I’m unaware of.
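
The cookie scoping described in the reply above, as an added example (not code from the thread or from Keycloak): a simplified model of RFC 6265 storage and matching rules applied to the two hostnames in the question. The cookie name, value, path and the helper names are assumptions made for illustration.

```javascript
// Added illustration of RFC 6265 cookie scoping; not Keycloak code.
// Not modelled: public-suffix rejection, IP-address hosts, Path and Secure matching.

// RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.3: decide how a browser stores a Set-Cookie received from responseHost.
// Returns null when the cookie is rejected.
function storeCookie(responseHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domainAttr = null;
  for (const attr of attrs) {
    const [key, value] = attr.split("=");
    if (key.toLowerCase() === "domain" && value) {
      domainAttr = value.replace(/^\./, "").toLowerCase();
    }
  }
  if (domainAttr === null) {
    // No Domain attribute: host-only cookie, returned to the exact setting host only.
    return { name, domain: responseHost.toLowerCase(), hostOnly: true };
  }
  // A host may not set a cookie for a domain it does not itself belong to.
  if (!domainMatch(responseHost, domainAttr)) return null;
  return { name, domain: domainAttr, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for requestHost?
function sentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// The thread's scenario: cookie set by adminHost, then a redirect to loginHost.
function cookieSurvivesRedirect(adminHost, loginHost, setCookie) {
  return sentTo(storeCookie(adminHost, setCookie), loginHost);
}

// Constructed sample header; cookie name, value and path are assumptions.
const SAMPLE = "KEYCLOAK_IDENTITY=constructed-token; Path=/realms/demo/; Secure; HttpOnly";
console.log(cookieSurvivesRedirect("keycloak.mycompany.com", "auth.myproject.com", SAMPLE)); // false
console.log(cookieSurvivesRedirect("auth.myproject.com", "auth.myproject.com", SAMPLE)); // true
```

Adding `Domain=auth.myproject.com` to the header does not help in this model: `storeCookie` returns `null` because the admin host does not domain-match the value it is trying to set.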