Exposed path recommendations (reverse proxy)

In the Reverse Proxy documentation the recommendation is to not expose the /admin/ path in the proxy. When logging in to the Security Admin Console, however, the browser requests these pages:

  • /admin/master/console/config
  • /admin/master/console/whoami
  • /admin/master/console/messages.json?lang=en
  • /admin/realms?briefRepresentation=true
  • /admin/realms/master
  • /admin/realms/master/localization/en
  • /admin/realms/myrealm
  • /admin/realms/myrealm/localization/en
  • /admin/serverinfo

I have a custom realm myrealm, referenced in the above list.

If the proxy does not expose /admin/ or any of those listed paths, how can the login succeed?

It’s recommended to not expose the admin path to the public (inter)network. If the proxy is your only way to access the Keycloak admin UI, you should configure it to be accessible from a trusted/internal network, but not for public access.
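One way to apply that advice, as an added example (not from the Keycloak docs or from anyone in this thread): an nginx reverse proxy that passes the public paths through but only serves /admin/ to a trusted network, so every request in the question's list still reaches Keycloak for admins while being refused for everyone else. The upstream name `keycloak:8080`, the hostname, the certificate paths and the subnet 10.20.0.0/16 are assumptions.

```nginx
# Added example, not Keycloak's own configuration. Assumes Keycloak listens on
# keycloak:8080 (hypothetical upstream) and that admins sit in 10.20.0.0/16
# (constructed value).

upstream keycloak {
    server keycloak:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.internal;            # hypothetical hostname

    ssl_certificate     /etc/nginx/tls/sso.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/sso.key;

    # Forwarded headers Keycloak uses behind a proxy so redirects, issuer URLs
    # and event logs carry the external host, scheme and client address.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    # Weak setting the question is worried about: /admin/ reachable by anyone.
    # location /admin/ { proxy_pass http://keycloak; }

    # Corrected: the console pages (/admin/master/console/...), the admin REST
    # API (/admin/realms/..., /admin/serverinfo) all live under /admin/, so one
    # gated location covers every request listed in the question.
    location /admin/ {
        allow 10.20.0.0/16;   # trusted admin network only
        deny  all;            # everyone else receives 403
        proxy_pass http://keycloak;
    }

    # Public paths that applications and end users need.
    location /realms/ {
        proxy_pass http://keycloak;
    }
    location /resources/ {
        proxy_pass http://keycloak;
    }
    location /js/ {
        proxy_pass http://keycloak;
    }
}
```

A quick check after reloading nginx: a request to `/admin/serverinfo` from outside the allowed subnet should return 403, while `/realms/master/.well-known/openid-configuration` should still return 200 from anywhere.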

Thanks, good advice in general. In my case the entire solution is on an extremely well protected intranet with absolutely no inbound access from the Internet, or even from other subnets in the intranet. The only access to the Keycloak admin UI is from inside this subnet. My question around the documentation remains valid, I believe, since the many redirects and XHR requests during login reference /admin/ endpoints - if these are not visible to the browser, how can login possibly succeed?