Hello all,
we are currently working on publishing a keycloak based IdP securely on the internet. Now we have come across some problems when exposing the admin UI.
We are using two different mechanisms to expose the “Normal” keycloak Endpoints for our custom realm and another to expose the admin pages.
The normal domain is keycloak.domain.com, this endpoint does only expose the required endpoints for our realm, the master realm is not exposed.
The admin domain is admin.domain.com, this is done via cloudflare tunnels and cloudflare access and there are no restrictions on the exposed paths, so through this, the master realm is accessible.
We have set hostname-strict=false, KC_HOSTNAME and KC_HOSTNAME_ADMIN_URL respectively, but now when we try to access the admin UI, keycloak is trying to also access keycloak[DOT]example[DOT]com/realms/master/protocol/openid-connect/3p-cookies/step1.html, which is the normal domain, which does not expose this path.
We would expect this path to be loaded under the KC_HOSTNAME_ADMIN_URL, where it is accessible.
When we didnt set the KC_HOSTNAME and KC_HOSTNAME_ADMIN_URL, it worked fine, but now it doesnt, how can we fix that?
You have to set the frontend URL parameter of the master realm with the same value as KC_HOSTNAME_ADMIN_URL. Then it should work as expected.