frontendUrl and adminUrl - how to restrict admin console to internal IP only?

We have keycloak behind reverse proxy. Now I would like admin console to only be accessible by internal IP (as suggested in the docs). So we set following variables when starting keycloak (sorry for the blank spaces - can’t paste links):

frontendUrl = https :// my . reverse-proxy . org /auth
adminUrl = http :// 10.10.10.10 :8888 /auth
proxy_address_forwarding = true (using docker image if it matters)

When starting keycloak, logs show that variables are correctly set:
[org.keycloak.url.DefaultHostnameProviderFactory] Frontend: https :// my . reverse-proxy . org /auth, Admin: http :// 10.10.10.10 :8888 /auth, Backend: request

However in this setup, when I navigate to http :// 10.10.10.10 :8888 /auth/admin, I am redirected to https :// my . reverse-proxy. org /auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http :// 10.10.10.10: 8888 /auth/admin/master/console&…

How do I tell keycloak that I should be redirected to internal IP, and not the configured frontendUrl? Feels like I’m missing something, but I tried every single combination and still out of luck.

1 Like

I had to also set “frontend URL” variable for master realm. This way you get redirected to IP when accessing admin console.
You can set it using admin CLI or admin console:

/opt/jboss/keycloak/bin/./kcadm.sh update realms/master -s attributes.frontendUrl=“http://10.10.10.10:8888/auth