How to setup a client to use the backend URL instead of the frontend URL?

Currently I’m running Keycloak 18 in an OKD cluster and I have set a frontend URL to access a realm and one client. But then I have a microservice that I want to access Keycloak only internally in the cluster. All works fine, up until one point when the Keycloak adapter somehow magically changes from the Keycloak internal URL to the public URL.
Looking into the adapter auth-server-url, I see that this is generated with the public URL and I think that’s the reason it changes the URL. Is there a way to force it to use the internal URL for this client?

I’m already using --hostname-strict-backchannel=false; is there any other setting that I am missing?

Thanks

Could you explain your use case better?

  • Are you using OpenID Connect or SAML?
  • Does the client need to serve clients using an ingress or load balancer, that is, clients outside the cluster?

auth-server-url is set by you in the adapter configuration. So, if you need to serve clients (browsers) outside the cluster, they need to be redirected to the “public” keycloak interface.

I believe there is no way to tell the adapter to redirect clients to one Keycloak URL and use another for itself when it needs to talk to Keycloak (as in the OIDC flow).

If you only serve clients inside the cluster, you can just set auth-server-url to the Keycloak ClusterIP service.

I have a hunch that maybe you are trying to protect Keycloak by only exposing the URLs needed by the external clients. If that is the case, you can just map those URLs in your Ingress to the default http backend, URLs like /admin/.

Hi,
we are using OIDC, and in front of our cluster we have a proxy that sends all the traffic to our public URL (route) in our OKD cluster, where Keycloak is pointing.

Keycloak is configured with the hostname of the cluster URL (internal URL), but has the frontend URL set to the public URL. auth-server-url then shows the frontend URL (in the tab where one can generate a JSON file for the adapter). But the communication should not get outside the cluster or call the public URL.
On the MS (microservice) the auth-server-url is set to point to the internal URL, just to be clear.

So I actually set the internal URL in the MS, where it can access Keycloak and it does that, but at some point, after some requests / when it checks the well-known config, it switches to the public URL.
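One way to see which endpoints the adapter would follow out of the cluster, as an added example that is not from this thread: fetch the realm's .well-known/openid-configuration through the internal service and compare the hosts of the back-channel endpoints (token, JWKS, introspection) against the adapter's auth-server-url. The discovery document and hostnames below are constructed placeholders, not values from the thread.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a realm's discovery document as served when the realm's
# frontend URL points at the public hostname (placeholder hosts, not real ones).
DISCOVERY_JSON = """{
  "issuer": "https://sso.example.org/realms/demo",
  "authorization_endpoint": "https://sso.example.org/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "https://sso.example.org/realms/demo/protocol/openid-connect/token",
  "jwks_uri": "https://sso.example.org/realms/demo/protocol/openid-connect/certs",
  "introspection_endpoint": "https://sso.example.org/realms/demo/protocol/openid-connect/token/introspect",
  "end_session_endpoint": "https://sso.example.org/realms/demo/protocol/openid-connect/logout"
}"""

# Endpoints the adapter itself calls (back-channel); for an in-cluster-only
# microservice these must resolve to the internal service, not the public host.
BACKCHANNEL_KEYS = ("token_endpoint", "jwks_uri", "introspection_endpoint")


def leaked_backchannel_endpoints(discovery: dict, auth_server_url: str) -> dict:
    """Return back-channel endpoints whose host differs from auth-server-url's host."""
    expected_host = urlparse(auth_server_url).netloc.lower()
    leaked = {}
    for key in BACKCHANNEL_KEYS:
        url = discovery.get(key)
        if url and urlparse(url).netloc.lower() != expected_host:
            leaked[key] = url
    return leaked


def check_discovery(discovery_json: str, auth_server_url: str) -> dict:
    """Parse a discovery document and report endpoints that would leave the cluster."""
    return leaked_backchannel_endpoints(json.loads(discovery_json), auth_server_url)


if __name__ == "__main__":
    # Hypothetical internal ClusterIP service URL used as the adapter's auth-server-url.
    internal = "http://keycloak.sso.svc.cluster.local:8080"
    for key, url in check_discovery(DISCOVERY_JSON, internal).items():
        print(f"{key} would leave the cluster: {url}")
```

In a live check, replace DISCOVERY_JSON with the body returned by GET <auth-server-url>/realms/<realm>/.well-known/openid-configuration from inside the cluster; an empty result means the back-channel endpoints stay internal.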