HTTP Error 403 after login on new install

Greetings,

I am in need of some experienced Keycloak advice; I’ve been trying to troubleshoot this error for a few days now.

I’m setting up a new Keycloak instance by way of docker-compose. Everything is fine until I go to do the first login to the admin master realm with this URL: https://auth.example.com/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console&origin=https%3A%2F%2Fauth.example.com

It returns an HTTP 403/unauthorized.
The edge proxy IIS 10 seems to be working fine.

The docker-compose.yaml:

version: '3'
services:
  postgres:
    image: postgres:latest
    env_file:
      - ./keycloak-postgres.env
    container_name: keycloak-db
    restart: unless-stopped
    ports:
      - '5432:5432'
    networks:
      - keycloak-network
    volumes:
      - ./user_db:/var/lib/postgresql/data
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:latest
    restart: unless-stopped
    env_file:
      - ./keycloak-postgres.env
    entrypoint: /opt/keycloak/bin/kc.sh -v start
    volumes:
      - ./keycloak_data/:/opt/keycloak/conf/
    ports:
      - 8810:8810
      - 3130:3130
    networks:
      - keycloak-network
    depends_on:
      - postgres
networks:
  keycloak-network:
    driver: bridge

And the keycloak-postgres.env file:

KC_DB=postgres
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=keycloak
KC_DB_SCHEMA=public
KC_DB_URL_DATABASE=keycloak
KC_DB_URL_HOST=postgres
KC_DB_URL_PORT=5432
KC_HOSTNAME=auth.example.com
KC_HOSTNAME_ADMIN=docker-host.localdomain
KC_HOSTNAME_STRICT=false
KC_HTTPS_CLIENT_AUTH=request
KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem
KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem
KC_HTTPS_PORT=3130
KC_HTTP_ENABLED=true
KC_HTTP_PORT=8810
KC_METRICS_ENABLED=true
KC_PROXY=edge
KC_HOSTNAME_STRICT_BACKCHANNEL=false
KC_HOSTNAME_STRICT_HTTPS=true
KEYCLOAK_ADMIN=Admin
KEYCLOAK_ADMIN_PASSWORD=Admin
PROXY_ADDRESS_FORWARDING=true

POSTGRES_HOST=postgres
POSTGRES_USER=keycloak
POSTGRES_PASSWORD=keycloak
POSTGRES_DB=keycloak

Has anyone seen this before? I’ve messed with probably too many KC_ env variables at this point to see if I could get this to work.
Thanks in advance!

I am also getting this error with a similar docker setup.

After coming back to this and troubleshooting some more, it looks like Keycloak may have an issue with the way IIS handles connections. However, that doesn’t seem to get logged, even with the -v option.

Flipping settings on/off might suggest an issue with KC_HOSTNAME_URL.

SOLUTION:
Keycloak is expecting an explicit name in KC_HOSTNAME_URL. Your value in KC_HOSTNAME_URL MUST match what’s in the IIS URL redirect (Typically the IP as IIS doesn’t like to resolve hostnames in forwarding.)

Here’s the snippet that’s changed from my docker-compose:

        PROXY_ADDRESS_FORWARDING: 1
        KEYCLOAK_FRONTEND_URL: https://auth.example.com/
        KC_HOSTNAME_STRICT_BACKCHANNEL: 1
        KC_HOSTNAME_URL: http://192.168.1.227:8080/
        KC_HTTP_ENABLED: 1

This directs you to the http backend URL, but does not help for the 403 auth error.

It seems I have solved the issue and it is completely IIS related.
The fields that you would expect to be replaced such as ‘x-forwarded-for’ are actually named HTTP_X_FORWARDED_PROTO, HTTP_X_FORWARDED_HOST, HTTP_X_FORWARDED_PORT.

You can see how I have it set in the ARR rule below. I’m going to remove the x-forwarded-* entries as they aren’t actually doing anything.
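A quick way to confirm that the forwarded headers actually reach Keycloak is to call the backend directly (bypassing IIS) with the X-Forwarded-* headers set and read the issuer in the realm's OIDC discovery document, since that issuer is built from the hostname settings plus the forwarded scheme, host and port. This is an added example, not code from the thread; the backend address 192.168.1.227:8080 and the public name auth.example.com are taken from the posts above as assumptions, and a fixed KC_HOSTNAME_URL will override the headers, so a mismatch can come from that setting as well as from the ARR rule.

```python
import json
import urllib.request

# Header names Keycloak reads behind a KC_PROXY=edge proxy. IIS ARR exposes
# them internally as server variables HTTP_X_FORWARDED_*, but what must reach
# Keycloak on the wire are these plain X-Forwarded-* request headers.
def forwarded_headers(scheme: str, host: str, port: int) -> dict:
    return {
        "X-Forwarded-Proto": scheme,
        "X-Forwarded-Host": host,
        "X-Forwarded-Port": str(port),
    }

def expected_issuer(scheme: str, host: str, port: int, realm: str) -> str:
    """Issuer Keycloak advertises for a realm whose frontend URL is scheme://host:port."""
    default_port = {"https": 443, "http": 80}[scheme]
    authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}/realms/{realm}"

def check_issuer(discovery_json: str, scheme: str, host: str, port: int, realm: str):
    """Compare the issuer in a discovery document with the one the proxy should yield.
    Returns (matches, issuer_seen)."""
    issuer = json.loads(discovery_json).get("issuer", "")
    return issuer == expected_issuer(scheme, host, port, realm), issuer

def fetch_discovery(backend_url: str, realm: str, headers: dict) -> str:
    """Fetch the realm's OIDC discovery document straight from the Keycloak backend."""
    url = f"{backend_url}/realms/{realm}/.well-known/openid-configuration"
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Assumed values from the thread: backend on the docker host, public name auth.example.com.
    backend = "http://192.168.1.227:8080"
    doc = fetch_discovery(backend, "master", forwarded_headers("https", "auth.example.com", 443))
    ok, seen = check_issuer(doc, "https", "auth.example.com", 443, "master")
    print("issuer:", seen, "(forwarded headers honoured)" if ok else "(MISMATCH: check ARR rule and KC_HOSTNAME* settings)")
```

If the issuer comes back as the plain backend address even with the headers set, Keycloak is not seeing them, and the admin console redirects will carry the wrong origin.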