KC 17 Quarkus: how to disable https for /admin endpoints

Hello,

I’m building a greenfield application, and am considering using KC 17 Quarkus as the auth provider. I’ve used KC 15 in the past, and it’s really worked well.

I’m having some trouble with 17. In the past, I’ve set up my KC 15 instances behind a reverse proxy. The proxy would terminate SSL and use http to talk to the instances. This meant that the instances would only use http, which made them easier to configure and use. It was the best of both worlds IMO.

However, KC 17 doesn’t appear to expose the admin endpoints via http, even when the server is correctly configured with KC_PROXY=edge. This means that 1) my reverse proxy has to speak https to my KC 17 instances, which is a hassle, and 2) I have to configure SSL certs in my KC 17 instances even though the only way to get to them is through the proxy. It’s a hassle and it’s needless.

Is there a way to disable https, period? KC 15 allowed me to do it for all endpoints, including the admin console. I would like to do the same for KC 17, since all my instances will be behind my proxy and unreachable in any other way.

I think you may want KC_HTTP_ENABLED=true (based on the description here: Keycloak - Server - All configuration). It doesn’t sound like it will disable https, but it will at least enable http.

I tried that option as well, with the same result. All my http calls to the /admin/* endpoints were redirected to https.

Setting --proxy=edge opens the HTTP port on Keycloak, and there is no encryption needed between your reverse proxy and the Keycloak instances. But your reverse proxy needs to handle all the https/tls termination for the user's browser requests; then no https redirect is sent.
Complete http-only in a reverse proxy scenario is only possible with Keycloak being started in dev mode.

While setting KC_PROXY=edge will open the HTTP port on Keycloak, I found that any links on the admin UI were still HTTPS.

Using KC_HOSTNAME_STRICT_HTTPS=false disabled that behaviour.

e.g. Dockerfile:

FROM quay.io/keycloak/keycloak:17.0.0 as builder
ENV KC_METRICS_ENABLED=true
ENV KC_HTTP_RELATIVE_PATH=/auth
ENV KC_FEATURES=token-exchange
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:17.0.0
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak
ENV KC_LOG_LEVEL=INFO

ENV KC_PROXY=edge
# ENV KC_HTTP_ENABLED=true        # superfluous since included in proxy=edge
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false

2 Likes

Adding KC_HOSTNAME_STRICT_HTTPS=false worked. It’s a shame that it’s not mentioned in the docs, because there’s a legitimate use case for disabling HTTP.

Many thanks!

4 Likes
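
An added example, not part of the thread and not Keycloak's own code: once KC_HOSTNAME_STRICT_HTTPS=false stops Keycloak from forcing https into generated URLs, a check like this one can confirm that the URLs served through the TLS-terminating proxy still carry the public https origin. It inspects an OIDC discovery document (the realm's `.well-known/openid-configuration`, under `/auth` with the Dockerfile above); the function names, the host `sso.example.test` and the sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit


def non_https_urls(discovery, expected_host):
    """Return sorted (json_path, url) pairs for every URL in the document
    that is not https or does not point at the public proxy hostname."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and "://" in node:
            parts = urlsplit(node)
            if parts.scheme != "https" or parts.hostname != expected_host:
                findings.append((path, node))

    walk(discovery, "")
    return sorted(findings)


def sample_discovery(origin):
    """Constructed, trimmed discovery document for a realm named 'demo'."""
    base = f"{origin}/auth/realms/demo"
    oidc = f"{base}/protocol/openid-connect"
    return {
        "issuer": base,
        "authorization_endpoint": f"{oidc}/auth",
        "token_endpoint": f"{oidc}/token",
        "jwks_uri": f"{oidc}/certs",
        "grant_types_supported": [
            "authorization_code",
            "urn:ietf:params:oauth:grant-type:device_code",  # URN, not a URL
        ],
        "mtls_endpoint_aliases": {"token_endpoint": f"{oidc}/token"},
    }


if __name__ == "__main__":
    # Constructed cases: proxy forwards scheme/host correctly vs. not at all.
    for origin in ("https://sso.example.test", "http://keycloak:8080"):
        bad = non_https_urls(sample_discovery(origin), "sso.example.test")
        print(origin, "->", "OK" if not bad else f"{len(bad)} insecure URLs")
        for path, url in bad:
            print("   ", path, url)
```

In practice the document would be fetched through the proxy's public https URL and passed to `non_https_urls` after `json.loads`.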