I’m building a greenfield application, and am considering using KC 17 Quarkus as the auth provider. I’ve used KC 15 in the past, and it’s really worked well.
I’m having some trouble with 17. In the past, I’ve set up my KC 15 instances behind a reverse proxy. The proxy would terminate SSL and use http to talk to the instances. This meant that the instances would only use http, which made them easier to configure and use. It was the best of both worlds IMO.
However, KC 17 doesn’t appear to expose the admin endpoints via http, even when the server is correctly configured with KC_PROXY=edge. This means that 1) my reverse proxy has to speak https to my KC 17 instances, which is a hassle, and 2) I have to configure SSL certs in my KC 17 instances even though the only way to get to them is through the proxy. It’s a hassle and it’s needless.
Is there a way to disable https, period? KC 15 allowed me to do it for all endpoints, including the admin console. I would like to do the same for KC 17, since all my instances will be behind my proxy, unreachable in any other way.
I think you may want KC_HTTP_ENABLED=true. (based on the description here: Keycloak - Server - All configuration) It doesn’t sound like it will disable https but it will at least enable http.
Setting --proxy=edge opens the HTTP port on Keycloak and there is no encryption needed between your reverse proxy and the Keycloak instances. But your reverse proxy needs to handle all the https/tls termination from the user's browser requests, then, no https redirect is being sent.
Complete http-only in a reverse proxy scenario is only possible with Keycloak being started in dev mode.
Adding KC_HOSTNAME_STRICT_HTTPS=false worked. It’s a shame that it’s not mentioned in the docs, because there’s a legitimate use case for disabling HTTP.
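An added example, not part of the thread and not Keycloak code: a check to run against the realm's OpenID discovery document after setting KC_HOSTNAME_STRICT_HTTPS=false, confirming that every advertised URL is still https on the public host. It assumes that with this setting Keycloak derives the scheme from what the proxy reports; the host name `sso.example.test`, the sample documents and the function name are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a discovery document as it could look if the TLS-terminating
# proxy does not tell Keycloak the original scheme (assumption, hypothetical host).
# A live document is served at /realms/<realm>/.well-known/openid-configuration.
BASE = "http://sso.example.test/realms/master"
SAMPLE_BAD = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "mtls_endpoint_aliases": {
        "token_endpoint": BASE + "/protocol/openid-connect/token",
    },
    "grant_types_supported": ["authorization_code", "refresh_token"],
})
# Same document with the scheme the browser actually used.
SAMPLE_GOOD = SAMPLE_BAD.replace("http://", "https://")


def insecure_urls(discovery_json, public_host):
    """Return {field: url} for each advertised URL that is not https on public_host."""
    findings = {}

    def walk(path, value):
        if isinstance(value, dict):
            for key, child in value.items():
                walk(f"{path}.{key}" if path else key, child)
        elif isinstance(value, str) and "://" in value:
            parts = urlsplit(value)
            if parts.scheme != "https" or parts.hostname != public_host:
                findings[path] = value

    walk("", json.loads(discovery_json))
    return findings


if __name__ == "__main__":
    for name, doc in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        problems = insecure_urls(doc, "sso.example.test")
        print(name, "->", "OK" if not problems else sorted(problems))
```

Any field it reports means clients will be sent to plain-http or wrong-host endpoints, so the proxy's forwarded headers need fixing before the setting is relied on.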