Keycloak 17.0.1 Admin console on Edge mode

I’ve migrated from Keycloak 17.0.0 to 17.0.1 with the exact same configuration and now I can’t access the admin interface, since it is working in edge mode and Keycloak is redirecting to the local hostname, which is not known publicly.

I’m working with:

    ENV KC_HOSTNAME_STRICT_BACKCHANNEL=true
    ENV KC_HOSTNAME_STRICT_HTTPS=false
    ENV KC_HTTP_ENABLED=true
    ENV KC_PROXY=edge

at build time, and with

    KC_HOSTNAME=${MY_VM_NAME}:${PORT}

in the compose file for the test environment.

I’ve also tried to add this environment variable:

    KC_HOSTNAME_ADMIN=${MY_VM_NAME}:${PORT}

but it had no effect.

The .well-known/openid-configuration still presents the same values in both cases, so apparently only the admin is not reachable.

Does 17.0.1 presume a different configuration to access the admin console?

According to changes introduced here: Fixes to hostname by pedroigor · Pull Request #10820 · keycloak/keycloak · GitHub
I’ve also tried with:

    - KC_HOSTNAME=${HOSTNAME}
    - KC_HOSTNAME_PORT=${GATEWAY_PORT}

and no KC_HOSTNAME_ADMIN.

The result was the same: I got redirected to the local container name instead of the specified hostname.

Just to be sure I’ve already ensured that my gateway is providing the x-forwarded headers properly:

    Forwarded: proto=http;host="<myHost>:<myPort>";for="10.89.0.55:53190"
    X-Forwarded-For: 10.89.0.55
    X-Forwarded-Proto: http
    X-Forwarded-Port: <myPort>
    X-Forwarded-Host: <myHost>:<myPort>

Am I doing something wrong, or could this be a bug for 17.0.1?
Thanks for support.

I am using Keycloak 17.0.1 in ‘edge’ mode, without any issues.
The only env parameter I used is the KC_HOSTNAME.
Are you sure your reverse proxy passes the right http headers?
I use the admin console over https, so X-Forwarded-Proto is set to: https.

Hi @joerijansen,

you may check the discussion here: [KC 17.0.1] with (httpd) reverse proxy does not consider X-Forwarded-For headers for resources in account-console · Issue #10997 · keycloak/keycloak · GitHub
Have you configured the quarkus.http.proxy.enable-forwarded-host=true in the conf/quarkus.properties file so that the x-forward headers are used?

Is it possible that somehow your Keycloak is reachable directly (not going through the reverse proxy hostname)?

I experience exactly the same issue. Keycloak with KC_PROXY=edge. Admin console is loaded fine in 17.0.0 but does not load on 17.0.1.

… and as @joerijansen pointed out, it turns out in 17.0.1 it is important to pass the right http headers. I have fixed the issue setting --entryPoints.web.forwardedHeaders.trustedIPs=XXX properly in Traefik.

For me, KC 17.0.0 was working fine in edge mode without proper “X-Forwarded-Scheme” and “X-Scheme” headers (both were set to http, set by AWS ELB with TLS termination). Starting from KC 17.0.1, Keycloak started giving the mixed content error “jquery.min.js:2 Uncaught ReferenceError: Keycloak is not defined”. Setting both of these headers to https fixed my issue. I had to use an nginx custom template to do that.

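
A check for the symptom this thread describes, as an added example that is not from any of the posts or from Keycloak: it compares the origin a redirect `Location` points to with the origin announced by the proxy's `Forwarded` / `X-Forwarded-*` headers. The hostnames, sample headers and function names are constructed, and the parser assumes no IPv6 literals.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header into a dict."""
    pairs = {}
    for item in value.split(",")[0].split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            pairs[key.strip().lower()] = val.strip().strip('"')
    return pairs

def expected_origin(headers):
    """Origin (scheme, host, port) the proxy says the client used."""
    h = {k.lower(): v for k, v in headers.items()}
    fwd = parse_forwarded(h.get("forwarded", ""))
    scheme = (fwd.get("proto") or h.get("x-forwarded-proto", "http")).lower()
    hostport = fwd.get("host") or h.get("x-forwarded-host", "")
    host, _, port = hostport.partition(":")  # assumption: no IPv6 literals
    port = port or h.get("x-forwarded-port") or DEFAULT_PORTS[scheme]
    return scheme, host.lower(), int(port)

def check_redirect(headers, location):
    """Return the ways a redirect Location disagrees with the forwarded origin."""
    want = expected_origin(headers)
    url = urlsplit(location)
    got = (url.scheme, (url.hostname or "").lower(),
           url.port or DEFAULT_PORTS.get(url.scheme))
    problems = []
    if got[0] != want[0]:
        problems.append(f"scheme {got[0]} != {want[0]}")
    if got[1:] != want[1:]:
        problems.append(f"host {got[1]}:{got[2]} != {want[1]}:{want[2]}")
    return problems

# Constructed sample: same header set as in the thread, with placeholder values.
PROXY_HEADERS = {
    "Forwarded": 'proto=http;host="sso.example.test:8443";for="10.89.0.55:53190"',
    "X-Forwarded-Proto": "http",
    "X-Forwarded-Port": "8443",
    "X-Forwarded-Host": "sso.example.test:8443",
}

if __name__ == "__main__":
    for loc in ("http://sso.example.test:8443/admin/master/console/",
                "http://keycloak:8080/admin/master/console/"):
        print(loc, check_redirect(PROXY_HEADERS, loc) or "ok")
```

Feed it the headers the proxy actually sends to the backend and the `Location` returned for the admin console; an empty list means the redirect stays on the public origin.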