Keycloak 21.1.1 Stuck on Loading Admin UI screen

Hi,

I’m currently working on a project integrating Keycloak with MySQL, deployed on an Azure VM using Terraform. But somehow my admin console keeps on loading.

```dockerfile
FROM quay.io/keycloak/keycloak:21.1.1

CMD [ "start-dev" ]

WORKDIR /opt/keycloak

EXPOSE 8080

ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep

ENV KC_HOSTNAME=20.84.86.27
ENV KC_DB_URL=jdbc:mysql://10.0.0.4:3306/Keycloakdb
ENV KC_HTTP_ENABLED=True
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV KC_LOG=console
ENV PROXY_ADDRESS_FORWARDING=true
```

The error message I’m having on my console is

error

“Timeout when waiting for 3rd party check iframe message.”

Any suggestions on what could be wrong here?

Are you accessing Keycloak via IP in

and port 80?
You could set hostname-admin-url.

Set the base URL for accessing the administration console, including scheme, host, port and path

CLI: --hostname-admin-url
Env: KC_HOSTNAME_ADMIN_URL

bin/kc.[sh|bat] start --hostname-admin-url=<scheme>://<host>:<port>/<path>

Check "Configuring the hostname - Keycloak".

Hey @elsawy Thanks for pointing this out. I have changed my config and I’m able to access the admin console but for some reason it still requires https. Any suggestions on that?

```dockerfile
FROM quay.io/keycloak/keycloak:21.1.1

CMD [ "start-dev" ]

WORKDIR /opt/keycloak

EXPOSE 8080

ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep

ENV KC_HOSTNAME=20.84.86.27
# ENV KC_HOSTNAME_ADMIN_URL=http://20.84.86.27:8080/auth/
ENV KC_DB_URL=jdbc:mysql://10.0.0.4:3306/Keycloakdb
ENV KC_HTTP_ENABLED=true
# ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV KC_LOG=console
# ENV PROXY_ADDRESS_FORWARDING=true
ENV KC_HOSTNAME_PORT=8080
```

Hey,

I have resolved this myself using this https://stackoverflow.com/questions/49859066/keycloak-docker-https-required/49874353#49874353 My updated dockerfile is shared below in case someone is facing similar issues.

```dockerfile
FROM quay.io/keycloak/keycloak:21.1.1

CMD [ "start-dev" ]

WORKDIR /opt/keycloak

EXPOSE 8443

ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep

# Placeholder: replace with the public IPv4 address
ENV KC_HOSTNAME=<public-ipv4>
# ENV KC_HOSTNAME_ADMIN_URL=http://20.84.86.27:8080/auth/
# Placeholder: replace with the internal VM IP of the database
ENV KC_DB_URL=jdbc:mysql://<internal-vm-ip>:3306/Keycloakdb
#ENV KC_HTTP_ENABLED=true
#ENV KC_HOSTNAME_STRICT=false
#ENV KC_HOSTNAME_STRICT_HTTPS=false
#ENV KC_PROXY=edge
ENV KC_LOG=console
# ENV PROXY_ADDRESS_FORWARDING=true
# ENV KC_HOSTNAME_PORT=8443

ENV KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem
ENV KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem
#ENV KC_HOSTNAME_PORT=8443

COPY server.crt.pem /opt/keycloak/conf/server.crt.pem
COPY server.key.pem /opt/keycloak/conf/server.key.pem
```

Hi, I am facing a similar issue and I have solved it the same way as you, with the certificate .pem files and a copy of them in the Dockerfile. But when I run the Docker container with the start option (production mode) I get a "Timeout when waiting for 3rd party check iframe message" error in the browser console. Any idea?
Also, I have a DNS record for hiding the private IP of an AWS EC2 instance and an application load balancer, but I can access the main page of Keycloak only when I type https://my-ec2-private-ip:443; when I use the DNS record I get a 502 Bad Gateway. I don’t know if the proxy can be the problem.

Hello,
I am having the same problem without the Docker container. My Admin console will not come up and just keeps spinning. I am running KC 22.0.3 with a reverse proxy, SSL, postgresql, Ubuntu and a server on AWS. I must have something incorrectly configured and maybe it is obvious?

Commands:

```
./kc.sh build
./kc.sh start --hostname-debug=true
```

Keycloak.conf File:

```properties
# The database vendor.
db=postgres
db-username=postgres
db-password=DBPassword

# The full database JDBC URL.
db-url=jdbc:postgresql://localhost:5432/postgres

# If the server should expose healthcheck endpoints.
health-enabled=true

# The file path to a server certificate or certificate chain in PEM format.
https-certificate-file=/etc/letsencrypt/live/dev.acme.com/cert.pem

# The file path to a private key in PEM format.
https-certificate-key-file=/etc/letsencrypt/archive/dev.acme.com/privkey13.pem

# The proxy address forwarding mode if the server is behind a reverse proxy.
proxy=edge

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false

https-key-store-file=/home/ubuntu/keycloak-22.0.3/keycloak.keys
https-keystore-password=KCKeystorePassword

https-protocols=TLSv1.3,TLSv1.2
https-trust-store-password=TruststorePassword
https-trust-store-file=/home/ubuntu/keycloak-22.0.3/server.trust

http-enabled=true
hostname-url=https://dev.acme.com:8443
```

From Log Output:

```
INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: https://dev.acme.com:8443, Hostname:dev.acme.com, Strict HTTPS: true, Path: /, Strict BackChannel: false, Admin URL: , Admin: , Port: 8443, Proxied: true
WARN [io.quarkus.agroal.runtime.DataSources] (main) Datasource enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel ISPN
INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 481efbd4-d96f-4687-9723-9867b263facc, name: ip-10-0-0-241-50180
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.28173
WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) ip-10-0-0-241-50180: no members discovered after 2003 ms: creating cluster as coordinator
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [ip-10-0-0-241-50180|0] (1) [ip-10-0-0-241-50180]
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel ISPN local address is ip-10-0-0-241-50180, physical addresses are [10.0.0.241:43709]
WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: ip-10-0-0-241-50180, Site name: null
INFO [io.quarkus] (main) Keycloak 22.0.3 on JVM (powered by Quarkus 3.2.5.Final) started in 12.878s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
INFO [io.quarkus] (main) Profile prod activated.
INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]
```
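An added example, not part of any post in this thread and not Keycloak code: a small Python check that parses the `Hostname settings` line printed at startup and compares the fixed URLs in it with the URL a browser would open. The function names are hypothetical, and the browser URL (the reverse proxy on the default HTTPS port) is an assumption, since the post does not state it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "Hostname settings" line from the log in the post above.
SAMPLE = (
    "INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) "
    "Hostname settings: Base URL: https://dev.acme.com:8443, Hostname:dev.acme.com, "
    "Strict HTTPS: true, Path: /, Strict BackChannel: false, Admin URL: , Admin: , "
    "Port: 8443, Proxied: true"
)
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_hostname_settings(line):
    """Return the 'Key: value' pairs that follow 'Hostname settings:' as a dict."""
    _, found, tail = line.partition("Hostname settings:")
    if not found:
        raise ValueError("not a 'Hostname settings' log line")
    # Values may be empty ("Admin URL: ,"); a key may have no space after the colon.
    pairs = re.findall(r"([A-Z][A-Za-z ]*?):\s*([^,]*?)\s*(?:,|$)", tail)
    return dict(pairs)

def origin(url):
    """Reduce a URL to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORT.get(parts.scheme)

def frontend_mismatches(settings, browser_url):
    """List differences between the URLs the server logs and the browser's URL."""
    issues = []
    seen = origin(browser_url)
    for key in ("Base URL", "Admin URL"):
        value = settings.get(key, "")
        if "://" not in value:  # empty or not a fixed URL: nothing to compare
            continue
        for name, logged, used in zip(("scheme", "host", "port"), origin(value), seen):
            if logged != used:
                issues.append(f"{key} {name}: server has {logged}, browser uses {used}")
    if settings.get("Strict HTTPS") == "true" and seen[0] != "https":
        issues.append("Strict HTTPS is true but the browser URL is not https")
    return issues

if __name__ == "__main__":
    parsed = parse_hostname_settings(SAMPLE)
    # Assumed browser URL: the reverse proxy on the default HTTPS port.
    for issue in frontend_mismatches(parsed, "https://dev.acme.com/admin/"):
        print(issue)
```

An empty result means the logged scheme, host and port match the URL being tested; any listed difference is a place where the server's hostname options and the proxy's public address disagree.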