Keycloak 21.1.1 Stuck on Loading Admin UI screen

Hi,

I’m currently working on a project integrating Keycloak with MySQL, deployed on an Azure VM using Terraform. But somehow my admin console keeps on loading.

```dockerfile
FROM quay.io/keycloak/keycloak:21.1.1

CMD [ "start-dev" ]

WORKDIR /opt/keycloak

EXPOSE 8080

ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep

ENV KC_HOSTNAME=20.84.86.27
ENV KC_DB_URL=jdbc:mysql://10.0.0.4:3306/Keycloakdb
ENV KC_HTTP_ENABLED=True
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV KC_LOG=console
ENV PROXY_ADDRESS_FORWARDING=true
```

The error message I’m having on my console is

error

“Timeout when waiting for 3rd party check iframe message.”
[[Prototype]].

Any suggestions on what could be wrong here?

Are you accessing Keycloak via IP in

and port 80?
You could set hostname-admin-url

Set the base URL for accessing the administration console, including scheme, host, port and path

CLI: --hostname-admin-url
Env: KC_HOSTNAME_ADMIN_URL

bin/kc.[sh|bat] start --hostname-admin-url=<scheme>://<host>:<port>/<path>

Check “Configuring the hostname - Keycloak”.

Hey @elsawy Thanks for pointing this out. I have changed my config and I’m able to access the admin console but for some reason it still requires https. Any suggestions on that?

```dockerfile
FROM quay.io/keycloak/keycloak:21.1.1

CMD [ "start-dev" ]

WORKDIR /opt/keycloak

EXPOSE 8080

ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep

ENV KC_HOSTNAME=20.84.86.27
# ENV KC_HOSTNAME_ADMIN_URL=http://20.84.86.27:8080/auth/
ENV KC_DB_URL=jdbc:mysql://10.0.0.4:3306/Keycloakdb
ENV KC_HTTP_ENABLED=true
# ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV KC_LOG=console
# ENV PROXY_ADDRESS_FORWARDING=true
ENV KC_HOSTNAME_PORT=8080
```

![Screenshot 2023-05-15 at 3.04.45 PM|690x365](upload://tfashGKXKxL0eOBcxLXMiLWyabJ.jpeg)

Hey,

I have resolved this myself using this: <https://stackoverflow.com/questions/49859066/keycloak-docker-https-required/49874353#49874353>. My updated Dockerfile is shared below in case someone is facing similar issues.

```dockerfile
FROM quay.io/keycloak/keycloak:21.1.1

CMD [ "start-dev" ]

WORKDIR /opt/keycloak

EXPOSE 8443

ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep

# Replace <public-ipv4> and <internal-vm-ip> with the public IPv4 address and the internal VM IP
ENV KC_HOSTNAME=<public-ipv4>
# ENV KC_HOSTNAME_ADMIN_URL=http://20.84.86.27:8080/auth/
ENV KC_DB_URL=jdbc:mysql://<internal-vm-ip>:3306/Keycloakdb
#ENV KC_HTTP_ENABLED=true
#ENV KC_HOSTNAME_STRICT=false
#ENV KC_HOSTNAME_STRICT_HTTPS=false
#ENV KC_PROXY=edge
ENV KC_LOG=console
# ENV PROXY_ADDRESS_FORWARDING=true
# ENV KC_HOSTNAME_PORT=8443

ENV KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem
ENV KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem
#ENV KC_HOSTNAME_PORT=8443

COPY server.crt.pem /opt/keycloak/conf/server.crt.pem
COPY server.key.pem /opt/keycloak/conf/server.key.pem
```
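
A note on the Dockerfile above, as an added example that is not part of the original post: the admin and database passwords set with `ENV` and the private key added with `COPY` all become part of the image, readable by anyone who can pull it. The check below flags those lines; the name and file patterns are heuristics assumed for this example.

```python
import re

# Lines taken from the Dockerfile in the post above (hostname settings omitted).
DOCKERFILE = """\
FROM quay.io/keycloak/keycloak:21.1.1
ENV KEYCLOAK_ADMIN=Root
ENV KEYCLOAK_ADMIN_PASSWORD=sheep
ENV KC_DB=mysql
ENV KC_DB_USERNAME=root
ENV KC_DB_PASSWORD=sheep
#ENV KC_HTTP_ENABLED=true
ENV KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem
COPY server.crt.pem /opt/keycloak/conf/server.crt.pem
COPY server.key.pem /opt/keycloak/conf/server.key.pem
"""

# Heuristics assumed for this example, not an exhaustive rule set.
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN)$", re.I)
PRIVATE_KEY = re.compile(r"(\.key(\.pem)?|privkey[^/]*\.pem|\.p12|\.jks)$", re.I)


def lint(dockerfile):
    """Return (line number, rule, item) for secrets that would be baked into the image."""
    findings = []
    for number, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out settings never reach the image
        instruction, _, rest = line.partition(" ")
        instruction = instruction.upper()
        if instruction == "ENV":
            for pair in rest.split():
                name, eq, value = pair.partition("=")
                if eq and value and SECRET_NAME.search(name):
                    findings.append((number, "secret-in-env", name))
        elif instruction in ("COPY", "ADD"):
            args = [a for a in rest.split() if not a.startswith("--")]
            for source in args[:-1]:  # the last argument is the destination
                if PRIVATE_KEY.search(source):
                    findings.append((number, "private-key-in-layer", source))
    return findings


if __name__ == "__main__":
    for number, rule, item in lint(DOCKERFILE):
        print("line %d: %s (%s)" % (number, rule, item))
```

Keycloak reads these settings at startup, so the passwords can be passed when the container is started (for example with `docker run --env-file`) and the key mounted read-only instead of copied into the image.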

Hi, I am facing a similar issue and I have solved it the same way as you, with certificate.pem and a copy of them in the Dockerfile. But when I run the Docker container with the start option (production mode), I get the “Timeout when waiting for 3rd party check iframe message” error in the browser console. Any idea?
Also, I have a DNS record for hiding my private IP of an AWS EC2 instance and application load balancer, but I can access the main page of Keycloak only when I type https://my-ec2-private-ip:443; when I use the DNS record I get a 502 Bad Gateway. I don’t know if the proxy can be the problem.

Hello,
I am having the same problem without the Docker container. My Admin console will not come up and just keeps spinning. I am running KC 22.0.3 with a reverse proxy, SSL, postgresql, Ubuntu and a server on AWS. I must have something incorrectly configured and maybe it is obvious?

Commands:

```bash
./kc.sh build
./kc.sh start --hostname-debug=true
```

Keycloak.conf file:

```properties
# The database vendor.
db=postgres
db-username=postgres
db-password=DBPassword

# The full database JDBC URL.
db-url=jdbc:postgresql://localhost:5432/postgres

# If the server should expose healthcheck endpoints.
health-enabled=true

# The file path to a server certificate or certificate chain in PEM format.
https-certificate-file=/etc/letsencrypt/live/dev.acme.com/cert.pem

# The file path to a private key in PEM format.
https-certificate-key-file=/etc/letsencrypt/archive/dev.acme.com/privkey13.pem

# The proxy address forwarding mode if the server is behind a reverse proxy.
proxy=edge

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
#spi-sticky-session-encoder-infinispan-should-attach-route=false

https-key-store-file=/home/ubuntu/keycloak-22.0.3/keycloak.keys
https-keystore-password=KCKeystorePassword

https-protocols=TLSv1.3,TLSv1.2
https-trust-store-password=TruststorePassword
https-trust-store-file=/home/ubuntu/keycloak-22.0.3/server.trust

http-enabled=true
hostname-url=https://dev.acme.com:8443
```

From log output:

```text
INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: https://dev.acme.com:8443, Hostname:dev.acme.com, Strict HTTPS: true, Path: /, Strict BackChannel: false, Admin URL: , Admin: , Port: 8443, Proxied: true
WARN [io.quarkus.agroal.runtime.DataSources] (main) Datasource enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel ISPN
INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 481efbd4-d96f-4687-9723-9867b263facc, name: ip-10-0-0-241-50180
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.28173
WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) ip-10-0-0-241-50180: no members discovered after 2003 ms: creating cluster as coordinator
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [ip-10-0-0-241-50180|0] (1) [ip-10-0-0-241-50180]
INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel ISPN local address is ip-10-0-0-241-50180, physical addresses are [10.0.0.241:43709]
WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: ip-10-0-0-241-50180, Site name: null
INFO [io.quarkus] (main) Keycloak 22.0.3 on JVM (powered by Quarkus 3.2.5.Final) started in 12.878s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
INFO [io.quarkus] (main) Profile prod activated.
INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]
```
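
One way to read the log above, as an added example that is not part of the original post: parse the `Hostname settings:` line and compare the URL Keycloak computed with the URL typed into the browser, since a differing origin is one thing to rule out when the console's iframe check never gets an answer. The browser URL used here (a reverse proxy on port 443) is an assumption, as are the function and finding names.

```python
import re
from urllib.parse import urlsplit

# Two lines taken from the log in the post above (the WARN line is shortened).
SAMPLE_LOG = (
    "INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) "
    "Hostname settings: Base URL: https://dev.acme.com:8443, Hostname:dev.acme.com, "
    "Strict HTTPS: true, Path: /, Strict BackChannel: false, Admin URL: , Admin: , "
    "Port: 8443, Proxied: true\n"
    "WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* "
    "and Forwarded headers will be considered when determining the proxy address.\n"
)
FIELDS = ("Base URL", "Hostname", "Strict HTTPS", "Path", "Strict BackChannel",
          "Admin URL", "Admin", "Port", "Proxied")
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_hostname_settings(log):
    """Return the fields of the 'Hostname settings:' line as a dict ({} if absent)."""
    m = re.search(r"Hostname settings: (.*)", log)
    if not m:
        return {}
    # Split on the known field names so empty values ("Admin URL: ,") are kept.
    names = "|".join(re.escape(f) for f in FIELDS)
    parts = re.split(r"(?:^|, )(%s):" % names, m.group(1).strip())
    return dict(zip(parts[1::2], (v.strip() for v in parts[2::2])))


def origin(url):
    """Scheme, host and effective port of a URL."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme))


def check(log, browser_url):
    """Compare what Keycloak computed with the URL typed into the browser."""
    s = parse_hostname_settings(log)
    findings = []
    if origin(s["Base URL"]) != origin(browser_url):
        findings.append("base-url-mismatch: server %s, browser %s"
                        % (s["Base URL"], browser_url))
    if s["Admin URL"] and origin(s["Admin URL"]) != origin(browser_url):
        findings.append("admin-url-mismatch: " + s["Admin URL"])
    if s["Proxied"] == "true" and "Forwarded headers will be considered" in log:
        findings.append("forwarded-headers-trusted: proxy must overwrite them")
    return findings


if __name__ == "__main__":
    # Assumed browser URL: the reverse proxy terminating TLS on port 443.
    for finding in check(SAMPLE_LOG, "https://dev.acme.com/admin/"):
        print(finding)
```

The last finding repeats the log's own warning: with `proxy=edge`, the reverse proxy has to overwrite the forwarded headers on every request so that clients cannot supply their own.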

Was this issue ever resolved? I’m having it too. It’s a bit serious. Don’t want to expose the admin console to random traffic from the outside (URLs have been obfuscated both to hide actual external IP addresses, and to circumvent the “no more than two URLs per post” limitation of the tool used to post this message).

```yaml
  auth:
    image: quay.io/keycloak/keycloak:23.0.3
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=somethingsecret
      - KC_HOSTNAME_ADMIN_URL=http://localhost:8080/
      - KC_HOSTNAME_DEBUG=true
      - KC_PROXY=edge
      - KC_HOSTNAME=somewhere
      - KC_METRICS_ENABLED=true
      - KC_HEALTH_ENABLED=true
      - KC_DB=postgres
      - KC_DB_PASSWORD=password
      - KC_DB_SCHEMA=public
      - KC_DB_USERNAME=keycloak
      - KC_DB_URL_HOST=postgres
      - KC_DB_URL_DATABASE=keycloak
      - KC_LOG_LEVEL=DEBUG
    depends_on:
      - postgres
    command:
      - start
    volumes:
      - ./auth/import:/opt/keycloak/data/import
    networks:
      - backend
```

| URL | Value |
|---|---|
| Request | http: / /localhost:8080/realms/master/hostname-debug |
| Frontend | https: / /(external-hostname)/ [FAILED] |
| Backend | http: / /localhost:8080/ [OK] |
| Admin | http: / /localhost:8080/ [OK] |

| Runtime | Value |
|---|---|
| Server mode | production [start] |
| Realm | master |

| Configuration property | Value |
|---|---|
| hostname | (external-hostname) |
| hostname-admin-url | http: / /localhost:8080/ |
| hostname-strict | true |
| hostname-strict-backchannel | false |
| hostname-strict-https | false |
| hostname-port | -1 |
| proxy | edge |
| http-enabled | false |
| http-relative-path | / |
| http-port | 8080 |
| https-port | 8443 |

| Header | Value |
|---|---|
| Host | localhost:8080 |

This umbrella issue might(!) help, as it contains several approaches on how to solve this: Admin console not loading and hostname related issues · Issue #14666 · keycloak/keycloak · GitHub