I have deployed an instance of Keycloak (with this chart: keycloak 15.1.0 · codecentric/codecentric) in my Kubernetes cluster, and it is running behind a reverse-proxy Kubernetes ingress.
If I send a request to https://{host}/auth/realms/master/.well-known/openid-configuration to check the config, it's almost OK, except that all the URLs have an added port 80,
e.g.
issuer: "https://{host}:80/auth/realms/master"
I have the same problem; no matter what I do, I can't find anything that will change the port to anything else. It seems the problem is that if Keycloak doesn't do HTTPS termination itself, it forces port 80, or something like that.
You have to set an appropriate KC_HOSTNAME for Keycloak to know your external hostname to redirect to. Also set KC_PROXY to edge. This is how it works for me.
You seem to be using Kubernetes. The nginx ingress controller will set X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Port so Keycloak knows it is behind a reverse proxy and can build the external URL for the OpenID Connect endpoints.
The problem is: if you have another reverse proxy in front of your nginx ingress controller, out of the box nginx will rewrite those headers sent by the first proxy and the information is lost.
CAREFUL: that configuration should only be activated if you really have another proxy in front of your nginx ingress. If not, nginx will trust those headers and a malicious user can set them.
You don't need the nginx.ingress.kubernetes.io/configuration-snippet because nginx already sets those headers.
I would suggest you use a debug pod like daime/http-dump:latest instead of Keycloak to see if the headers are correct. http-dump will dump the request it received from the nginx controller so you can inspect it.
Check if all X-Forwarded-XXXX headers are correctly set.
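The two replies above describe the same mechanism from two sides: the proxy mode and external hostname settings on the Keycloak side, and the X-Forwarded-Proto/Host/Port headers the ingress must deliver. The following is an added example, not Keycloak's code nor the codecentric chart's: a small model of how a backend behind a reverse proxy derives its external base URL from those headers, with constructed requests for each situation in the thread (headers ignored, headers trusted, X-Forwarded-Port missing, the port header appended twice, and a client forging the headers when no proxy sits in front). Function names, the `Request` shape and the precedence rules are assumptions of this model, not Keycloak's documented behaviour.

```python
# Added example, not Keycloak's or the codecentric chart's code: a small model
# of how a backend behind a reverse proxy derives its external base URL from
# the X-Forwarded-* headers, so the settings discussed in the thread (proxy
# mode "edge", a fixed external hostname, a duplicated X-Forwarded-Port) can
# be tried on constructed requests. Function names and the exact precedence
# rules are assumptions of this model, not Keycloak's documented behaviour.
from dataclasses import dataclass, field

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """What the backend sees on one connection (constructed, not captured)."""
    host: str                               # Host header as received
    headers: dict = field(default_factory=dict)
    local_port: int = 8080                  # port the backend listens on


def forwarded_value(headers, name):
    """Return the single value of an X-Forwarded-* header, or None.

    A proxy that appends instead of replacing yields "443, 443"; that is
    ambiguous and is rejected rather than silently parsed.
    """
    raw = headers.get(name)
    if raw is None:
        return None
    values = [v.strip() for v in raw.split(",") if v.strip()]
    if len(values) != 1:
        raise ValueError(f"{name} is not single-valued: {raw!r}")
    return values[0]


def external_base_url(req, proxy_mode="none", hostname=None):
    """Build scheme://host[:port] for the request.

    proxy_mode "none": ignore X-Forwarded-*, the client is assumed direct.
    proxy_mode "edge": TLS ends at the proxy; trust X-Forwarded-Proto/Host/Port.
    hostname: fixed external host (the role KC_HOSTNAME plays here); wins over
    whatever the proxy sent, with the scheme's default port unless given.
    """
    scheme, host, port = "http", req.host, req.local_port
    if ":" in host:                          # Host header carried a port
        host, host_port = host.rsplit(":", 1)
        port = int(host_port)
    if proxy_mode == "edge":
        scheme = forwarded_value(req.headers, "X-Forwarded-Proto") or scheme
        host = forwarded_value(req.headers, "X-Forwarded-Host") or host
        fwd_port = forwarded_value(req.headers, "X-Forwarded-Port")
        # Without X-Forwarded-Port the only port known is the one the proxy
        # connected to, which is how "https://host:80" can come about.
        if fwd_port:
            port = int(fwd_port)
    if hostname:
        host, _, explicit = hostname.partition(":")
        port = int(explicit) if explicit else DEFAULT_PORTS.get(scheme, port)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def issuer(req, proxy_mode="none", hostname=None, realm="master"):
    """Issuer as it would appear in .well-known/openid-configuration, or a
    'rejected: ...' string when the forwarded headers cannot be trusted."""
    try:
        return f"{external_base_url(req, proxy_mode, hostname)}/auth/realms/{realm}"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed requests, as an nginx ingress would hand them to the backend.
GOOD = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "sso.example.com",
        "X-Forwarded-Port": "443"}
NO_PORT = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "sso.example.com"}
DUPLICATED = dict(GOOD, **{"X-Forwarded-Port": "443, 443"})
SPOOFED = dict(GOOD, **{"X-Forwarded-Host": "evil.example"})  # set by a client


def scenarios():
    """Map each situation from the thread to the issuer it produces."""
    return {
        "proxy mode none, headers ignored":
            issuer(Request("sso.example.com", GOOD), "none"),
        "edge mode, all three headers":
            issuer(Request("sso.example.com", GOOD), "edge"),
        "edge mode, no X-Forwarded-Port, proxy spoke to port 80":
            issuer(Request("sso.example.com:80", NO_PORT), "edge"),
        "same, but fixed external hostname set":
            issuer(Request("sso.example.com:80", NO_PORT), "edge",
                   hostname="sso.example.com"),
        "edge mode, port header appended twice":
            issuer(Request("sso.example.com", DUPLICATED), "edge"),
        "edge mode with no proxy in front: client forges the host":
            issuer(Request("10.0.0.5:8080", SPOOFED), "edge"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:60} -> {result}")
```

The last scenario is the warning from the reply above in code form: once the backend trusts X-Forwarded-* in edge mode, anything that can reach it without going through the ingress can choose the issuer host, so that trust must only be granted where a proxy really does overwrite those headers. The "appended twice" case is why a configuration snippet that sets X-Forwarded-Port on top of what the ingress already sets breaks things rather than fixing them.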
Quoting RbBrDkie (post 10):
> I added back the snippet to set the port, then it duplicates the port header, which is why it didn't work, I guess.