Keycloak quarkus: frontendUrl changing not working

rvanderboom · March 3, 2022, 4:13pm

i have keycloak quarkus running in kubernetes on port http: (nginx in front of with https)…

However all admin templates (like login form) service “http://xxx”
I tried everything to make it https but it doesn’t pick up:
-KEYCLOAK_FRONTEND_URL / KEYCLOAK_ADMIN_URL
-keycloak.frontendUrl with java -D option.
It keeps logging:
g.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: , Strict HTTPS: false, Path: , Strict BackChannel: false, Admin:

No matter what i do…

Don’t understand how to change this.

ssunjic24 · March 4, 2022, 5:33am

Maybe this will help you I had some issues not like you have but with nginx:
Modify in standalone.xml

<http-listener name="default" socket-binding="http" redirect-socket="https" **proxy-address-forwarding="true"** enable-http2="true"/>
<https-listener name="https" socket-binding="https" **proxy-address-forwarding="true"** security-realm="ApplicationRealm" enable-http2="true"/>

rvanderboom · March 4, 2022, 7:01am

Hey,

oo but then i should have asked other question:
In keycloak quarkus, we do not see a standalone or any .xml file in config directory anymore…
Is there another way to put these configuration options , since the only we found out are:

kc.sh --hostname-strict=false --http-enabled=true --hostname-strict-https=false

(ps: if testing everhing on http everyting works fine)

bpedersen2 · March 4, 2022, 7:26am

There is a setting for proxy in keycloak-x:

github.com

keycloak/keycloak-community/blob/main/design/keycloak.x/configuration.md#proxy-mode

# Keycloak.X Server Configuration

* **Status**: Draft #2

## Principles

Keycloak.X should be configured through the different configuration options available.

Configuration options can be set using different formats: command-line arguments, environment variables, or a properties file. 

All configuration options are available in all different formats:

Command-line arguments:

    kc.[sh|bat] --<category>-<sub-category>-<property>=<value>
    
Environment variables:

    export KC_CATEGORY_SUB_CATEGORY_PROPERTY=<value>
    kc.[sh|bat]

This file has been truncated. show original

You want to set it to edge

rvanderboom · March 4, 2022, 1:10pm

thanks, this helps,
Now already that far that with 1 pod admin login is working.
only with 2 pods i get endless redirects because of a login_error, well at least one step futher, thanks…

Locally with 2 pods its ok, so must have something todo with settings…

rvanderboom · March 4, 2022, 3:21pm

Update about to many redirects, it looks like this issue:

http://localhost:8091/q/metrics/application

github.com/codecentric/helm-charts

Too many redirects when replicas is set to more than one

opened 09:56AM - 03 May 19 UTC

closed 12:37PM - 17 May 19 UTC

hichamuntitled

Hello, I am trying to deploy keycloak using Mysql, the charts works just fine… when replica is set to 1, but it doesn't work when it's greater than 1 (eg: 2 or 3). Actually I can see the main athentication page, but once I clic on "Log In" I get **ERR_TOO_MANY_REDIRECTS** error. On logs I am getting on every pod : ``` 09:41:53,225 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true 09:41:53,351 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true 09:41:53,480 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true 09:42:45,412 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:42:45,672 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:42:45,789 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:42:45,907 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:42:46,215 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:42:46,336 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:57,976 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:58,137 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:58,256 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:58,375 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:58,499 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:58,931 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true 09:46:59,108 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true ``` I tried to add ``` extraEnv: | - name: PROXY_ADDRESS_FORWARDING value: "true" ``` But I am still having the same issue. Is there any ideas to resolve this? Thank you !

however i did set the env:
env:
- name: PROXY_ADDRESS_FORWARDING
value: “true”

and it shows up also on the pod when getting env list.

Is there another way in keycloka quarkus setting this ?
Also tried to debug, and it looks like with 2 pods, there first is successfull login, but then somewhere it doesn’t find the usersession anymore in infinispan…

So i wonder if there need to be specfic settings for this too…
There really is not a manual, how to migrate from old to new, like check, these settings, configure cache, do this… It looks like just trial-and-error method :-<

rvanderboom · March 4, 2022, 7:40pm

update, yes to many redirects was caused by not setting infinispan to “kubernetes” with KC_CACHE_STACK.

without this session are not distributed across the nodes , ending up in login_error and expired_session.

the PROXY_ADDRESS_FORWARDING doesn’t seem to do anything false or true is the same, removed this setting

Topic		Replies	Views
Frontend- and backendurls published in well-known/openid-configuration Configuring the server	0	337	November 25, 2022
The option KC_HOSTNAME_ADMIN does not work Configuring the server admin-console	8	14964	April 2, 2024
Keycloak 18 quarkus and haproxy Getting advice	0	651	May 25, 2022
KeyCloak 18.0 Quarkus behind F5 Configuring the server	8	1554	May 28, 2022
Blocking the keycloak admin URL exposed to internet Configuring the server admin-console , authentication	9	5720	May 23, 2023

Keycloak quarkus: frontendUrl changing not working

Related Topics