One domain per realm, disabling unrelated keycloak pages

Hello everyone,

I would like to use Keycloak for multiple projects, e.g.:

  • www.project1.com
  • www.project2.com

and map auth.project*.com to Keycloak.

So far I’ve just changed the DNS records to have them all point to Keycloak; however, when going to the root of the auth domain (e.g. auth.project1.com) I see the Keycloak page showing the administrative login link.
I would like to know:

  1. Is it possible to have only the minimum necessary endpoints available for a specific domain so that the user won’t be able to see the Keycloak page with links to the documentation or the admin login?
  2. Is it possible to not show the /realms/ in the URL since the domain already refers to that specific domain?

I’m trying to do this to have a mostly “whitelabel” experience.

Just as an update, I saw that I need to use these two things:

  • use https://www.keycloak.org/docs/latest/server_installation/#default-provider to set forceBackendUrlToFrontendUrl to true, I’ve tried (I’m using the helm chart) to put /subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.forceBackendUrlToFrontendUrl,value="true") in the custom cli config, but nothing changed
  • use adminUrl setting to set which is the url for the admin page, I’ve tried to add the argument -Dkeycloak.adminUrl=https://keycloak.companywebsite.com but nothing changes as all the admin.project*.com websites still show the welcome page and link to the admin login

Update: the first section actually worked. I also tried with: -Dkeycloak.hostname.default.forceBackendUrlToFrontendUrl=true and it works using the custom arg as well!

Hi @alex88,

I’m looking into a similar thing - so to get this to work did you need to also set up a reverse proxy to get rid of /realms/{realm}/ etc. when logging in - or do you literally just need to set the environment variable -Dkeycloak.hostname.default.forceBackendUrlToFrontendUrl=true and then set the custom domain pointing to the Keycloak IP eg. auth.myproject1.example, and then set this custom domain in the realm config page, and that will automatically set up the correct /realms/myproject1/ in the URI?

I’ve ended up with the environment variable; that was enough for our use case. However, for the welcome page I had to use a custom template.

Actually, without that /auth/ portion the authentication breaks. At least when I set the frontend URL to https://auth.mydomain.com, it removes the first /auth/ segment and the openid library tries to get the openid configuration JSON without the auth segment, which returns a 404. The frontend URL needs to be set to https://auth.mydomain.com/auth to work.
Man, this is absolutely counter-intuitive.
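
Added example, not part of the thread or of Keycloak's own code: a check that a realm's OpenID discovery document agrees with the frontend URL, covering both the missing /auth segment from the last post and endpoints that were not forced onto the frontend URL. The function names, the sample documents and the internal hostname are constructed for illustration.

```python
from urllib.parse import urlsplit

FRONTEND = "https://auth.mydomain.com/auth"   # frontend URL from the last post
REALM = "myproject1"                          # realm name used as a sample

def discovery_url(frontend_url, realm):
    """URL an OpenID client fetches to read the realm's metadata."""
    return f"{frontend_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"

def check_discovery(doc, frontend_url, realm):
    """Return findings for metadata that does not sit under the frontend URL."""
    base = f"{frontend_url.rstrip('/')}/realms/{realm}"
    findings = []
    if doc.get("issuer") != base:
        findings.append(f"issuer is {doc.get('issuer')!r}, expected {base!r}")
    for key in sorted(doc):
        value = doc[key]
        if not isinstance(value, str):
            continue
        if key.endswith("_endpoint") or key == "jwks_uri":
            if not value.startswith(base + "/"):
                host = urlsplit(value).netloc
                findings.append(f"{key} is outside the frontend URL (host {host})")
    return findings

def _doc(endpoint_base):
    """Constructed sample metadata; a real document has many more fields."""
    oidc = f"{endpoint_base}/protocol/openid-connect"
    return {
        "issuer": f"{FRONTEND}/realms/{REALM}",
        "authorization_endpoint": f"{FRONTEND}/realms/{REALM}/protocol/openid-connect/auth",
        "token_endpoint": f"{oidc}/token",
        "jwks_uri": f"{oidc}/certs",
    }

GOOD = _doc(f"{FRONTEND}/realms/{REALM}")
# Constructed internal host: backend endpoints not forced to the frontend URL.
LEAKY = _doc(f"http://keycloak-http.internal:8080/auth/realms/{REALM}")

if __name__ == "__main__":
    print(discovery_url(FRONTEND, REALM))
    for name, doc in (("GOOD", GOOD), ("LEAKY", LEAKY)):
        print(name, check_discovery(doc, FRONTEND, REALM) or "ok")
```

To use it against a live realm, load the JSON returned by the discovery URL and pass it as `doc`.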