I’m a bit stuck, and I’ll freely admit I’ve managed to avoid Java-related systems for years. So my lack of experience with Java/JBoss/WildFly is contributing to my frustration.
I’m testing Keycloak as an IdP for basic access/authorization to a backend object storage system and various web apps. Integrating the backend storage is not really an issue, but I was looking to leverage the existing account registration and management features of Keycloak so I don’t have to write that myself.
I would like to use Keycloak URLs of a format:
registration: https://auth.example.com/register
login: https://auth.example.com/login
account: https://auth.example.com/manage-account
or something similar. Basically, abstract Keycloak from the URI structure.
My intent was to set up a simple www.example.com site to have links like “Register” and “Login” that simply forward to their respective Keycloak pages for registration and login, with something like the URL structure above. Then, the account page template would probably have some simple access info based on the username variable until a more involved application is needed.
Figuring that part out is where I’m stuck.
My test env is HAProxy doing SSL termination on a public IP, and passing HTTP requests to a private IP that is running a standalone instance of Keycloak. I access the admin console using the internal hostname/IP over VPN.
The Keycloak instance uses a hostname format like auth1.sys.example.com. The externally presented hostname in DNS and the SSL cert is in the format auth.example.com.
If I use the internal hostname (http://auth1.sys.example.com:8080), everything works, meaning URLs like https://auth1.sys.example.com/auth/realms/Example/account function as expected.
If I configure a frontendURL in the realm settings (not in standalone.xml) to “https://auth.example.com/auth”, everything works similar to the above.
If I try to remove the /auth from the frontendURL (because it’s redundant with auth.example.com), everything breaks.
The pre-configured clients in the realm, such as “account” and “account-console” have Base URLs configured like “http://auth1.sys.example.com:8080/auth/realms/Example/account”, rather than using the new frontendURL configured in the realm.
Ultimately, I’d like to use the existing Keycloak template pages but with a different URL structure. If I try to change the Base URL for the “account” client application, everything breaks (I’m guessing this only changes the client app settings, rather than the included client app itself).
- I suppose I could iframe the account/registration/login URLs.
- I suppose adding a separate proxy instance (eg, Nginx) to proxy_path the URLs instead of just the hostname might work, too.
- I suppose editing the included client apps directly requires modifying the java classes in $KEYCLOAK_DIR/bin/client (or creating new ones with the appropriate changes), but that’s a bit beyond my skill set.
- For self-registration, I could just create a form to collect the username/password and POST it to the API, but I can’t find actual API info on that in the Server Developer docs (or in the Securing Apps docs). The docs show how to secure external apps with OAuth/SAML/etc, but that’s not really what I’m looking to do here.
What’s the best approach here?
Similar topics I checked, but which didn’t have answers:
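Added example, not from the post above and not Keycloak’s own code: a small Python check for the kind of breakage described in the question. Keycloak publishes each realm’s OIDC discovery document at {frontendUrl}/realms/{realm}/.well-known/openid-configuration, and the issuer and endpoint URLs in it are what the account console and every other client compare against. With TLS terminated at HAProxy, Keycloak must be told it sits behind a proxy (proxy-address-forwarding="true" on the http-listener in standalone.xml, and HAProxy sending X-Forwarded-Proto: https), or those URLs come out with the internal hostname or plain http. The script assumes the public base https://auth.example.com/auth and the realm name Example from the post; the two discovery documents embedded in it are constructed for the demonstration, and fetch_discovery() is only there for running the same check against a live server.

```python
"""
Check that a Keycloak realm's OIDC discovery document advertises its issuer and
endpoints under the public, TLS-terminated hostname rather than the internal one.

Added example (not from the original post). Assumptions: public base URL
https://auth.example.com/auth and realm "Example"; both discovery documents
below are constructed for the demonstration.
"""
import json
import urllib.request
from urllib.parse import urlsplit

PUBLIC_BASE = "https://auth.example.com/auth"   # assumed: the realm's frontendUrl
REALM = "Example"                                 # assumed realm name from the post

# Endpoint URLs a browser or client must be able to reach; each must sit under
# PUBLIC_BASE and use https, or the proxy setup is leaking the internal address.
URL_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "end_session_endpoint",
    "jwks_uri",
)


def discovery_url(base: str, realm: str) -> str:
    """Location where Keycloak publishes the realm's OIDC discovery document."""
    return f"{base.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def fetch_discovery(base: str, realm: str, timeout: float = 5.0) -> dict:
    """Fetch the live discovery document (network; not used by the offline demo)."""
    with urllib.request.urlopen(discovery_url(base, realm), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc: dict, public_base: str, realm: str) -> list:
    """Return a list of human-readable problems; an empty list means the document
    is consistent with the public base URL."""
    problems = []
    base = public_base.rstrip("/")
    expected_issuer = f"{base}/realms/{realm}"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in URL_KEYS:
        value = doc.get(key)
        if value is None:
            problems.append(f"{key} missing from discovery document")
            continue
        if urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https (proxy not announcing TLS?): {value}")
        if not value.startswith(base + "/"):
            problems.append(f"{key} not under public base {base}: {value}")
    return problems


def _sample_doc(base: str, realm: str) -> dict:
    """Constructed discovery document shaped like Keycloak's, rooted at `base`."""
    realm_root = f"{base}/realms/{realm}"
    oidc = f"{realm_root}/protocol/openid-connect"
    return {
        "issuer": realm_root,
        "authorization_endpoint": f"{oidc}/auth",
        "token_endpoint": f"{oidc}/token",
        "userinfo_endpoint": f"{oidc}/userinfo",
        "end_session_endpoint": f"{oidc}/logout",
        "jwks_uri": f"{oidc}/certs",
    }


# Constructed samples: one as it should look behind the proxy, one as it looks
# when Keycloak still builds URLs from the internal listener.
GOOD_DOC = _sample_doc(PUBLIC_BASE, REALM)
BAD_DOC = _sample_doc("http://auth1.sys.example.com:8080/auth", REALM)


if __name__ == "__main__":
    for label, doc in (("public", GOOD_DOC), ("internal", BAD_DOC)):
        found = check_discovery(doc, PUBLIC_BASE, REALM)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run it against a live instance with `check_discovery(fetch_discovery(PUBLIC_BASE, REALM), PUBLIC_BASE, REALM)` from a machine that reaches the public hostname; if the issuer comes back on the internal name or over http while the browser sees https://auth.example.com, fix the proxy headers and listener setting before touching client Base URLs.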