The option KC_HOSTNAME_ADMIN does not work

Hi folks,
after upgrading to version 17, I have a problem with configuration. I want to set up access to the admin console only from a private interface (I had the same configuration in keycloak 16.x).
My setup:

  • Keycloak 17 in docker
  • Nginx as a reverse proxy (two domains)
  • Postgresql as backend

My server has got two network interfaces (public and private), two domains keycloak.public.company.cz and keycloak.private.company.cz. Both with SSL via Nginx.

In version 16.x, I had this configuration and everything worked well.

environment:
   ...
   PROXY_ADDRESS_FORWARDING=true
   KEYCLOAK_ADMIN_URL=https://keycloak.private.company.cz/auth

In version 17.x, I have this configuration:

environment:
   ...
   KC_HOSTNAME: keycloak.public.company.cz 
   KC_HOSTNAME_ADMIN: keycloak.private.company.cz 
   KC_HTTP_ENABLED: "true"   
   KC_PROXY: edge
command: start --auto-build --http-relative-path /auth

Everything works well, except KC_HOSTNAME_ADMIN. When I add this option, the admin console does not work.

The page https://keycloak.private.company.cz/auth/admin/master/console/ shows blank content and every few seconds it reloads itself. In the browser web console, I cannot see any problems (all requests return 200). Only one request asks for the public interface: https://keycloak.public.company.cz/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=vmocj.

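One way to see which base URL Keycloak is actually generating behind the proxy is to fetch a realm's .well-known/openid-configuration through each hostname and check every URL in it against the scheme, host and path prefix that the proxy serves. The script below is an added example (not code from this thread or from Keycloak); the discovery document it checks is a constructed sample showing the kind of mismatch described above (an endpoint pointing at the public host, another at localhost without a port).

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a discovery document fetched via the private hostname
# (assumption for this example, not captured from a real Keycloak server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.private.company.cz/auth/realms/master",
    "authorization_endpoint": "https://keycloak.private.company.cz/auth/realms/master/protocol/openid-connect/auth",
    # Wrong: host is localhost and the port and TLS are gone.
    "token_endpoint": "http://localhost/auth/realms/master/protocol/openid-connect/token",
    # Wrong: the session iframe points at the public hostname.
    "check_session_iframe": "https://keycloak.public.company.cz/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
    "jwks_uri": "https://keycloak.private.company.cz/auth/realms/master/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def find_mismatched_endpoints(discovery_json, expected_scheme, expected_host, expected_prefix):
    """Return {claim: url} for every URL-valued claim in the discovery document
    whose scheme, host (including port) or path prefix differs from what the
    reverse proxy serves. An empty dict means every generated URL is consistent."""
    doc = json.loads(discovery_json)
    mismatched = {}
    for claim, value in doc.items():
        if not isinstance(value, str) or "://" not in value:
            continue  # only string claims that look like URLs
        parts = urlsplit(value)
        if (parts.scheme != expected_scheme
                or parts.netloc != expected_host
                or not parts.path.startswith(expected_prefix)):
            mismatched[claim] = value
    return mismatched


if __name__ == "__main__":
    # Check the sample as if it had been fetched through the private hostname
    # with --http-relative-path /auth in front of Keycloak.
    problems = find_mismatched_endpoints(
        SAMPLE_DISCOVERY, "https", "keycloak.private.company.cz", "/auth")
    for claim, url in problems.items():
        print(f"{claim}: {url}")
```

To run it against a live instance, replace SAMPLE_DISCOVERY with the body returned by https://keycloak.private.company.cz/auth/realms/master/.well-known/openid-configuration (and repeat for the public hostname); any claim listed is a URL the browser or a client will follow to the wrong interface.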

I have the same problem.
Works with the admin2 feature enabled. (UPDATE: NOT WORKING)

Completely not working with KEYCLOAK_ADMIN_URL

Can we get some help here, please? I think it is literally impossible to configure Quarkus Keycloak the way it was possible in the normal distribution.

I’d like to have the following configuration:

  • access the admin console through internal IP AND port AND some extra path like /auth, e.g. 10.170.20.170:5000/auth (please note that Keycloak itself might be running on a different port; it’s only 5000 that is exposed by Docker)
  • have possibility for internal apps to login through internal IP, just like you could login to admin console
  • have possibility for public apps to login through public IP (with optional extra path) i.e. reverse proxy in edge mode.

I tried every single combination of parameters (--hostname, --hostname-admin, --hostname-path …, …) but it just doesn’t work:

  • sometimes Keycloak redirects to “localhost” without a port, even though it is running on a non-80/443 port
  • sometimes step1.html can’t check SSO status because it is blocked by some Content Security Policy
  • some generated links/config still respect the “frontendUrl” realm attribute (in a wrong way, because it doesn’t respect the port part), even though it is not mentioned anywhere in the new Quarkus documentation

Before, all of this was easily possible just by setting the correct KEYCLOAK_FRONTEND_URL and/or a specific frontendUrl per realm.

Same scenario and same error. Someone to help?

For anyone having the same/similar issues, I managed to solve my problem by using the following arguments:

        '--auto-build',
        '--db=oracle',
        '--http-port=8389',
        '--http-enabled=true',
        '--http-relative-path=/auth',
        '--hostname-strict-https=false',
        '--hostname-strict=false',
        '--proxy=edge'

So, ignore --hostname, --hostname-admin and --hostname-path altogether. Then, with the existing configuration of frontendUrl per realm (from previous versions), it works how I want it to work: I can access some realms with the internal IP, and some with the external domain (described above).

My proxy is mapping my.domain.com/auth to /auth in keycloak.

Next time I’m probably not reading new documentation because it brought me a lot of confusion.

I have the same issue:

-- replace the placeholder with the admin URL, e.g. the value you used for KEYCLOAK_ADMIN_URL
insert into realm_attribute (name, realm_id, value)
VALUES ('frontendUrl', 'master', '<KEYCLOAK_ADMIN_URL>');

and then restart. This will fix it, but this seems like a bug.