after upgrading to version 17, I have a problem with configuration. I want to set up access to the admin console only from a private interface (I had the same configuration in keycloak 16.x).
Keycloak 17 in docker
Nginx as a reverse proxy (two domains)
Postgresql as backend
My server has got two network interfaces (public and private), two domains keycloak.public.company.cz and keycloak.private.company.cz. Both with SSL via Nginx.
In version 16.x, I had this configuration and all worked well.
Everything works well, except KC_HOSTNAME_ADMIN. When I add this option, the admin console does not work.
The page https://keycloak.private.company.cz/auth/admin/master/console/ shows blank content and every few seconds it reloads itself. In the browser web console, I cannot see any problems (all return 200). Only one request asks for the public interface: https://keycloak.public.company.cz/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=vmocj.
Can we get some help here, please? I think it is literally impossible to configure Quarkus Keycloak the way it was possible in the normal distribution.
I’d like to have the following configuration:
access admin console through internal IP AND port AND some extra path like /auth e.g. 10.170.20.170:5000/auth (please note that keycloak itself might be running on different port - it’s only 5000 that is exposed by docker)
have possibility for internal apps to login through internal IP, just like you could login to admin console
have possibility for public apps to login through public IP (with optional extra path) i.e. reverse proxy in edge mode.
I tried every single combination of parameters (--hostname, --hostname-admin, --hostname-path …, …) but it just doesn’t work:
sometimes keycloak redirects to “localhost” without a port, even though it is running on a non-80/443 port
sometimes step1.html can’t check sso status because it is blocked by some Content Security Policy
some generated links/config still respect the “frontendUrl” realm attribute (in a wrong way, because they don’t respect the port part), even though it is not mentioned anywhere in the new Quarkus documentation
Before, all of this was easily possible with just setting correct KEYCLOAK_FRONTEND_URL and/or specific frontendUrl per realm.
So, ignore --hostname, --hostname-admin, --hostname-path altogether. Then with existing configuration of frontendUrl per realm (from previous versions) it works how I want it to work - I can access some realms with internal IP, and some with external domain (described above).
Hi! I have the same problem with --hostname-admin on Keycloak 19.0.1 (Quarkus), but the same config works fine on 18.0.2 (Quarkus)
I use different domain names for the admin console (--hostname-admin=keycloak.domain.com) and the keycloak server frontend url (--hostname=auth.domain.com)
Version 19.0.1 ignores --hostname-admin for some URLs; for example, the admin2 console tries to connect to whoami and serverinfo on --hostname=auth instead of --hostname-admin=keycloak
Admin Console doesn’t load; there are CORS errors in the Chrome console (Network tab) for the whoami and serverinfo URLs
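Both the blank-console report above (one request going to keycloak.public instead of keycloak.private) and the 19.0.1 report (whoami/serverinfo requested on --hostname instead of --hostname-admin) boil down to the same question: which host (and port) do the URLs Keycloak generates actually point at? The following script is an added example, not code from the thread or from the Keycloak project. It takes an OIDC discovery document and a list of request URLs copied from the browser's Network tab, and reports every URL whose host does not match the host you expect for that interface. The sample discovery document and request list are constructed inline to reproduce the symptoms described above; the endpoint names are the standard OIDC discovery keys, and the hostnames are the ones the posters used. Because the comparison is on the full `netloc`, a URL that silently dropped a port (the "localhost without port" case) is flagged too.

```python
"""Flag Keycloak-generated URLs that point at the wrong hostname or port.

Added example for diagnosing split public/admin hostname setups; it is not part of
the Keycloak project or of the thread above.
"""
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed discovery document of the kind served at
# /realms/<realm>/.well-known/openid-configuration. One endpoint deliberately
# points at the public host to mimic the symptom reported in the thread.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.private.company.cz/auth/realms/master",
    "authorization_endpoint": "https://keycloak.private.company.cz/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.private.company.cz/auth/realms/master/protocol/openid-connect/token",
    "check_session_iframe": "https://keycloak.public.company.cz/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
})

# Constructed sample: request URLs copied from the browser's Network tab while
# loading the admin console over the private interface.
SAMPLE_ADMIN_REQUESTS = [
    "https://keycloak.private.company.cz/auth/admin/master/console/",
    "https://keycloak.private.company.cz/auth/admin/serverinfo",
    "https://keycloak.public.company.cz/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html",
]


def urls_in_discovery(doc_json):
    """Return (key, url) pairs for every absolute URL in a discovery document."""
    doc = json.loads(doc_json)
    return [(key, value) for key, value in doc.items()
            if isinstance(value, str) and value.startswith(("http://", "https://"))]


def wrong_host(labelled_urls, allowed_hosts):
    """Return the (label, url) entries whose host:port is not in allowed_hosts.

    allowed_hosts entries are compared against urlparse(url).netloc, so a missing
    or changed port counts as a mismatch ("10.170.20.170" != "10.170.20.170:5000").
    """
    allowed = {host.lower() for host in allowed_hosts}
    return [(label, url) for label, url in labelled_urls
            if urlparse(url).netloc.lower() not in allowed]


def report(doc_json, request_urls, expected_host):
    """Combine both checks into one list of human-readable findings."""
    findings = []
    for key, url in wrong_host(urls_in_discovery(doc_json), [expected_host]):
        findings.append(f"discovery[{key}] advertises {urlparse(url).netloc}, expected {expected_host}")
    for _, url in wrong_host([("request", u) for u in request_urls], [expected_host]):
        findings.append(f"console requested {url} outside {expected_host}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_DISCOVERY, SAMPLE_ADMIN_REQUESTS, "keycloak.private.company.cz"):
        print(line)
```

Run it against a real deployment by replacing the two constructed samples with the body of the realm's `.well-known/openid-configuration` and the URLs from the Network tab; any finding means the hostname settings (or a leftover per-realm frontendUrl) are steering that endpoint to the other interface.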