Two Keycloaks on local machine to test brokering

I am trying to test a scenario of 2 Keycloaks where one is the identity provider for the other, but I keep getting a 502 error with both of them on localhost… is it possible?

Here is my simple testcase:

docker-compose.yml

services:
  keycloak1:
    image: "quay.io/keycloak/keycloak:latest"
    ports:
      - "1234:8080"
    environment:
      KEYCLOAK_USER: admin1
      KEYCLOAK_PASSWORD: admin
  keycloak2:
    image: "quay.io/keycloak/keycloak:latest"
    ports:
      - "4321:8080"
    environment:
      KEYCLOAK_USER: admin2
      KEYCLOAK_PASSWORD: admin

Since I am a new user, I can't post pictures, so I will describe the steps textually. For a more visual bug report, see here: Keycloak Discourse Bug Report · Issue #9 · stenagam/demo-federated-module-login · GitHub

Keycloak 1 (http://localhost:1234)

  • new realm named realm_a
  • user registration enabled, SSL disabled
  • new client named keycloak2
    • access type: confidential
    • wildcards on Valid Redirect URIs and Web Origins:
      • Valid Redirect URIs: http://localhost:4321/*
      • Web Origins: *
    • client secret copied from “Credentials” tab

finishing with admin1 Sign Out

Keycloak 2 (http://localhost:4321)

  • new realm named realm_b
  • user registration On, SSL Off
  • new identity provider Keycloak OpenID Connect
    • auth endpoint: http://localhost:1234/auth/realms/realm_a/protocol/openid-connect/auth
    • token endpoint: http://localhost:1234/auth/realms/realm_a/protocol/openid-connect/token
    • Client Authentication: Client secret sent as post
    • Client ID: keycloak2
    • Client Secret: <paste>

Save and SignOut admin2

Keycloak 1 from user perspective
Open http://localhost:1234/auth/realms/realm_a/account and SignIn to register a new user.

After a successful login, sign out.

Keycloak 2 from user perspective
Open http://localhost:4321/auth/realms/realm_b/account and attempt to Sign In using the Identity Provider.

After clicking on the “keycloak1” button, sign in. The session is open on Keycloak 1 but the redirect is to an error page.

We are sorry...
Unexpected error when authenticating with identity provider

Logs

keycloak2_1  | 12:31:38,803 WARN  [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (default task-13) TruststoreProvider is disabled
keycloak2_1  | 12:31:38,889 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-13) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to localhost:1234 [localhost/127.0.0.1] failed: Connection refused (Connection refused)
keycloak2_1  | Caused by: java.net.ConnectException: Connection refused (Connection refused)
keycloak2_1  | 12:31:38,924 WARN  [org.keycloak.events] (default task-13) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=realm_b, clientId=account-console, userId=null, ipAddress=172.24.0.1, error=identity_provider_login_failure, code_id=ff4c5f88-7047-4462-ac77-4f7912655874, authSessionParentId=ff4c5f88-7047-4462-ac77-4f7912655874, authSessionTabId=QYSgucrsGvc

Browser Network Tab
(has a 502 request in it)

What am I missing? Is it possible to have the identity provider and the broker on the same machine?

Thanks!

I would guess you are seeing an effect of the infinispan detection. See Keycloak 15.0.2 docker image issue - #4 by xgp


And what would be the proper workaround? Use an older version of Keycloak? Which one is a good bet? Thanks for the help!

I guess running the instances from two different docker-compose files should work. Or you need to assign two different internal networks that are isolated.

2 docker-compose.yaml files didn't work :(

The logs on the Stack Overflow post have mentions of Infinispan, my logs don't; I wonder if this is a different issue.

keycloak2_1  | 12:31:38,889 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-13) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to localhost:1234 [localhost/127.0.0.1] failed: Connection refused (Connection refused)

You should get an understanding of how hostnames (and localhost) behave in dockerized environments.
localhost inside docker is not the same as on the host machine.

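The point of the reply above, as an added example that is not part of the thread or of Keycloak's code: in the authorization-code flow the browser on the host opens the authorization endpoint, but the broker calls the token endpoint from inside its own container, where `localhost` is that container's loopback. The script flags back-channel endpoints on loopback hosts and decodes the refused connection from the log. The config key names and the `keycloak1:8080` URL (Compose service name and container port on a shared network) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Who dereferences each endpoint during an OIDC authorization-code login.
# Key names are assumptions modelled on the provider settings in the first post.
CHANNEL = {
    "authorizationUrl": "front",  # browser redirect, resolved on the host
    "tokenUrl": "back",           # broker -> IdP, resolved inside the container
    "userInfoUrl": "back",
    "jwksUrl": "back",
}

def is_loopback(host):
    """True for 'localhost' names and literal loopback addresses."""
    if not host:
        return False
    name = host.lower()
    if name == "localhost" or name.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False  # an ordinary DNS or service name

def audit_idp(config):
    """Return the back-channel endpoint keys that point at a loopback host."""
    findings = []
    for key, channel in CHANNEL.items():
        url = config.get(key)
        if url and channel == "back" and is_loopback(urlsplit(url).hostname):
            findings.append(key)
    return findings

CONNECT_RE = re.compile(
    r"HttpHostConnectException: Connect to (?P<host>[^\s:]+):(?P<port>\d+) "
    r"\[(?P<resolved>[^\]]+)\] failed: (?P<reason>[^(]+)"
)

def explain_log_line(line):
    """Decode a refused outbound connection; None if the line does not match."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    # The bracket holds one or more "name/address" pairs.
    addrs = [a.rsplit("/", 1)[-1] for a in m["resolved"].split(", ")]
    return {
        "target": f"{m['host']}:{m['port']}",
        "resolved": addrs,
        "self_connect": all(is_loopback(a) for a in addrs),
        "reason": m["reason"].strip(),
    }

BASE = "/auth/realms/realm_a/protocol/openid-connect"
# Endpoints exactly as configured in the first post.
AS_POSTED = {
    "authorizationUrl": "http://localhost:1234" + BASE + "/auth",
    "tokenUrl": "http://localhost:1234" + BASE + "/token",
}
# Constructed variant: only the back-channel URL changes (assumed shared network).
BACKCHANNEL_BY_SERVICE = dict(AS_POSTED, tokenUrl="http://keycloak1:8080" + BASE + "/token")

# Log line copied from the first post.
LOG = ("keycloak2_1  | 12:31:38,889 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] "
       "(default task-13) Failed to make identity provider oauth callback: "
       "org.apache.http.conn.HttpHostConnectException: Connect to localhost:1234 "
       "[localhost/127.0.0.1] failed: Connection refused (Connection refused)")

if __name__ == "__main__":
    print(audit_idp(AS_POSTED))
    print(audit_idp(BACKCHANNEL_BY_SERVICE))
    print(explain_log_line(LOG))
```

The check only covers where each endpoint is resolved from; it does not validate the rest of the broker configuration.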

My attempt at isolating the networks:

docker-compose.yml:

networks:
  net1:
    driver: "bridge"
  net2:
    driver: "bridge"
services:
  keycloak1:
    image: "quay.io/keycloak/keycloak:latest"
    networks:
      - net1
    ports:
      - "127.0.0.1:1234:8080"
    environment:
      KEYCLOAK_USER: admin1
      KEYCLOAK_PASSWORD: admin
  keycloak2:
    image: "quay.io/keycloak/keycloak:latest"
    networks:
      - net2
    ports:
      - "127.0.0.1:4321:8080"
    environment:
      KEYCLOAK_USER: admin2
      KEYCLOAK_PASSWORD: admin

And the results of docker network inspect for each one after docker-compose up:

net1

[
    {
        "Name": "keycloak-broker_net1",
        "Id": "f20c14b1df11cf5bea8efcbcd1ce75380a438dbfa5fabd192ebc3deae9c2103b",
        "Created": "2021-10-06T08:51:33.790035592-03:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "192.168.64.0/20",
                    "Gateway": "192.168.64.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "97bdc8da52a30e6de9c3f6afc234c24123e9cded99e09bb445dff8811e47b1dd": {
                "Name": "keycloak-broker_keycloak1_1",
                "EndpointID": "a4398d6d78bf07ff5f7b2b1971422992b63b449438d8ee23f2ce3a41f2f03227",
                "MacAddress": "02:42:c0:a8:40:02",
                "IPv4Address": "192.168.64.2/20",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "net1",
            "com.docker.compose.project": "keycloak-broker",
            "com.docker.compose.version": "1.29.0"
        }
    }
]

net2

[
    {
        "Name": "keycloak-broker_net2",
        "Id": "68e3ecf956c2f193726e048bb79d17f80bc843919b374b073a97744605039920",
        "Created": "2021-10-06T08:51:33.839702566-03:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "192.168.80.0/20",
                    "Gateway": "192.168.80.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "3c440bbbafd6a1a6490941da7741ebfbea580c1b882880df48b4904a23feb22d": {
                "Name": "keycloak-broker_keycloak2_1",
                "EndpointID": "2150427f9a99a474dd1adbd540068522a202425171ac4ac878f8ef2a006ff795",
                "MacAddress": "02:42:c0:a8:50:02",
                "IPv4Address": "192.168.80.2/20",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "net2",
            "com.docker.compose.project": "keycloak-broker",
            "com.docker.compose.version": "1.29.0"
        }
    }
]

FWIW I have 2 Keycloaks running from containers (at first directly from docker, now I’m running with kubernetes).

I can't log in to both in the same browser. Is this your problem?
I use “new private window” in the browser, or even 2 different browsers. It works fine.

My curl calls to both Keycloak servers also work fine.

BTW, I’m doing the same kind of thing, but, correct me if I’m wrong, it’s also possible to proof-of-concept brokering simply with one Keycloak and 2 realms. The realms are just as isolated as 2 Keycloak servers, aren’t they?

1 keycloak with 2 realms could work, I will try that, thanks!!
