Web UI errors in dockerized keycloak

Hello,
I installed the container as described here on the docker hub page for jboss/keycloak (new user, only two links, sorry)
I have this directory architecture:
.
├── container
│ ├── 01-consul-agent.sh
│ └── Dockerfile
└── docker-compose.yml

The relevant files regarding conf / deployment:
./docker-compose.yml: https://hastebin.com/uvehaliwab.xml
./container/Dockerfile:

FROM jboss/keycloak

ADD 01-consul-agent.sh /opt/jboss/startup-scripts/
USER root
RUN microdnf install net-tools bind-utils iputils curl unzip
RUN chmod +x /opt/jboss/startup-scripts/01-consul-agent.sh
USER jboss

Keycloak is served behind a nginx proxy. I can attach the configuration if needed.

I am experimenting with keycloak to see if it fits our needs. I have configured multiple OIDC clients and everything was working so far.
When I got around to trying adding group policies, I stumbled upon an error.
I can access the policy creation form (let's say: https:/ /keycloak.int.<FQDN>/auth/admin/master/console/#/realms/public/clients/<XXXXXXXXXXX>/authz/resource-server/policy/group/create), but when I type a name in the mandatory “Name” field and try to go out of it, I get redirected to https:/ /keycloak.int.<FQDN>/auth/admin/master/console/#/notfound.

On this page, in the console I get:
Possibly unhandled rejection: {"data":{"error":"HTTP 404 Not Found"},"status":404,"config":{"method":"GET","transformRequest":[null,null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"https:/ /keycloak.int.<FQDN>/auth/admin/realms/public/clients/<XXXXXXXXXXX>/authz/resource-server/policy/search","params":{"name":"ert"},"headers":{"Accept":"application/json, text/plain, */*","Authorization":"Bearer <BEARER_TOKEN>"}},"statusText":"Not Found","xhrStatus":"complete","resource":{}}

And when I go to https:/ /keycloak.int.<FQDN>/auth/admin/realms/public/clients/<XXXXXXXXXXX>/authz/resource-server/policy/search manually to investigate, I get a 401 with the following message:
We are sorry... An internal server error has occurred
The debug info at that time from docker-compose logs is: https://hastebin.com/xuvenopiqa.cs
The only relevant information I might see would be No collections were found in result set for role: org.keycloak.authorization.jpa.entities.PolicyEntity.associatedPolicies

But to be honest I have little to no clue and am a bit lost as to what to investigate next in order to fix the problem.

Thank you in advance for any help provided and sorry for the long post.

Edit: formatting problem

I am facing this issue as well!

I’m curious if you seem to face this same issue when you create a brand new container?

I started up a quick container using

docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak

hit http://localhost:8080

Create a new client, OIDC, confidential, enable authorization, policy, new group policy, type a name…no error!

What on earth is this?

hey there! Figured it out.

I was using Keycloak 10.0.0. Check the container version. Are you not using 10.0.2? I upgraded my image and it suddenly worked!

--oliverakane@gmail.com

Hello, to be honest I don’t really remember. I waited a few days, an upgrade came out, and it suddenly worked as well :S

glad it is fixed anyway.

I have the same issue using Keycloak 12.0.2 image:

Possibly unhandled rejection: {"data":{"error":"Realm not found."},"status":404,"config":{"method":"GET","transformRequest":[null,null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"http://localhost:8000/keycloak/auth/admin/realms/<long-id>/localization/en","headers":{"Accept":"application/json, text/plain, */*","Authorization":"Bearer XXX"}},"statusText":"Not Found","xhrStatus":"complete","resource":{}}

(In my case Keycloak is behind Kong using keycloak/auth as web context).

Moreover, I find it strange that I cannot see any 404 in the Network tab when trying to diagnose the problem, only the error message in the console… no idea how this is possible.

Does anyone have a suggestion on how to fix this? It is quite annoying that you have to login, then click “go to home” before reaching the admin console.

I have the same issue. It seems like the problem occurs when a realm is renamed. GET https://keycloak.desy.de/auth/admin/realms/OldRealmName/localization/en 404 shows up in my dev console. The renaming happened a while ago and only with Keycloak 12 the problem started showing up…

In my case I’m pretty sure I never rename my realm. Although I do update some properties, but the name itself is always the same. It certainly seems that Keycloak 12.0.2 has some regression on this, although I still have no idea exactly what is triggering this.

We are experiencing the same issue here. It looks like Keycloak 12 uses the realm name as the primary key for new realms, but still sends the old UUID when requesting the localizations.

This is when I retry the request performed by the admin through cURL. Same response as the admin gets:

curl 'http://localhost:9090/auth/admin/realms/f4cf1ead-399a-489d-a1f9-3eb6edd0273f/localization/en' \
    -H 'Connection: keep-alive' \
    -H 'Pragma: no-cache' \
    -H 'Cache-Control: no-cache' \
    -H 'Accept: application/json, text/plain, */*' \
    -H 'Authorization: Bearer <token>' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36' \
    -H 'Sec-Fetch-Site: same-origin' \
    -H 'Sec-Fetch-Mode: cors' \
    -H 'Sec-Fetch-Dest: empty' \
    -H 'Accept-Language: en-US,en;q=0.9,nl;q=0.8' \
    --compressed -vvvvv
*   Trying 127.0.0.1:9090...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9090 (#0)
> GET /auth/admin/realms/f4cf1ead-399a-489d-a1f9-3eb6edd0273f/localization/en HTTP/1.1
> Host: localhost:9090
> Accept-Encoding: deflate, gzip
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> Accept: application/json, text/plain, */*
> Authorization: Bearer <token>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: empty
> Accept-Language: en-US,en;q=0.9,nl;q=0.8
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Mon, 08 Feb 2021 11:37:44 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 28
< 
* Connection #0 to host localhost left intact

{"error":"Realm not found."}% 

But when I swap the UUID with the realm name, the request succeeds:

curl 'http://localhost:9090/auth/admin/realms/test11/localization/en' \
    -H 'Connection: keep-alive' \
    -H 'Pragma: no-cache' \
    -H 'Cache-Control: no-cache' \
    -H 'Accept: application/json, text/plain, */*' \
    -H 'Authorization: Bearer <token>' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36' \
    -H 'Sec-Fetch-Site: same-origin' \
    -H 'Sec-Fetch-Mode: cors' \
    -H 'Sec-Fetch-Dest: empty' \
    -H 'Accept-Language: en-US,en;q=0.9,nl;q=0.8' \
    --compressed -vvvvv
*   Trying 127.0.0.1:9090...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9090 (#0)
> GET /auth/admin/realms/test11/localization/en HTTP/1.1
> Host: localhost:9090
> Accept-Encoding: deflate, gzip
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> Accept: application/json, text/plain, */*
> Authorization: Bearer <token>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: empty
> Accept-Language: en-US,en;q=0.9,nl;q=0.8
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: no-referrer
< Date: Mon, 08 Feb 2021 11:37:53 GMT
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Content-Type: application/json
< Content-Length: 2
< 
* Connection #0 to host localhost left intact

{}%
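The two curl sessions above suggest a quick audit of which realms would hit this 404. The following is an added example, not part of the original posts and not Keycloak code: it takes realm representations (the `id` and `realm` fields returned by `GET /auth/admin/realms`) and flags every realm whose id differs from its name. The sample realm list and the function names are constructed for illustration, and the rule "lookup works by name only" is an assumption taken from the curl output above.

```javascript
// Constructed sample data; only the first entry reuses values from the thread.
const sampleRealms = [
  { id: "f4cf1ead-399a-489d-a1f9-3eb6edd0273f", realm: "test11" }, // UUID id
  { id: "master", realm: "master" },                               // id equals name
  { id: "Old Realm", realm: "new realm" },                         // renamed realm
];

// Build the localization URL in the shape seen in the curl requests above.
function localizationUrl(baseUrl, key, locale) {
  const base = baseUrl.replace(/\/+$/, ""); // tolerate a trailing slash
  return `${base}/admin/realms/${encodeURIComponent(key)}` +
         `/localization/${encodeURIComponent(locale)}`;
}

// Assumption from the curl sessions: the path segment is resolved as a realm
// name, so a request keyed by id only succeeds when id and name are identical.
function auditRealms(realms, baseUrl, locale = "en") {
  return realms.map((r) => {
    if (typeof r.id !== "string" || typeof r.realm !== "string") {
      throw new TypeError("realm representation needs string 'id' and 'realm'");
    }
    return {
      realm: r.realm,
      affected: r.id !== r.realm,
      requestById: localizationUrl(baseUrl, r.id, locale),      // expected 404 if affected
      requestByName: localizationUrl(baseUrl, r.realm, locale), // expected 200
    };
  });
}

// Names of the realms for which the id-keyed request is expected to fail.
function affectedRealms(realms, baseUrl) {
  return auditRealms(realms, baseUrl).filter((a) => a.affected).map((a) => a.realm);
}

for (const a of auditRealms(sampleRealms, "http://localhost:9090/auth")) {
  console.log(a.affected ? "AFFECTED" : "ok      ", a.realm, a.requestById);
}
```
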

I do have the same issue with 12.0.2. Not found any fix yet.

I had the same issue with 12.0.2 with a renamed realm.
I fixed it by patching the file /opt/jboss/keycloak/themes/base/admin/resources/js/controllers/realm.js

@@ -101,8 +101,8 @@
     $scope.$watch(function() {
         return Current.realm;
     }, function() {
-        if(Current.realm !== null && currentRealm !== Current.realm.id) {
-            currentRealm = Current.realm.id;
+        if(Current.realm !== null && currentRealm !== Current.realm.realm) {
+            currentRealm = Current.realm.realm;
             translateProvider.translations(locale, resourceBundle);
             RealmSpecificLocalizationTexts.get({id: currentRealm, locale: locale}, function (localizationTexts) {
                 translateProvider.translations(locale, localizationTexts.toJSON());
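
Review bot: In the `RealmSpecificLocalizationTexts.get({id: currentRealm, locale: locale}, ...)` call, `currentRealm` now holds the realm name (`Current.realm.realm`) but is still passed under the parameter name `id`, which hides the fact that the endpoint is being addressed by name. A short comment at the assignment, or a rename of the parameter where the resource is defined, would keep the next reader from switching it back to `Current.realm.id`. Note also that the guard only tests `Current.realm !== null`, so an undefined `Current.realm` would still throw on `.realm`; a plain truthiness check would cover both. Since the change is made to a file inside the container, it has to be reapplied whenever the container is recreated from the image.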

Issue seems to be still there with 12.0.3. And in my case it’s without renaming the realm and the issue occurs with all realms.

The fix has been committed https://github.com/keycloak/keycloak/commit/c0beca7744a5eea3858ba9881a222fcfd8a64802 but is not included in the 12.0.3.

it’s been fixed in the 12.0.4 release btw

I am not sure if this issue has been fixed yet as I am still observing this today with the docker image jboss/keycloak:15.0.2.

As another user mentioned above, it works just fine if we “docker run” this image straight. But it keeps throwing weird 404 not found errors when we deploy it on an Azure Web App using custom docker image.

Here is my Dockerfile if that would add any value

FROM jboss/keycloak:latest
ARG ADMIN_USERNAME=myadminuserid
ARG ADMIN_PASSWORD=myadminpassword
ARG REALM_NAME=abstracta
ENV PROXY_ADDRESS_FORWARDING=true
RUN /opt/jboss/keycloak/bin/add-user-keycloak.sh -u $ADMIN_USERNAME -p $ADMIN_PASSWORD

Some of the errors I see in the browser:
Refused to apply style from 'https://mydomain.azurewebsites.net/auth/resources/95t8j/common/keycloak/node_modules/patternfly/dist/css/patternfly.css' because its MIME type ('') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

GET https://abstracta-auth.azurewebsites.net/auth/resources/95t8j/welcome/keycloak/logo.png 404 (Not Found)

For what it's worth, it did work once the very first time after deploying on Azure. But it started showing this behavior after subsequent restarts.

Any advice anyone?