Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Access Admin Console when using reverse proxy/load balancer

See original GitHub issue

Describe the bug

I tried so many approaches, but a just can’t access the admin console.

I access https://my.domain.com then I click in Administration Console that goes to https://my.domain.com/admin/master/console/ with a loading Loading the admin console, then show up a js alert with a message failed to initialize keycloak.

When I click in View Page Source of this screen I find the following script (note the http on the authUrl):

<script id="environment" type="application/json">
  {
    "loginRealm": "master",
    "authServerUrl": "https://my.domain.com",
    "authUrl": "http://my.domain.com",
    "consoleBaseUrl": "/admin/master/console/",
    "resourceUrl": "/resources/rq7wk/admin/keycloak.v2",
    "masterRealm": "master",
    "resourceVersion": "rq7wk",
    "commitHash": "{}",
    "isRunningAsTheme": true
  }
</script>

If I click “Ok” in the js alert, then it’s redirected to a error page with the URL: https://my.domain.com/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https://my.domain.dev/admin/master/console/#/&state={}&response_mode=fragment&response_type=code&scope=openid&nonce={}&code_challenge={}&code_challenge_method=S256

The error shown is invalid_url as the image below Screen Shot 2022-04-20 at 16 18 18

Something I tried in this page was replace the https for http in the query param &redirect_uri=http://my.domain.dev/admin/master/console/#/&state= ..., then the login form shows up, but when I fill with valid credentials and submit the same errors happens.

Something I notice was looking at the dev tools Network, the following requests happens: Screen Shot 2022-04-26 at 10 37 50

The requests serverinfo/, realms?briefRepresentation=true and whoami are pointing to http://127.0.0.1:8080/auth/admin/.

Version

18.0.0

Expected behavior

To log into the Admin Console to registrer realms, users and config

Actual behavior

When I try to log into the Admin Console this errors are shown

How to Reproduce?

My Dockerfile:

FROM quay.io/keycloak/keycloak:18.0.0 as builder

ENV KC_FEATURES=authorization,account2,account-api,admin-fine-grained-authz,admin2,docker,impersonation,token-exchange,client-policies,declarative-user-profile,dynamic-scopes,preview
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_DB=postgres

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:18.0.0

COPY --from=builder /opt/keycloak/ /opt/keycloak/

WORKDIR /opt/keycloak

ARG KEYCLOAK_ADMIN
ARG KEYCLOAK_ADMIN_PASSWORD
ARG KC_DB_URL
ARG KC_DB_USERNAME
ARG KC_DB_PASSWORD
ARG KC_LOG_LEVEL

ENV KEYCLOAK_ADMIN=$KEYCLOAK_ADMIN
ENV KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
ENV KC_DB_URL=$KC_DB_URL
ENV KC_DB_USERNAME=$KC_DB_USERNAME
ENV KC_DB_PASSWORD=$KC_DB_PASSWORD
ENV KC_LOG_LEVEL=$KC_LOG_LEVEL

ENV KC_PROXY=edge
ENV KC_HOSTNAME=my.domain.com
ENV KC_SPI_HOSTNAME_DEFAULT_ADMIN=my.domain.com

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

Anything else?

No response

Issue Analytics

State:
Created a year ago
Reactions:5
Comments:8 (1 by maintainers)

Top GitHub Comments

6reactions

michaelpearce-gaincommented, Jun 25, 2022

Issue is still persisting for me on latest release 18.0.2, it seems that redirect_uri is expecting http in the rules, but not https, it would seem something maybe up with the default realm used for admin rule set that generates

2reactions

Havrincommented, Apr 28, 2022

Same issue here. Locally in dev mode no problem but in a cluster I see the redirect_uri error when accessing the login form. No JS Error tho.

URL: https://my.domain.com/path/to/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fmy.domain.com%2Fpath%2Fto%2Fadmin%2Fmaster%2Fconsole%2F&state=UUID&response_mode=fragment&response_type=code&scope=openid&nonce=UUID&code_challenge=CHALLENGE&code_challenge_method=S256

Error same as the second image in the bug description with “invalid parameter: redirect_uri”.

We upgraded from 17.0.0 to 18 as 17.0.1 was broken with http static urls in the template. The fix for 17.0.0 worked with those parameters:

  KC_PROXY: edge
  KC_HOSTNAME_STRICT: "false"
  KC_HOSTNAME_STRICT_HTTPS: "true"
  KC_HTTP_ENABLED: "false"

But again, now it shows invalid_uri as error.

Edit: Removing KC_HOSTNAME_STRICT_HTTPS: "true" did not help

Top Results From Across the Web

Using a reverse proxy - Keycloak

Learn how to configure Keycloak together with a reverse proxy, api gateway, or load balancer. Distributed environments frequently require the use of a...

Accessing admin UI behind reverse proxy - Keycloak Discourse

Hello, I am deploying Keycloak 17.0.1 Quarkus with Kubernetes. I see in the docs about setting up the reverse proxy that it's preferable...

Using Keycloak behind a reverse proxy: Could not open ...

I call keycloak via my gateway-route via https://{gateway}/auth and it shows me the entrypoint with keycloak logo, link to admin console etc. - ......

How to enable SSL Load Balancer or Reverse Proxy in front of ...

For Setting Up with a Load Balancer or Reverse Proxy, ... Go to the admin console, then attempt to login with an invalid...

Configuring Reverse Proxy Using Administration Console ...

Using the Administration Console, select Configurations > Virtual Servers ... This completes configuring the reverse proxy for load balancing HTTP requests.