keycloak.js fails to load from the UI when behind a reverse proxy and KC_PROXY = `edge`


Describe the bug

In the frontend authUrl and authServerUrl should respect the setting of KC_PROXY to edge mode and should probably use the X-Forwarded-Proto instead of the request protocol to construct the url for frontend requests.

The initial result of this is that, in the templates, the URL for the keycloak.js resource is incorrect, although the issues are probably bigger, as the URL is also used for other JS-invoked API calls, looking at the code.

Version

17.0.0

Expected behavior

    <script type="text/javascript">
        var authServerUrl = 'https://...';
        var authUrl = 'https://....';
    ...

Actual behavior

    <script type="text/javascript">
        var authServerUrl = 'http://...';
        var authUrl = 'http://....';
    ...

Only setting KC_PROXY to reencrypt and communicating over https behind the proxy server resolves the issue and correctly sets the frontend URLs.

How to Reproduce?

Run a proxy server with SSL termination and set the KC_PROXY option to ‘edge’.

Load the /admin/master/console/ html file and you will see the authUrl and authServerUrl set to http://{hostname} and not https://{hostname}. The browser will then try to connect on this port and fail.

For reference this was the NGINX configuration used:

    server {
        listen 443 ssl http2;
        server_name login.test.test;
        server_tokens off;

        ssl_certificate /etc/nginx/certs/tls.crt;
        ssl_certificate_key /etc/nginx/certs/tls.key;
        ssl_dhparam /etc/nginx/ssl-dhparams.pem;

        location / {
            set $upstream http://keycloak:8080;
            proxy_pass  $upstream;
            proxy_set_header    Host                $http_host;
            proxy_set_header    X-Real-IP           $remote_addr;
            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Proto   $http_x_forwarded_proto;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

Anything else?

Setting KC_HOSTNAME_SCRICT_HTTPS: true also didn’t help. (not sure if this option is correct or used)

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:2
  • Comments:16 (6 by maintainers)
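
An added example, not part of the original issue or of the Keycloak project: the NGINX configuration in the report forwards `X-Forwarded-Proto` from `$http_x_forwarded_proto`, which is the header value the client itself sent, while a backend running with `KC_PROXY=edge` relies on the proxy to state the original scheme. The variant below assumes NGINX is the outermost, TLS-terminating proxy that clients reach directly; it hardens the header handling and is not the Keycloak-side fix mentioned in the comments.

```nginx
server {
    listen 443 ssl http2;
    server_name login.test.test;
    server_tokens off;

    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;

    location / {
        proxy_pass http://keycloak:8080;
        proxy_http_version 1.1;

        proxy_set_header Host      $http_host;
        proxy_set_header X-Real-IP $remote_addr;

        # Weak (as in the report): $http_x_forwarded_proto is whatever
        # X-Forwarded-Proto header arrived from the client. A browser sends
        # none, so the variable is empty, and NGINX does not pass a header
        # whose value is an empty string: Keycloak then receives no
        # X-Forwarded-Proto at all. A client that does send the header
        # decides its value.
        # proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        # Corrected: derive the scheme from the connection NGINX terminated.
        # On this listener $scheme is always "https" and cannot be set by
        # the client.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Same reasoning for the client address: on the outermost proxy,
        # overwrite instead of appending to a client-supplied list
        # ($proxy_add_x_forwarded_for keeps what the client sent).
        proxy_set_header X-Forwarded-For $remote_addr;

        # WebSocket upgrade headers, unchanged from the report.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

If another trusted proxy or load balancer sits in front of NGINX and terminates TLS there, that outer hop is the one that must set these headers, and NGINX should only accept them from its address.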

Top GitHub Comments

3 reactions
eucleciojosias commented, Apr 14, 2022

The fix is here, but it was not released yet 😦

1 reaction
T0mWz commented, Mar 24, 2022

This configuration of @Thirsa works! 🎉

@gitdode

With 17.0.0 it just works.

I confirm!

with this configuration in the deployment file it works:

    image: quay.io/keycloak/keycloak:17.0.0
    args: ["start-dev"]
    env:
      - name: KEYCLOAK_ADMIN
        value: "admin"
      - name: KEYCLOAK_ADMIN_PASSWORD
        value: "somepass"
      - name: KC_PROXY
        value: "edge"
      - name: KC_HOSTNAME
        value: "keycloak.domain.tld"
      - name: KC_HOSTNAME_STRICT_HTTPS
        value: "true"

You just have to know to set those additional ENVs I guess. Though I can’t find the KC_HOSTNAME_STRICT_HTTPS here https://www.keycloak.org/server/all-config

Thank you! 💪

However, with 17.0.1, I run into the same issue. The keycloak.js is served (hard) via HTTP, which results in some issues where we have HSTS applied.

Thanks for all your help!
