non TLS connection: Blank admin console page due to missing 3p-cookies/step1.html resource
Describe the bug
In my setup, the TLS is done in TLS Apache endpoint as reverse proxy, thus I did not set up any TLS stuff in keycloak.
Usage of admin console is done in internal network directly.
I get a blank admin console page after login
Root cause: The resource 3p-cookies/step1.html will be loaded as TLS connection with https but that fails on port 8080
GET https://10.1.93.60:8080/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=9qn3t
It does not happen, if I set the “hidden” property hostname-strict-https=false
The resource 3p-cookies/step1.html will be loaded successfully as normal http connection
GET http://10.1.93.60:8080/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=9qn3t
and the admin console page is displayed
My configuration:
```
# I do NOT set `hostname` nor `hostname-admin`
# remaining possible related settings in use are
proxy=edge
hostname-strict=false
http-enabled=true
http-relative-path=/auth
# How to disable strict https
# https://github.com/keycloak/keycloak/discussions/10740
# Undocumented config parameter
hostname-strict-https=false
```
Version
17.0.1
Expected behavior
If `http-enabled=true` is used and keycloak is called with its direct IP, the admin console page is shown after login without usage of hidden property `hostname-strict-https=false`
Actual behavior
Faulty call of resource 3p-cookies/step1.html blocks the page usage, it loops in trying to get the whole page
How to Reproduce?
No response
Anything else?
No response
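The root cause reported in the issue above, as an added example that is not part of the original issue or of Keycloak's code: a small check that reads the quoted settings and predicts the iframe URL a browser will request when it reaches Keycloak directly over plain HTTP. It assumes, based only on the behaviour described in this report for 17.0.1 with no `hostname` set, that frontend URLs use `https` unless `hostname-strict-https=false`; the function names and the browser URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed from the settings quoted in the issue, without the workaround line.
CONF_REPORTED = """\
# no hostname / hostname-admin set
proxy=edge
hostname-strict=false
http-enabled=true
http-relative-path=/auth
"""
CONF_WORKAROUND = CONF_REPORTED + "hostname-strict-https=false\n"
IFRAME = "/realms/master/protocol/openid-connect/3p-cookies/step1.html"

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def frontend_scheme(conf, request_scheme):
    """Assumption taken from the issue: https is forced for frontend URLs
    unless hostname-strict-https is explicitly set to false."""
    strict = conf.get("hostname-strict-https", "true").lower() != "false"
    return "https" if strict else request_scheme

def check_direct_access(conf_text, browser_url, resource=IFRAME):
    """Return (iframe_url, unreachable) for a browser that reached browser_url."""
    conf = parse_conf(conf_text)
    req = urlsplit(browser_url)
    scheme = frontend_scheme(conf, req.scheme)
    base = conf.get("http-relative-path", "").rstrip("/")
    iframe_url = f"{scheme}://{req.netloc}{base}{resource}"
    # An https URL aimed at the port the browser reached over http cannot load.
    unreachable = scheme == "https" and req.scheme == "http"
    return iframe_url, unreachable

if __name__ == "__main__":
    for name, text in (("reported", CONF_REPORTED), ("workaround", CONF_WORKAROUND)):
        url, broken = check_direct_access(text, "http://10.1.93.60:8080/auth/")
        print(f"{name:10} {'UNREACHABLE' if broken else 'ok':11} {url}")
```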
Top GitHub Comments
@psytester I thought it was clear that the problem here is related to how the server enforces TLS by default. As we started discussing from this point https://github.com/keycloak/keycloak/issues/11170#issuecomment-1110098798.
The iframe (3p-cookies/step1.html) is not an “admin URL” but a frontend URL and that is the reason why you have `https` using a non-TLS port in the URLs.

Sorry for closing without a reference to a guide. We updated the hostname guide to include this section https://www.keycloak.org/server/hostname#_accessing_keycloak_in_production_mode_using_http.
Please, let me know if it works for you.
I’m still facing this error…
I have a simple configuration:
then init call:
Nothing complicated. In web console:
I run keycloak from docker:
JS lib is also 18.0.0. I have no idea what is wrong.