
Keycloak per se is working fine. I created a subdomain https://auth.mydomain.com which is pointing to a VM running on GCP. I have configured nginx to internally forward the request to Keycloak. So far so good. When I click "Administration console" in the Keycloak UI, it redirects to https://auth.mydomain.com/admin/master/console and hangs with "Loading Admin UI". According to the network logs the error occurs when Keycloak tries to load step1.html via https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/3p-cookies/step1.html.

Now I think that this URL (the initial part https://auth.mydomain.com) is incorrect, but I don’t know how to configure it otherwise. I guess it should be http and pointing to the internal IP/localhost, or get rid of the 8081 port.

Here’s my nginx.conf:

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2  on;
        server_name auth.mydomain.com;

        # SSL certificate configuration
        ssl_certificate .../public.crt;
        ssl_certificate_key .../private.key;

        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

And this is how Keycloak is configured.

  environment:
      ...
      - KC_HTTP_ENABLED=true
      - KC_PROXY=edge
      - KC_PROXY_HEADERS=forwarded|xforwarded
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=false
      ...

Both nginx (image nginx:1.25.3-alpine) and Keycloak (quay.io/keycloak/keycloak:21.1.2) are running as Docker containers.
Any help appreciated, this is getting exasperating.


Answers


  1. Chosen as BEST ANSWER

    Finally I figured out that this issue was caused by the KC_HOSTNAME_PORT which I had configured a few lines below the options posted above. This made Keycloak append the custom port (8081) to the domain name (https://auth.mydomain.com). I simply removed the option and everything seems to work as expected.
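
    A check for the fix described in this answer, added here as an example and not part of the original post or of Keycloak's own tooling: once KC_HOSTNAME_PORT is removed, every URL Keycloak publishes in the realm's OpenID discovery document (`/realms/<realm>/.well-known/openid-configuration`) should sit under the public base URL with no stray `:8081`, which is the same symptom the admin console showed with step1.html. The script below compares the origin (scheme, host, port, with default ports normalized) of each advertised endpoint against the expected base URL and reports any that differ. The two discovery documents embedded in it are constructed, not captured from a server; the hostname auth.mydomain.com is taken from the question. Because the question's configuration sets KC_HOSTNAME_STRICT=false, Keycloak derives its base URL from the forwarded request headers, so run the live check through the public hostname as a browser would, not against 127.0.0.1:8081.

```python
"""Verify that Keycloak advertises its endpoints under the public hostname.

Added example (not from the original post). Usage against a live server:
    python check_kc_hostname.py https://auth.mydomain.com master
"""
import json
import sys
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) for a URL, with the scheme's default port filled in
    so that https://host and https://host:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def find_mismatched_endpoints(discovery: dict, expected_base: str) -> dict:
    """Return {field: url} for every absolute URL in the discovery document
    whose origin differs from expected_base (wrong scheme, host or port).
    Non-URL fields (lists of supported grant types etc.) are ignored."""
    expected = origin(expected_base)
    mismatched = {}
    for field, value in discovery.items():
        if isinstance(value, str) and "://" in value and origin(value) != expected:
            mismatched[field] = value
    return mismatched


def check_realm(base_url: str, realm: str = "master") -> dict:
    """Fetch the discovery document through the reverse proxy and compare it
    against the base URL the browser actually uses."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return find_mismatched_endpoints(json.load(resp), base_url)


# Constructed samples (not captured from a real server). BROKEN mimics what a
# leftover KC_HOSTNAME_PORT=8081 produced in the question; FIXED is the
# expected state after removing it.
BROKEN = {
    "issuer": "https://auth.mydomain.com:8081/realms/master",
    "authorization_endpoint": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/certs",
    "check_session_iframe": "https://auth.mydomain.com:8081/realms/master/protocol/openid-connect/login-status-iframe.html",
    "response_types_supported": ["code", "id_token", "token id_token"],
}
FIXED = {k: (v.replace(":8081", "") if isinstance(v, str) else v) for k, v in BROKEN.items()}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://auth.mydomain.com"
    realm = sys.argv[2] if len(sys.argv) > 2 else "master"
    bad = check_realm(base, realm)
    if bad:
        for field, url in bad.items():
            print(f"MISMATCH {field}: {url}")
        sys.exit(1)
    print(f"OK: all advertised endpoints are under {base}")
```

The same mismatch check is worth keeping in a deployment smoke test: the issuer and endpoint URLs in this document are what clients embed in their configuration and what the browser is redirected to, so a wrong scheme, host or port here breaks logins well beyond the admin console.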


  2. Did you check setting the admin URL variables?

    These are my docker compose variables (using localhost instead of the IP):

      KEYCLOAK_ADMIN_URL: http://localhost:${NGINX_HOST_PORT}${KEYCLOAK_ADMIN_URL}
      KC_HOSTNAME_URL: http://localhost:${NGINX_HOST_PORT}${KEYCLOAK_HOSTNAME_URL}
      KC_HOSTNAME_ADMIN_URL: http://localhost:8081/
    

    And my NGINX config using the docker service name:

      location /keycloak/ {
          proxy_pass http://api-keycloak:8080/;
      }
    