24

The deployment is on AWS and I do not want to tunnel to the box and open a browser to disable it.

There seems to exist a configuration: "ssl-required":"none" that can be placed in the keycloak-server.json file, but I'm not sure under which object. I've tried under "realm" and by itself with no luck.

I do not want to disable it at the adapter level; it needs to be global, so where does the "ssl-required":"none" go, or how can ssh/https be disabled globally?

(Also, I understand this is not recommended in production.)

BatteryAcid

5 Answers

44

In the "master" realm, on the Login tab, change the 'Require SSL' property to none.

If you cannot access Keycloak locally and it is configured with a database, for instance Postgres, then execute the following SQL statement.

    update REALM set ssl_required = 'NONE' where id = 'master';

It is necessary to restart Keycloak.

Graham
anromer
  • 7
    If you have only SSH access and Keycloak is running with embedded DB, you may use native DB client, e.g. for H2: java -cp .jar org.h2.tools.Shell -url "jdbc:h2:file:" -user -password -sql "update REALM set ssl_required='NONE' where id = 'master'" – Vladimir Salin Apr 26 '17 at 07:46
  • 12
    E.g. `java -cp modules/system/layers/base/com/h2database/h2/main/h2-1.4.193.jar org.h2.tools.Shell -url "jdbc:h2:./standalone/data/keycloak" -user sa -password sa -sql "update REALM set ssl_required='NONE' where id = 'master'"` – dds Jan 31 '18 at 21:53
14

I ran the Keycloak admin command to apply sslRequired=NONE.

    $ docker exec -it CONTAINER-ID bash
    $ cd /opt/jboss/keycloak/bin/
    # Authenticate
    $ ./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
    # Set sslRequired to none
    $ ./kcadm.sh update realms/master -s sslRequired=NONE

If you don't know the user and/or password, I recommend running:

    $ ./add-user-keycloak.sh --server http://localhost:8080/admin --realm master --user admin --password YOUR-PASSWORD
  • Inside docker container. I am getting this error: bash: cd: keycloak/bin: No such file or directory – ASK Feb 15 '21 at 07:12
  • 1
    The correct path for the Keycloak bin, as of the time of writing this comment (the latest version of Keycloak is 12.0.4), is `/opt/jboss/keycloak/bin` – Ahmed GIS Apr 26 '21 at 22:54
  • The authentication command failed when using `--server http://localhost:8080/auth`. It works when using `--server http://localhost:8080` instead. Ref: https://www.keycloak.org/docs/17.0/server_admin/index.html#authenticating – wltheng Feb 21 '22 at 14:02
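
An added example, not part of the original answers: a Python check that reads realm JSON in the shape returned by `./kcadm.sh get realms` and reports realms left at `sslRequired=NONE` after a workaround like the one above, together with the `kcadm.sh` command to set them back. The sample data, the severity labels and the choice of `EXTERNAL` as the value to restore are assumptions of this example.

```python
import json
import shlex

# Constructed sample, reduced to two fields, in the shape of the output of
#   ./kcadm.sh get realms
# Realm names other than "master" are made up for this example.
SAMPLE_REALMS_JSON = """
[
  {"realm": "master", "sslRequired": "NONE"},
  {"realm": "customers", "sslRequired": "external"},
  {"realm": "partners", "sslRequired": "none"},
  {"realm": "internal", "sslRequired": "all"},
  {"realm": "legacy"}
]
"""

KNOWN_MODES = {"all", "external", "none"}


def audit_realms(realms_json):
    """Return one finding per realm whose sslRequired is 'none' or unreadable."""
    findings = []
    for realm in json.loads(realms_json):
        name = realm.get("realm", "")
        # The page writes the value as NONE; normalise case so either spelling matches.
        mode = str(realm.get("sslRequired", "")).strip().lower()
        if mode == "none":
            # Assumption: master guards the admin console login, so rank it highest.
            severity = "high" if name == "master" else "medium"
        elif mode not in KNOWN_MODES:
            # Field missing or unexpected: report it instead of assuming it is safe.
            severity, mode = "review", "unknown"
        else:
            continue
        findings.append({"realm": name, "mode": mode, "severity": severity})
    return findings


def restore_command(realm, mode="EXTERNAL"):
    """Build the kcadm.sh call that sets sslRequired back, shell-quoting the realm."""
    return "./kcadm.sh update " + shlex.quote("realms/" + realm) + " -s sslRequired=" + mode


if __name__ == "__main__":
    for f in audit_realms(SAMPLE_REALMS_JSON):
        print(f["severity"], f["realm"], f["mode"], "->", restore_command(f["realm"]))
```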
1

In my case, I'm using Keycloak Server with Spring Boot. I can change sslRequired on the Master Realm in code by extending KeycloakApplication:

    import org.keycloak.common.enums.SslRequired;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.services.managers.RealmManager;
    import org.keycloak.services.resources.KeycloakApplication;

    public class EmbeddedKeycloakApplication extends KeycloakApplication {
        ...

        public EmbeddedKeycloakApplication() {
            super();
            changeMasterRealm();
            ...
        }

        // Sets sslRequired to NONE on the master realm inside one transaction.
        private void changeMasterRealm() {
            KeycloakSession session = getSessionFactory().create();
            try {
                session.getTransactionManager().begin();
                RealmManager manager = new RealmManager(session);
                manager.getRealm("master").setSslRequired(SslRequired.NONE);
                session.getTransactionManager().commit();
            } catch (Exception ex) {
                session.getTransactionManager().rollback();
            }

        ...
0

I tried as below.

    docker run \
      --name new-keycloak \
      -dti \
      -p 8080:8080 \
      -e KEYCLOAK_ADMIN=admin \
      -e KEYCLOAK_ADMIN_PASSWORD=admin \
      -e KC_HOSTNAME=localhost \
      -e KC_HOSTNAME_STRICT=false \
      -e KC_HOSTNAME_STRICT_HTTPS=false \
      -e KC_HTTP_ENABLED=true \
      quay.io/keycloak/keycloak:20.0.2 \
      start-dev

but it still requires HTTPS. After searching more I saw an answer to do like below.

I started the container without any of the 4 "KC_" environment variables. And then I went into the container and used kcadm.sh like this:

    cd /opt/keycloak/bin
    ./kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin
    ./kcadm.sh update realms/master -s sslRequired=NONE

Then it worked like a charm.

Udara Seneviratne
-1

The same image runs just fine on GKE, but when I try to run it on a bare metal cluster (microk8s) it mandates TLS... Could it be that the ingress controller is different?

uthomas