
I'm trying to set up Keycloak on a root server, but I cannot access the admin console from the internet. I've installed the Keycloak server and put it behind an nginx reverse proxy on the same machine. I've set up a Let's Encrypt cert for the domain. I've also set up the admin user for Keycloak via script.

When I visit the server with its domain https://<my-domain> I'm forwarded to https://<my-domain>/auth, and there is the Keycloak welcome page with a link to "Administration Console". This link points to https://<my-domain>/admin but shows a 404.

At first I thought this might be a problem with nginx, so I followed the guide in the docs to set up a load balancer (https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy). There, under "Verify Configuration", it tells you to open the path https://<my-domain>/auth/realms/master/.well-known/openid-configuration, which works as expected and I get a JSON file with several links and other information in it. However, none of those links work - all give me a 404.

When I try https://<my-domain>/auth/realms/master I get a JSON response. So some links do work, so I think it's not a problem with nginx but with Keycloak itself.

So the basic question is: How do I configure Keycloak so that I can access the admin console via the internet? I've read that by default you can only access it on localhost, but there must be a way to override this default?

The relevant nginx config:

upstream keycloak {
    # Keycloak's plain-HTTP listener; TLS is terminated by nginx
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    # some ssl configuration for letsencrypt

    location / {
        proxy_pass          http://keycloak;
        # Pass the original host and client address through so that Keycloak
        # (with proxy-address-forwarding="true") can build its public URLs
        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Server  $host;
        proxy_set_header    X-Forwarded-Port    $server_port;
        # Tells Keycloak the client came in over TLS, so generated links use https://
        proxy_set_header    X-Forwarded-Proto   $scheme;
    }
}

Some parts in keycloak/standalone/configuration/standalone.xml that I've edited:

<subsystem xmlns="urn:jboss:domain:undertow:10.0" ...>
    ...
    <server name="default-server">
        <!-- proxy-address-forwarding makes Undertow trust the X-Forwarded-* headers
             set by nginx; redirect-socket is the port used when a request is
             redirected to HTTPS -->
        <http-listener name="default" 
            socket-binding="http" 
            redirect-socket="proxy-https"
            enable-http2="true"
            proxy-address-forwarding="true" />
        ...
    </server>
    ...
</subsystem>
...
<interfaces>
    <!-- any-address binds to every interface, so port 8080 and the management
         port are reachable past nginx unless a firewall blocks them -->
    <interface name="management">
        <any-address />
    </interface>
    <interface name="public">
        <any-address />
    </interface>
</interfaces>
<socket-binding-group name="standard-sockets" ...>
    ...
    <!-- the public HTTPS port nginx listens on, referenced by redirect-socket above -->
    <socket-binding name="proxy-https" port="443" />
    ...
</socket-binding-group>

EDIT

I was able to fix it. The problem was that Keycloak was redirecting the initial page from https://<my-domain>/ to https://<my-domain>/auth, but then in all other links this additional /auth was missing. So the admin link was pointing to https://<my-domain>/admin/master/console without the /auth part, and this page didn't exist. When I manually typed the URL with /auth in it I got a page with a "loading.." message, but all linked style and JavaScript files were also missing the /auth part in their URLs, so nothing was working.

To fix this I have now changed the line <web-context>auth</web-context> in standalone.xml to <web-context>/</web-context>, and now everything behaves as expected. There is no redirect anymore on the start page and all links work without the /auth part in them. However, it would be interesting to know why it wasn't working in the first place and how one would solve this if the /auth redirection was intended.

Manuel Mauky
  • I like the idea you added, @Manuel. Makes sense to me to exclude the `/auth` part. But in my case it seemed to help only to add that part to frontendUrl – mraxus Aug 27 '20 at 09:04
  • Where is this standalone.xml file and how do I edit it? – MoonLight Feb 03 '23 at 13:55
  • @MoonLight I believe the `standalone.xml` file is part of the old WildFly version of Keycloak and is absent in the Quarkus versions. – silvertiger Mar 22 '23 at 18:59

4 Answers


You helped me solve my issue. I was setting the Java system property keycloak.frontendUrl (or env KEYCLOAK_FRONTEND_URL), and apparently it wants a full URL, not just the hostname. Appending /auth fixed my redirect problems.

It looks like keycloak.hostname.fixed.hostname (KEYCLOAK_HOSTNAME) may also cause problems if /auth isn't appended.

See docs for details on the hostname provider here: https://www.keycloak.org/docs/latest/server_installation/index.html#hostname

Jess
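The docs' "Verify Configuration" step only tells you to open the discovery document; the question shows that the document can load fine while every link inside it is wrong. The script below is an added example (not code from the question, from this answer, or from Keycloak) that does that check offline: it parses the JSON served at <frontend>/realms/<realm>/.well-known/openid-configuration and verifies that the issuer and every advertised endpoint start with the public frontend URL, scheme, host and context path included. The host name sso.example.test and both sample documents are constructed for the example; the expected frontend URL is a parameter, so the same check works for the /auth web-context of the WildFly builds discussed here and for builds without it.

```python
"""Offline check of a Keycloak OpenID discovery document against the frontend URL.

Added example, not Keycloak's own code. It reproduces the docs' "Verify
Configuration" step without a live server: every link in the discovery
document must carry the scheme, host and context path of the public frontend
URL, otherwise browsers and clients following those links get 404s (missing
context path, as in the question) or mixed-scheme redirects (http:// links
when X-Forwarded-Proto is not honoured).
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the symptom from the question. The document itself is
# served at /auth/..., but the links inside it have lost the /auth context path.
BROKEN_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/realms/master",
    "authorization_endpoint": "https://sso.example.test/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.test/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://sso.example.test/realms/master/protocol/openid-connect/userinfo",
    "jwks_uri": "https://sso.example.test/realms/master/protocol/openid-connect/certs",
})

# Constructed sample: the same realm once the frontend URL is the full
# https://host/auth, so every link matches what nginx actually proxies.
GOOD_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/master",
    "authorization_endpoint": "https://sso.example.test/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.test/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://sso.example.test/auth/realms/master/protocol/openid-connect/userinfo",
    "jwks_uri": "https://sso.example.test/auth/realms/master/protocol/openid-connect/certs",
})


def link_fields(doc):
    """Names of the discovery fields whose values are URLs clients will follow."""
    return ["issuer"] + sorted(
        key for key in doc if key.endswith("_endpoint") or key == "jwks_uri"
    )


def check_discovery(doc, frontend_url):
    """Compare each link in the parsed discovery document with the frontend URL.

    Returns {field: [problem, ...]}; an empty dict means every link carries the
    expected scheme, host and context path. A scheme mismatch usually means the
    proxy's X-Forwarded-Proto header is not trusted (proxy-address-forwarding /
    PROXY_ADDRESS_FORWARDING); a missing context path is the question's symptom.
    """
    expected = urlsplit(frontend_url.rstrip("/"))
    problems = {}
    for field in link_fields(doc):
        url = doc.get(field)
        if not isinstance(url, str):
            problems[field] = ["missing"]
            continue
        parts = urlsplit(url)
        found = []
        if parts.scheme != expected.scheme:
            found.append(f"scheme {parts.scheme!r}, expected {expected.scheme!r}")
        if parts.netloc != expected.netloc:
            found.append(f"host {parts.netloc!r}, expected {expected.netloc!r}")
        # An empty expected path (no web-context) skips the context-path check.
        if expected.path and not parts.path.startswith(expected.path + "/"):
            found.append(f"path {parts.path!r} lacks context path {expected.path!r}")
        if found:
            problems[field] = found
    return problems


def check_discovery_json(text, frontend_url):
    """Same check on the raw response body, e.g. the output of curl."""
    return check_discovery(json.loads(text), frontend_url)


if __name__ == "__main__":
    for name, body in (("broken", BROKEN_DISCOVERY), ("good", GOOD_DISCOVERY)):
        result = check_discovery_json(body, "https://sso.example.test/auth")
        print(name, "OK" if not result else "")
        for field, issues in result.items():
            print(f"  {field}: {'; '.join(issues)}")
```

To use it against a real deployment, fetch the discovery document with curl from outside the server and pass the body and the frontend URL you expect (the one set as keycloak.frontendUrl or, on the WildFly builds, https://host/auth) to check_discovery_json; anything it reports is a link that a client will follow to the wrong place.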

I had the same issue with Keycloak instances behind an nginx reverse proxy in my Kubernetes cluster. I fixed it by setting the env PROXY_ADDRESS_FORWARDING to true: PROXY_ADDRESS_FORWARDING=true

daniel rubambura
    I needed to add this when deploying the docker version to an azure app service – chris Oct 16 '20 at 10:58
  • Thank you very much! I tried different settings but only this worked on AWS with an application load balancer (with SSL) + nginx reverse proxy + keycloak 19.0.1 – costigator Aug 25 '22 at 14:09

Add this env: KC_TRANSACTION_XA_ENABLED=false

Jojo Gee

Try opening /auth/admin/master/console/ in a browser.

Additional Info:

https://www.keycloak.org/docs/latest/getting_started/index.html

https://www.keycloak.org/docs-api/8.0/rest-api/index.html

Oh, and I recommend using a dockerized Keycloak. The upgrade path to a newer version is much easier.

Julian Egner
  • When I open `/auth/admin/master/console/` I see "{{notification.header}} {{notification.message}} Loading...". In the browser devtools I can see that a big number of scripts and CSS files can't be loaded because of a 404. – Manuel Mauky Dec 17 '19 at 08:31
  • I think the problem is that `/auth` is missing in the generated links. For example the `styles.css` file is referenced with the link `https:///resources/ik361/admin/keycloak/css/styles.css`, which is not available. But if I add `/auth` directly behind the domain like this `https:///auth/resources/ik361/admin/keycloak/css/styles.css` then it works. So the question is: Why is Keycloak (or nginx?) removing this part from URLs? – Manuel Mauky Dec 17 '19 at 08:52
  • I think that it could be an nginx issue. Can you try to access Keycloak from the machine itself? Then you know whether it's something with nginx. – Julian Egner Dec 17 '19 at 13:52