I am trying to have users access Keycloak from a different hostname through a proxy. Instead of the actual AWS hostname aws.exampleurl.com:8080 I have a proxy which routes all traffic from example.hostname.com/auth to the AWS url. I am able to access the Keycloak welcome screen and kick off the administrator login (with failed CSS loads which I assume is due to the same issue but I'm not sure), but when I input a set of credentials I am told that there was no cookie found. I have the cookies set to allow all in my browser (Brave).
I have set the HOSTNAME_URL env var to example.hostname.com/auth, tried using a mixture of the HOSTNAME and HOSTNAME_PATH env vars. I have tried setting HOSTNAME_STRICT to false, but to no luck. I've tried restarting the service and restarting the database I have running with Keycloak but these changes have also not worked.
Any ideas on how to get this running correctly would be amazing. Let me know if more info is needed to reproduce.
Related
After changing the domain name, Keycloak is still trying to authenticate using the old domain name. I'm using the Keycloak version 16.1 with KeycloakJS on the frontend using PKCE, on a server that runs everything in docker containers behind an Nginx reverse proxy.
I have changed all the references of the old domain to the new one, but it still redirects to the old domain:
https://auth.old-domain.com/auth/realms/dev-realm/protocol/openid-connect/3p-cookies/step1.html
All the other resources are requested from the new domain, except the step1.html, which is calling the above link.
Any idea of what may be the culprit?
Found the problem. It's not related to Keycloak.
Even though I have changed the auth URL in the frontend application to the new domain, the CI/CD pipeline wasn't updating the docker image for the frontend application, so it used the old image that had the reference to the old domain.
Problem is, I'm starting the Quarkus service and a Keycloak in a docker-compose setup, where I need to configure the internal hostname and it won't be the same I will use to authenticate from outside.
In the following picture I want Swagger-UI to open the external url (http://localhost:8180 in my case) instead of the internal docker-compose url (http://keycloak:8080).
Is there a config property available to change this? I don't not find anything matching and tried out some stuff, but was unsuccessful.
I'm starting the Keycloak server in devmode and mount a custom realm during file.
To the Quarkus service I set the following properties:
environment:
QUARKUS_OIDC_AUTH_SERVER_URL: http://keycloak:8080/realms/WPLAT_dev-keycloak-realm
QUARKUS_OIDC_CLIENT_ID: my-service
QUARKUS_OIDC_CREDENTIALS_SECRET: secret
QUARKUS_OIDC_TOKEN_ISSUER: http://localhost:8180/realms/WPLAT_dev-keycloak-realm
(QUARKUS_OIDC_TOKEN_ISSUER was needed or otherwise the returned tokens weren't accepted)
I am having trouble trying to figure out what the values should be for 'Valid Redirect URIs', 'Base URL', 'Backchannel Logout URL'.
I am using Keycloak 15.02 along with 10 Spring Boot applications, and 2 Realms. The suite of applications and Keycloak are deployed to our customer sites, and may have more than 2 realms in some cases.
In our dev environment we have two hosts (api.dev, and web.dev) that are running Keycloak, and client apps. Everything is running Docker containers.
The client config for `Valid Redirect URIs', and 'Backchannel Logout URL' currently include the host name web.dev. I'd like to be able to remove that host name to make the Realm configs portable between environments. Having to configure each client in each realm makes for a lot of repetitive and mistake-prone work.
But when I remove the hostname, I get the error: Invalid parameter: redirect_uri.
The redirect URL shown by Keyloak in the request parameters looks the same for both configurations so I dont really understand why its telling me that its invalid.
This works:
That configuration produces the redirect_uri value seen in the following request:
http://api.dev.etisoftware.local:8080
/auth/realms/OSS/protocol/openid-connect/auth
?response_type=code
&client_id=launchpad
&scope=openid%20profile%20email%20roles
&state=E-8VBZUc1CbsIUi5HdPG68pNK1IVNB8bzDT3Aengx9Q%3D
&redirect_uri=http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS
&nonce=3OUMxVmrglSC0KK-WGWDjG4yB9TOuvqBO5TMnDk4R-A
But this does not:
That configuration produces the redirect_uri value seen in the following request:
http://api.dev.etisoftware.local:8080
/auth/realms/OSS/protocol/openid-connect/auth
?response_type=code
&client_id=launchpad
&scope=openid%20profile%20email%20roles
&state=cGh1zZ3et0ssogIsNclL2sHcrfDxNePaHf5UXxw0aR8%3D
&redirect_uri=http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS
&nonce=Qm846RYZZnU3fG4Cj75e8lBejupf24VbV1WjDVW1NJA
As you can see the values for redirect_uri in the request parameters are same for both requests and client configurations so its unclear (to me) what Keycloak is trying to tell me.
I also happen to have Keycloak and the client apps running in a K3s cluster. For some reason on that environment I dont have to have the hostname in the Valid Redirect URIs and it works perfectly fine. Is it just a fluke?
Redirect URIs tooltip:
"Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/’. Relative path can be specified too such as /my/relative/path/. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request"
So if you want to use relative paths in the redirect URIs, then configure properly Root URL, not Base URL.
I got this answered on Keycloak's site but Jangaraj.
https://keycloak.discourse.group/t/trouble-with-configuring-client-valid-redirect-uris/13251
I have setup a local (debian) installation of spinnaker and everything looks fine. I had also setup the authentication as ldap and able to sign in as well.
For authorization, I am using the FILE and have already enabled.
However, When I am trying to select an account in the application which I have created, it does not list any of the accounts.
I checked the logs and I am getting the following error in the logs:
Request GET:http://localhost:7002/applications/samit-app/serverGroups?expand=false is missing [X-SPINNAKER-ACCOUNTS] authentication headers and will be treated as anonymous.
Also, the deck and gate URLs are overridden and are behind a nginx proxy.
Can someone help me here and let me know what part I am missing in this setup?
You must choose an Account provider to deploy to and set it as a new Account in Halyard.
Set up an Account provider
I have created keycloak docker image and deployed in kubernates in my on premise server and setup localhost: as redirect URLs and when I am accessing it from other systems, it should be the IP address of that system, instead of localhost. Could you please help me to get dynamic IP setup in my keycloak from Kubernetes script?
I think you can just set the redirectUris in your realm config to *. Otherwise each system to be accessible needs to be added to the realm, which you can do from the admin console or through the API.
In Activiti we distribute a keycloak helm chart with a custom realm for activiti installations. In that we set redirectUris to * and allow that to be overridden at install time. We're doing that in a helm chart but if you weren't using a helm template then you could do a sed to replace a string. But that is for a shareable distribution. If you've just got a single installation then I'd expect you to be adding applications/clients to the realm through the console or API.