Keycloak does not redirect to https - keycloak

I have Keycloak installed on a host without SSL, so my Keycloak server is accessed over HTTP.
This is my Keycloak configuration in docker-compose:
```yaml
keycloak:
  image: jboss/keycloak:10.0.2
  restart: always
  depends_on:
    - keycloak-db
  networks:
    - keycloak-net
  ports:
    - "8180:8080"
  environment:
    DB_VENDOR: POSTGRES
    DB_ADDR: keycloak-db
    DB_PORT: 5432
    DB_DATABASE: keycloak
    DB_USER: keycloak
    DB_PASSWORD: password
    KEYCLOAK_USER: admin
    KEYCLOAK_PASSWORD: admin
    PROXY_ADDRESS_FORWARDING: "true"
    JDBC_PARAMS: "useSSL=true"
    REDIRECT-SOCKET: "proxy-https"
```
Then, when my application logs in with Keycloak and tries to redirect to https://host/service-name, Keycloak replaces https with http and my login fails. This is a dev environment, and that is the reason I use http instead of https for Keycloak.
My client configuration in Keycloak is:
- Client protocol: openid-connect
- Access type: confidential
- Standard flow: enabled
- Direct access grants: enabled
- Service accounts: enabled
- Authorization: enabled
- Valid redirect URIs: https://host/service-name

Host is my EKS host and service-name is the name of my application. For example, https://eks.host/location
Any idea how I can redirect to my application?
Thanks in advance.

Related

Keycloak redirecting to Hostname but with port number too

I have configured nginx and given Keycloak the hostname http://keycloak.formsflow.ai for localhost:8080, but as I see in the redirection URL it shows port number 8080. How can I remove it?
Keycloak shows the port number in the redirection along with the hostname.
Below is my docker config for Keycloak:
```yaml
keycloak:
  image: quay.io/keycloak/keycloak:14.0.0
  container_name: keycloak
  volumes:
    - ./configuration/imports:/opt/jboss/keycloak/imports
  command:
    - "-b"
    - "0.0.0.0"
    - "-bmanagement=0.0.0.0"
    - "-Dkeycloak.import=/opt/jboss/keycloak/imports/formsflow-ai-realm.json"
    - "-Dkeycloak.migration.strategy=OVERWRITE_EXISTING"
  environment:
    - DB_VENDOR=POSTGRES
    - DB_ADDR=keycloak-db
    - KEYCLOAK_HOSTNAME=keycloak.formsflow.ai
    - DB_DATABASE=${KEYCLOAK_JDBC_DB:-keycloak}
    - DB_USER=${KEYCLOAK_JDBC_USER:-admin}
    - DB_PASSWORD=${KEYCLOAK_JDBC_PASSWORD:-changeme}
    - KEYCLOAK_USER=${KEYCLOAK_ADMIN_USERNAME:-admin}
    - KEYCLOAK_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-changeme}
  ports:
    - 8080:8080
```
Config to set for Keycloak to remove the port number from the redirection URL:

When behind a reverse proxy, configure the Keycloak properties:

```
PROXY_ADDRESS_FORWARDING=true
KEYCLOAK_FRONTEND_URL=http://keycloak.formsflow.ai/auth
```

You may also need to configure the headers X-Forwarded-Proto and X-Forwarded-Host in Nginx.

Keycloak urls setup

I want to run Keycloak and play with it. So I run a container in Docker with the quay.io/keycloak/keycloak:20.0.1 image.
```yaml
version: '3.8'
networks:
  default-dev-network:
    external: true
services:
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:20.0.1
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgresdb:5432/keycloak
      KC_DB_USERNAME: postgres
      KC_DB_PASSWORD: pass
      KC_DB_SCHEMA: public
      KC_HOSTNAME: localhost
      KC_HTTPS_PORT: 8443
      KC_HTTPS_PROTOCOLS: TLSv1.3,TLSv1.2
      KC_HTTP_ENABLED: "true"
      KC_HTTP_PORT: 8080
      KC_METRICS_ENABLED: "true"
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password
    ports:
      - 18080:8080
      - 8443:8443
    command: start-dev
    networks:
      - default-dev-network
```
Then I created a realm test-realm and a client test-client. So I want to request a bearer token for it. I run

```shell
curl \
  -d 'client_id=test-client' \
  -d 'client_secret=xajewuZlBHL75rpiPttHday8t34aOnYa' \
  -d 'grant_type=client_credentials' \
  'http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token'
```

and I get

```json
{"error":"RESTEASY003210: Could not find resource for full path: http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token"}
```
I'm reading the documentation on https://www.keycloak.org, but there are so many details there that I'm afraid it will take weeks to figure everything out. Maybe there's a shorter guide?
New versions of Keycloak (after the rewrite in Quarkus) removed the /auth context path.
You can either remove it from the URL or set the property KC_HTTP_RELATIVE_PATH=/auth.
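A way to stop caring whether /auth is there at all, as an added example that is not part of the question or the answer and not Keycloak's code: resolve the token endpoint through OIDC discovery and then send the same client_credentials request the curl above sends. The discovery document embedded below is constructed to look like one from the question's deployment; the `_canned_opener` stands in for the network so the flow runs offline, and the client secret is a placeholder.

```python
"""Resolve Keycloak's token endpoint via OIDC discovery instead of hard-coding /auth.

Added example, not from the post. Pre-Quarkus Keycloak served under /auth;
newer builds serve at the root unless KC_HTTP_RELATIVE_PATH is set. The
.well-known document reports the real endpoints, so a client built on it
works with either layout. SAMPLE_DISCOVERY_DOC is a constructed document.
"""

import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed: the subset of a realm's discovery document this flow needs.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "http://localhost:18080/realms/test-realm",
    "authorization_endpoint": "http://localhost:18080/realms/test-realm/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:18080/realms/test-realm/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:18080/realms/test-realm/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "client_credentials"],
})


def discovery_url(base_url, realm, relative_path=""):
    """Build the .well-known URL; relative_path mirrors KC_HTTP_RELATIVE_PATH
    ("/auth" on legacy deployments, "" on current ones)."""
    prefix = relative_path.strip("/")
    prefix = f"/{prefix}" if prefix else ""
    return f"{base_url.rstrip('/')}{prefix}/realms/{realm}/.well-known/openid-configuration"


def load_endpoints(doc):
    """Pull issuer and token endpoint out of a discovery document (str, bytes or dict)."""
    data = json.loads(doc) if isinstance(doc, (str, bytes)) else doc
    return {"issuer": data["issuer"], "token_endpoint": data["token_endpoint"]}


def client_credentials_request(token_endpoint, client_id, client_secret):
    """Build the POST the curl in the question sends, authenticating with HTTP Basic
    (the OAuth default for confidential clients, which Keycloak accepts)."""
    body = urlencode({"grant_type": "client_credentials"}).encode()
    req = Request(token_endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    return req


def fetch_token(base_url, realm, client_id, client_secret, relative_path="", opener=urlopen):
    """Discover the token endpoint, then exchange client credentials for an access token.
    `opener` is injectable so the whole flow can be exercised without a server."""
    with opener(discovery_url(base_url, realm, relative_path)) as resp:
        endpoints = load_endpoints(resp.read())
    req = client_credentials_request(endpoints["token_endpoint"], client_id, client_secret)
    with opener(req) as resp:
        return json.loads(resp.read())["access_token"]


class _CannedResponse:
    """Minimal stand-in for the object urlopen returns."""
    def __init__(self, body): self._body = body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def _canned_opener(target):
    """Offline replacement for urlopen, answering only the two URLs the flow uses."""
    url = target.full_url if isinstance(target, Request) else target
    if url.endswith("/.well-known/openid-configuration"):
        return _CannedResponse(SAMPLE_DISCOVERY_DOC.encode())
    if url.endswith("/protocol/openid-connect/token"):
        if not target.get_header("Authorization"):
            raise PermissionError("client credentials missing")
        return _CannedResponse(json.dumps({"access_token": "constructed.access.token",
                                           "token_type": "Bearer"}).encode())
    raise ValueError(f"unexpected URL {url}")


def demo():
    """Run the flow against the canned server; returns the access token."""
    return fetch_token("http://localhost:18080", "test-realm",
                       "test-client", "changeme", opener=_canned_opener)


if __name__ == "__main__":
    print(discovery_url("http://localhost:18080", "test-realm"))
    print(discovery_url("http://localhost:18080", "test-realm", "/auth"))
    print(demo())
```

Against a real server, call `fetch_token` without the `opener` argument (and with the client's actual secret); the only thing that changes between a legacy /auth deployment and a current one is the `relative_path` argument, because every other URL comes from the discovery document. A secret pasted into a public question, like the one in the curl above, should be regenerated in the client's Credentials tab.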

What is the keycloak docker compose Yaml file format for external postgres db connection URL

I need to set up the Keycloak docker server with an external Postgres database connection URL.
Here's my current YAML file content, which is working with the Postgres docker container image as mentioned:
```yaml
version: '3'
volumes:
  postgres_data:
    driver: local
services:
  postgres:
    image: postgres:11
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    ports:
      - 5433:5432
  keycloak:
    image: jboss/keycloak:latest
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_SCHEMA: public
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: password
      KEYCLOAK_LOGLEVEL: DEBUG
      ROOT_LOGLEVEL: DEBUG
    ports:
      - 8080:8080
      - 8443:8443
    depends_on:
      - postgres
```
I checked the official documentation for passing an external DB connection URL,
but didn't get exactly what changes will be needed in the YAML file.
ref: https://hub.docker.com/r/jboss/keycloak/
I tried removing the postgres and depends_on sections from services and passing the database connection details in the Keycloak environment section in the YAML, but it did not work for me.
Can anyone suggest the correct YAML file changes to use a PostgresDB connection URL?
Thank you.
Docker containers can see each other by their service name, so here the service name postgres is actually the connection URL for the keycloak container.
```yaml
version: '3'
volumes:
  postgres_data:
    driver: local
services:
  postgres:  # Service name
    image: postgres:11
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    ports:
      - 5433:5432
  keycloak:
    image: jboss/keycloak:latest
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres  # <<< This is the address, change it to your external db ip/domain
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_SCHEMA: public
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: password
      KEYCLOAK_LOGLEVEL: DEBUG
      ROOT_LOGLEVEL: DEBUG
    ports:
      - 8080:8080
      - 8443:8443
    depends_on:
      - postgres
```

Set forceBackendUrlToFrontendUrl from KeyCloak by using Kubernetes

Is it possible to set forceBackendUrlToFrontendUrl as an environment variable in Kubernetes?
My problem is that the backend communication from pod to pod is over unencrypted HTTP. Keycloak (frontend) is only reachable over HTTPS.
The JWT has the "iss" claim https://......, and the service calls Keycloak to check this token. Keycloak says the token is invalid because the "issuer" is invalid, and yes, it is right, https is not http.
I think I must set the variable forceBackendUrlToFrontendUrl from the Keycloak documentation, but I have no idea how I can set this in Kubernetes.
I had a similar problem; the configuration below is working for me:

Keycloak:
- Outside: https://keycloak.mydomain.com
- Inside: https://keycloak.namespace.svc:8443
- Keycloak container env variables:

```yaml
env:
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KEYCLOAK_FRONTEND_URL
    value: https://keycloak.mydomain.com/auth/
```

---

Frontend:
- Outside: https://myfrontend.com
- Inside: http://myfrontend.namespace.svc:8080
- keycloak.json: "url": "https://keycloak.mydomain.com/auth",
- Keycloak Admin Console:
  - frontend-client: Root URL: https://myfrontend.com

---

Backend:
- Outside: https://myfrontend.com/api
- Inside: http://mybackend.namespace.svc:8080
- Keycloak Admin Console:
  - backend-client: Root URL: http://mybackend.namespace.svc:8080

This is a Spring Boot application:
- application.yml

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            authorization-uri: "https://keycloak.mydomain.com/auth/realms/<realm>/protocol/openid-connect/auth"
            jwk-set-uri: "https://keycloak.namespace.svc:8443/auth/realms/<realm>/protocol/openid-connect/certs"
            token-uri: "https://keycloak.namespace.svc:8443/auth/realms/<realm>/protocol/openid-connect/token"
            user-info-uri: "https://keycloak.namespace.svc:8443/auth/realms/<realm>/protocol/openid-connect/userinfo"
            issuer-uri: "https://keycloak.mydomain.com/auth/realms/<realm>"
```
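The issuer check the question fails on, and the split the answer's application.yml makes (issuer-uri = public URL, JWKS and token endpoints = in-cluster URL), as an added example that is not part of either post and not Keycloak's or Spring Security's code. The tokens are constructed and signed with HS256 under a shared secret so the block runs offline; Keycloak signs with RS256 and a real verifier fetches the realm's public keys from the jwk-set-uri instead. The realm name, hostnames and claim values are assumptions modelled on the answer.

```python
"""Why a backend that derives its issuer from the pod-to-pod URL rejects Keycloak's
tokens, and what verifying against the frontend issuer looks like.

Added example, not Keycloak or Spring code. Tokens here are HS256 under a
constructed shared secret so this runs offline; Keycloak uses RS256 with keys
published at the realm's certs endpoint, so swap in JWKS-based verification
for real use. Hostnames and the realm name are assumptions.
"""

import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"  # stands in for the realm key; not a real key

# The two URLs the same realm is reached through in the answer above.
FRONTEND_ISSUER = "https://keycloak.mydomain.com/auth/realms/myrealm"
BACKEND_ISSUER = "http://keycloak.namespace.svc:8080/auth/realms/myrealm"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer, audience, subject, ttl=300, now=None):
    """Build a JWT the way Keycloak would: iss is always the *frontend* URL."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_issuer, expected_audience, now=None):
    """Check signature first, then iss, aud and exp. Returns (ok, reason, claims)."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return False, "malformed", None
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # the verifier, never the token, picks the algorithm
        return False, "unexpected alg", None
    expected_sig = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_issuer:
        return False, f"issuer mismatch: {claims.get('iss')} != {expected_issuer}", claims
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch", claims
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired", claims
    return True, "ok", claims


def check_with_backend_issuer(token, now=None):
    """The failing setup from the question: issuer derived from the in-cluster http URL."""
    return verify_token(token, BACKEND_ISSUER, "backend-client", now)


def check_with_frontend_issuer(token, now=None):
    """The answer's setup: issuer-uri is the public https URL; only the key/token
    endpoints point at the in-cluster service."""
    return verify_token(token, FRONTEND_ISSUER, "backend-client", now)


if __name__ == "__main__":
    token = mint_token(FRONTEND_ISSUER, "backend-client", "alice")
    print(check_with_backend_issuer(token)[:2])
    print(check_with_frontend_issuer(token)[:2])
```

The point of the split is that the issuer is an identity, not a route: the token carries whatever public URL Keycloak was configured with (KEYCLOAK_FRONTEND_URL), so the backend must compare against that string while it is free to fetch keys and exchange codes over the internal service address. Signature verification stays first in `verify_token` on purpose; nothing in the claims is trusted before the signature holds, and the algorithm is fixed by the verifier rather than read from the token.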

network issue in one docker compose with keycloak and tomcat container

Greetings,
I'm a beginner learning web authentication, and would like to try it out with Tomcat and Keycloak in docker compose. I put them in one docker-compose.yml as follows:
```yaml
version: '2'
services:
  postgres:
    image: postgres
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DATABASE: 'keycloak'
      POSTGRES_USER: 'keycloak'
      POSTGRES_PASSWORD: 'keycloak'
      POSTGRES_ROOT_PASSWORD: 'test'
    volumes:
      - ./postgres:/mnt/shares/postgres
  keycloak:
    image: jboss/keycloak-postgres
    ports:
      - "800:8080"
    links:
      - postgres
    environment:
      POSTGRES_PORT_5432_TCP_ADDR: 'postgres'
      POSTGRES_DATABASE: 'keycloak'
      POSTGRES_USER: 'keycloak'
      POSTGRES_PASSWORD: 'keycloak'
      KEYCLOAK_USER: 'admin'
      KEYCLOAK_PASSWORD: 'admin'
      POSTGRES_ROOT_PASSWORD: 'test'
    depends_on:
      - postgres
    volumes:
      - ./keycloak:/mnt/shares/keycloak
  tomcat_keycloak:
    build: .
    ports:
      - "880:8080"
    volumes:
      - ./web:/mnt/shares/web
      - ./scratches:/mnt/shares/scratches
```
This launches fine. Next I created the realm, client, and user in Keycloak, and obtained a keycloak.json for Tomcat as follows:

```json
{
  "realm": "TestRealm",
  "auth-server-url": "http://192.168.208.130:800/auth",
  "ssl-required": "external",
  "resource": "test-client",
  "public-client": true,
  "use-resource-role-mappings": true
}
```
where 192.168.208.130 is my host IP address. Then I tried a static web link on my Tomcat server. I could be redirected to the Keycloak login page, but after entering the user name and password I got HTTP status 403. In the Keycloak events I saw the logon was successful and a session was established. I checked the Tomcat output and found the following:

```
07-Apr-2017 17:37:04.240 INFO [http-apr-8080-exec-4] org.apache.http.impl.client.DefaultHttpClient.tryConnect I/O exception (java.net.NoRouteToHostException) caught when connecting to {}->http://192.168.208.130:800: No route to host (Host unreachable)
```
It looks like from my Tomcat container I cannot make an HTTP client connection to my Keycloak server container via the URL with the host IP address. I can ping the host IP from the Tomcat container, though.
Could you help me find out what I'm missing in this configuration? Really appreciated.