Like in the title: How to disable the requirement of https on Keycloak? Using only the terminal, as I can't log in to the administrator panel, because... there's no https.
You could change "Require SSL" in Realm settings, Login tab.
The options are
external requests
Keycloak can run out of the box without SSL so long as you stick to
private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x,
and 172..16.x.x. If you don’t have SSL/HTTPS configured on the server
or you try to access Keycloak over HTTP from a non-private IP adress
you will get an error.
none
Keycloak does not require SSL. This should really only be used in
development when you are playing around with things.
all requests
Keycloak requires SSL for all IP addresses.
The SSL mode for each realm can be configured in the Keycloak admin console.
Related
I am setting up Keycloack 18.0.0 behind AWS Application Load Balancer
Load Balancer listening on 443 (HTTPS) and forwarding requests to Port 8443, the default port of Keycloak.
Keycloak has been configured in production mode
I am using a self-signed certificate
Keycloak.conf image I have attached.
I also have added KEYCLOAK_ADMIN, and KEYCLOAK_ADMIN_PASSWORD in environment variables, please see attached screenshot of printenv command
With this I am able to access Keycloak home page but I am getting error
You need local access to create the initial admin user.
I also have added KEYCLOAK_ADMIN, and KEYCLOAK_ADMIN_PASSWORD
That's not correct. Keycloak must have those env variables configured, when it is starting, not your user.
I have set up Keycloak (docker container) on the GCP Compute Engine (VM). After setting the sslRequired=none, I'm able to access Keycloak over a public IP (e.g. http://33.44.55.66:8080) and manage the realm.
I have configured the GCP CLassic (HTTPS) Load Balancer and added two front-ends as described below. The Load Balancer forwards the request to the Keycloak instance on the VM.
HTTP: http://55.44.33.22/keycloak
HTTPS: https://my-domain.com/keycloak
In the browser, the HTTP URL works fine and I'm able to login to Keycloak and manage the realm. However, for the HTTPS URL, I get the below error
Mixed Content: The page at 'https://my-domain.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://my-domain.com/auth/js/keycloak.js?version=gyc8p'. This request has been blocked; the content must be served over HTTPS.
Note: I tried this suggestion, but it didn't work
Can anyone help with this, please?
I would never expose Keycloak on plain http protocol. Keyclok admin console itself is secured via OIDC protocol and OIDC requires to use https protocol. So default sslRequired=EXTERNAL is safe and smart configuration option from the vendor.
SSL offloading must be configured properly:
Keycloak container with PROXY_ADDRESS_FORWARDING=true
loadbalancer/reverse proxy (nginx, GCP Classic Load Balancer, AWS ALB, ...) with proper request header X-Forwarded-* configuration, so Keycloak container will know correct protocol, domain which is used for the users
I am connecting to Keycloak remotely. And when I try to open the Admin Console, I get an error saying HTTPS required.
In one of the websites, it says that I should do this: "update REALM set ssl_required='NONE' where id = 'master';"
But I do not know the consequences of doing this. Will this make it unsecure? Or can I reverse this?
Thank you
(And If I would run Keycloak within a docker image would this problem be solved?)
Admim console uses open id connect protocol, which needs HTTPS to be secure. So it isn't good idea to disable ssl in the prod environment.
Keycloak in the container doesn't solve your problem. But it provides user friendly approach to generate selfsigned cert - Keycloak Docker HTTPS required
Secure option is to generate valid TLS certificate and use it in your Keycloak instance, so you have valid secure TLS/HTTPS connection.
I've just setup Keycloak on Kubernets. Its working as expected only I have to port-forward into the Pod to access the web UI. If I access it from the internet as soon as I land on the login page I get the error Invalid parameter: redirect_uri
I get this accessing both the master and my application realm.
Keycloak allows non-HTTPS communication over private IP addresses like
localhost, 192.168.x.x, and other private IP addresses.
You might need to setup HTTPS/SSL
https://www.keycloak.org/docs/latest/server_installation/index.html#setting-up-https-ssl
I'm using the Keycloak authorization server in order to manage my application permissions. However, I've found out the standalone server can be accessed locally only.
http://localhost:8080/auth works, but not it does http://myhostname:8080/auth. This issue doesn't permit accessing the server from the internal network.
The standalone Keycloak server runs on the top of a JBoss Wildfly instance and this server doesn't allow accessing it externally by default, for security reasons (it should be only for the administration console, but seems to affect every url in case of Keycloak). It has to be booted with the -b=0.0.0.0 option to enable it.
However, if your Wildfly is running on a remote machine and you try to
access your administrative page through the network by it’s IP address
or hostname, let’s say, at http://54.94.240.170:8080/, you will
probably see a graceful This webpage is not available error, in
another words, Wildfly said “No, thanks, I’m not allowing requests
from another guys than the ones at my local machine”.
See also:
Enable Wildfly remote access
Wildfly remotely access administration console doesnt work
you can start keycloak server with this command
standalone.bat -b 0.0.0.0
For anyone who happens by here now, I found this in the documentation for Keycloak 8:
Users can interact with Keycloak without SSL so long as they stick to
private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x,
and 172.16.x.x. If you try to access Keycloak without SSL from a
non-private IP address you will get an error.
This is how you can disable it from the admin console, just click on your realm, and make the mentioned option.
Note: Don't forget the following
standalone.bat -b 0.0.0.0