KeyCloak can not open Admin-Web-UI with the new V2 Runtime
Hello everyone,
When I updated the runtime of my KeyCloak instance to the new Runtime V2, I noticed that I could no longer access the Admin Web UI. It gets stuck at the loading circle "Loading the Admin UI". I didn't notice anything suspicious in the KeyCloak logs.
In the network console you can see that a call is leading to a 403.
(I don't know how this could be related to the runtime)
The user management UI doesn't work either (where users can manage their own information)
I get a message saying "failed to initialize keycloak"
(You can also see the 403 here in the network console)
My Dockerfile uses the same multi-run logic as here:
https://github.com/leonardochappuis/keycloak-docker/blob/master/Dockerfile
I hope someone knows what the cause is, because in the future
the V2 runtime is set.
Thanks in advance for your time
Solution:Jump to solution
there is no longer a need for the caddy proxy, can you please try deploying this pr
https://github.com/leonardochappuis/keycloak-docker/pull/3...
25 Replies
Project ID:
f751037a-ba7a-42ab-8a24-90e99fcd12d3f751037a-ba7a-42ab-8a24-90e99fcd12d3
I have now updated KeyCloak to the latest version, namely version 25.0.1.
Now I get a different error message:
"HTTPS required"
The logs say:
error="ssl_required"
This error only appears in the V2 runtime.
Has anything changed regarding SSL processing in the V2 runtime?
interesting, I will look into it later today
To clarify this :
I get the error described here (ssl_required)
when I open the standard login form for end users.
Basically, you can say that various things do not work under the V2 runtime, even with different KeyCloak versions.
The new edge Proxy-Feature also did not make a difference
i think, i found the solution. I will test it a little more and post it than here
OK, I've now made a small step forward:
If I set the KeyCloak parameter "Proxy Headers" to "forwarded" and no longer to "xforwarded" then at least the login page is displayed correctly again.
The login still doesn't work and I can't access the admin UI either.
Does the new runtime use new proxy headers?
Another new finding:
When redirecting from KeyCloak to my application,
the KeyCloak server is specified in the "iss" parameter in the URL.
The legacy runtime uses https.
The V2 runtime uses http.
This reinforces my suspicion that
the behavior regarding the forward headers has changed
the runtime and the edge proxy are separate systems, the runtime would have nothing to do with headers
OK, then the behavior surprises me even more.
I'll try to get the Caddy proxy to log the incoming HTTP headers to check
whether the forwarded headers change in any way
Solution
there is no longer a need for the caddy proxy, can you please try deploying this pr
https://github.com/leonardochappuis/keycloak-docker/pull/3
Nice, i will give it a try and post the results here
for what it's worth, I was able to reproduce the issue you described with a fresh template deploy, but I got it to work and was able to login after making the changes that I submitted in that PR
That's good to hear (:
I'm curious what causes these errors in the new runtime, but it's not worth going into the analysis if the PR fixes the problem
not sure the runtime is at fault here, we can't jump to such conclusions
jumping to conclusions like that has bit me in the past
It works now! Thanks for your support Brody!
Bought you some coffees ☕
thank you very much! I appreciate that
how can i mark your answer as the solution?
only mods/admins can
ahh, that explains it (:
update, my pr was merged and the template was updated!
Hello. I did not understand what was I supposed to do but just deployed this app I am not able to display the login page for some reason. It just tries to open and then giving this screen:
What is the problem you think? Thank you in advance!
change
KC_HOSTNAME="${{RAILWAY_PUBLIC_DOMAIN}}" to KC_HOSTNAME="https://${{RAILWAY_PUBLIC_DOMAIN}}"
@Obstkompost - can you update this on the template for future users?Thank you!
Hello Brody,
I have created a pull request here, which should hopefully make the template useable again.
https://github.com/leonardochappuis/keycloak-docker/pull/5
In the future it would probably be good if someone updated the template who also uses the template itself.
I have added a new parameter “KC_PROXY_HEADERS” to the pull request.
Does it have to be included here in the line so that it works:https://github.com/leonardochappuis/keycloak-docker/blob/master/Dockerfile#L3 ?
not sure, but it can't hurt