Keycloak 20.0.1 initial install/config on server w/o GUI


RG

Nov 14, 2022, 4:16:09 AM
to Keycloak User
I am following the getting started guides but have no luck initially accessing the admin console to set up my installation of Keycloak 20.0.1. The guides all suggest opening http://localhost:8080, which is not possible when you install Keycloak on a server. Opening the URL via lynx does not work: the Welcome page loads, but navigating to the Admin Console says: "You need JavaScript".

Wondering why the Keycloak install guides do not consider someone installing this thing on a regular server without having access to a GUI, I moved on to setting up a reverse proxy to make localhost available under a URL I can actually open in a regular web browser:

What I did:
Result is:

As I am out of bullets now: can someone please provide pointers on how to initially set up Keycloak 20.0.1 on a regular server, CLI only? ... or at least how to access the admin console? Thank you!

gilles.etc...@gmail.com

Nov 14, 2022, 5:53:18 AM
to Keycloak User

Hello,

> As I am out of bullets now: can someone please provide pointers on how to initially set up Keycloak 20.0.1 on a regular server, CLI only? ...
Keycloak installation and configuration can be done in CLI mode.
Some technical parameters can be configured at build or run time (context-root, proxy mode, logging, ...)
But the functional configuration must be made via calls to the admin REST API via curl calls
  ==> I mean the realm creation, the session length, the flow configuration

Using the admin console is the easier way to perform functional configuration, but you can record the HTTP calls and automate them with curl calls.

In my experience, we use the admin console on the dev environment and prepare scripts with curl calls (or a Postman envelope) to deploy the configuration on other envs


> or at least how to access the admin console? Thank you!
In your setup, with an HTTPS proxy in front, you can try to launch your KC with --proxy=edge (https://www.keycloak.org/server/reverseproxy)


Or, if you want to access http://localhost:8080/admin/master/console, launch KC with the following env vars :
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME_STRICT_HTTPS=false #For local access to console admin in start mode
- KC_HTTP_ENABLED=true

RG

Nov 14, 2022, 6:57:05 AM
to Keycloak User
Thanks Gilles! I highly appreciate your taking time to respond, however...
 
> ==> I mean the realm creation, the session length, the flow configuration
> Using the admin console is the easier way to perform functional configuration, but you can record the HTTP calls and automate them with curl calls.

I really would like to use the admin console on the web - that's my problem: I cannot access it the way it is set up (non-localhost)

>> or at least how to access the admin console? Thank you!
> In your setup, with an HTTPS proxy in front, you can try to launch your KC with --proxy=edge (https://www.keycloak.org/server/reverseproxy)

That's what I am already doing - cf. command above ;)

> Or, if you want to access http://localhost:8080/admin/master/console, launch KC with the following env vars :
> - KC_HOSTNAME_STRICT=false
> - KC_HOSTNAME_STRICT_HTTPS=false #For local access to console admin in start mode
> - KC_HTTP_ENABLED=true

The server is a vServer on the internet, I can't do localhost. Via the Server's IP it also does not work (even when setting it as hostname on keycloak).

That's what I mean ... Am I the only person wanting to install and configure the Keycloak server on a machine I have no physical access to? Really have the feeling of missing something very simple here...

gilles.etc...@gmail.com

Nov 14, 2022, 8:03:17 AM
to Keycloak User
Sorry, I misunderstood your needs (and missed your test with proxy=edge)

We are moving from a legacy to a KC X distribution and will soon have to deploy on an OpenShift cluster.
==> I will be able to test the proxy settings on the X version and maybe will be able to give you our configuration

gilles.etc...@gmail.com

Nov 14, 2022, 8:52:01 AM
to Keycloak User
Just in case: as you start in dev mode ("start-dev"), and this mode sets hostname-strict=false, can you try to remove the --hostname=keycloak.mydomain.com ?


Run Keycloak via docker:

    docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.1 start-dev --proxy edge

gilles.etc...@gmail.com

Nov 14, 2022, 8:57:04 AM
to Keycloak User
or... :
1 - keep the hostname
2 - but use "start" instead of "start-dev"

gilles.etc...@gmail.com

Nov 14, 2022, 9:05:42 AM
to Keycloak User
And the nginx must be configured to set some headers for your KC server (which we used with the legacy version of KC): see https://stackoverflow.com/questions/44624844/configure-reverse-proxy-for-keycloak-docker-with-custom-base-url

In particular, the header "Host" is used in order to generate some URLs

gilles.etc...@gmail.com

Nov 14, 2022, 10:27:45 AM
to Keycloak User
I have found my old compose file to emulate and test the proxy configuration on a local docker.

I managed to make the proxy conf work on a "start" deployment, with the following config:
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=false

The files used are attached and the instance can be launched with:
 docker compose -f docker-compose.testPort-testX.yml up -d


localhost:8082 => goes through the nginx instance
localhost:9080 => direct access

And you can access the admin console

test-conf.zip

RG

Nov 14, 2022, 4:34:53 PM
to Keycloak User

Thanks again, Gilles! 

I did run the docker command as you suggested; leaving the --hostname param in or not did not make a difference. BUT your hint regarding the headers in the nginx reverse proxy seemed like a good guess, so I tried your config in nginx (thanks so much for the files!) and... finally, it works!

After some fiddling around, these apparently are the minimum headers the nginx proxy needs to hand over to Keycloak:

    location / {
        proxy_pass http://0.0.0.0:8080;

        proxy_set_header    X-Forwarded-Host   $host;
        proxy_set_header    X-Forwarded-Port   $server_port;
        proxy_set_header    X-Forwarded-Proto  $scheme;
    }

I can now navigate to the admin console as intended, login works as well.
You really made my day, thanks a lot for your time and all the hints!

RG

Nov 14, 2022, 5:02:58 PM
to Keycloak User
Now that everything works I re-read the docs and found the necessary info there too. I had seen this page before but did not read it thoroughly enough:

https://www.keycloak.org/server/reverseproxy

It clearly says:
  • Set the X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host HTTP headers

... Take extra precautions to ensure that the X-Forwarded-For header is set by your reverse proxy

So I did set this one too. Thanks again for your help!
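Added example, not part of the thread or of Keycloak: a small check that reads an nginx location block and reports which of the headers named in the quoted documentation are missing, or are built from a value the client sent. The function name `audit_location` and the three sample blocks are constructed for illustration, and the check assumes nginx is the first hop that clients reach.

```python
import re

# Headers the Keycloak reverse-proxy guide (quoted in the thread) asks the proxy to set.
REQUIRED = ("X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host")
# nginx variables that copy or extend a request header, so the client influences the value.
CLIENT_CONTROLLED = re.compile(r"\$proxy_add_x_forwarded_for|\$http_x_forwarded_\w+")
DIRECTIVE = re.compile(r"^\s*proxy_set_header\s+(\S+)\s+(.+?)\s*;", re.MULTILINE)


def audit_location(conf: str) -> list[str]:
    """Return findings for one nginx location block that proxies to Keycloak."""
    # Strip comments so a commented-out directive is not counted as set.
    conf = re.sub(r"#.*", "", conf)
    headers = {name.lower(): value for name, value in DIRECTIVE.findall(conf)}
    findings = []
    for name in REQUIRED:
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif CLIENT_CONTROLLED.search(value):
            findings.append(f"client-controlled: {name} = {value}")
    return findings


# Constructed input 1: the location block as posted in the thread.
THREAD_CONF = """
location / {
    proxy_pass http://0.0.0.0:8080;
    proxy_set_header    X-Forwarded-Host   $host;
    proxy_set_header    X-Forwarded-Port   $server_port;
    proxy_set_header    X-Forwarded-Proto  $scheme;
}
"""

# Constructed input 2: the same block with X-Forwarded-For overwritten by nginx itself.
FIXED_CONF = THREAD_CONF.replace(
    "}", "    proxy_set_header    X-Forwarded-For    $remote_addr;\n}")

# Constructed input 3: appends nginx's view to whatever X-Forwarded-For the client sent.
APPEND_CONF = FIXED_CONF.replace("$remote_addr", "$proxy_add_x_forwarded_for")

if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF),
                        ("append", APPEND_CONF)):
        print(label, audit_location(conf) or "ok")
```

When another trusted proxy sits in front of nginx, appending with `$proxy_add_x_forwarded_for` is the expected setting and the second finding does not apply.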
