Reputation: 43
I have found a strange behavior in Keycloak when deployed in Kubernetes, that I can't wrap my head around.
Use-case:
(manage account dialog screenshot)
I have compared how the (same) image (quay.io/keycloak/keycloak:17.0.0) behaves if it runs on Docker or in Kubernetes (K3S).
If I run it from Docker, the account console loads. In other words, I get a success (204) for the request
GET /realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=account-console
From the same image deployed in Kubernetes, the same request fails with error 403. However, on this same application, I get a success (204) for the request
GET /realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console
Since I can call security-admin-console, this does not look like an issue with the Kubernetes Ingress gateway nor with anything related to routing.
I then thought about a Keycloak access-control configuration issue, but in both cases I use the default image without any change. I cross-checked to be sure, and it appears that the admin user and the account-console client are configured in exactly the same way in both the Docker and K8s applications.
I have no more ideas about what the problem could be; do you have any suggestions?
Upvotes: 4
Views: 3923
Reputation: 46
I had the same issue, and solved it by adding the correct origin to the account-console client in the Keycloak UI: Clients -> account-console -> Web origins
Upvotes: 1
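The same change done against the Keycloak Admin REST API instead of the UI, followed by a replay of the iframe request that was failing, so you can see the 403 turn into a 204. This is an added example, not code from the answer above or from the Keycloak project. It assumes illustrative names: KEYCLOAK_URL (base URL; add /auth for the legacy WildFly image), KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD (an admin of the master realm) and ORIGIN (the origin the browser loads the console from, e.g. https://kc.example.com).

```python
"""Add the browser's origin to the account-console client's Web Origins, then
re-run the login-status iframe 'init' request to confirm it now returns 204.

Added example (not from the answer, not Keycloak's own code). Assumed env vars:
  KEYCLOAK_URL              e.g. https://kc.example.com (add /auth on the legacy image)
  KEYCLOAK_ADMIN/_PASSWORD  an admin user of the master realm
  ORIGIN                    origin the console runs from, e.g. https://kc.example.com
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

REALM = "master"
CLIENT_ID = "account-console"


def add_web_origin(client_rep: dict, origin: str) -> dict:
    """Return a copy of a client representation with `origin` in webOrigins.

    Idempotent: nothing is added if the origin is already listed or if "*"
    (Keycloak's allow-any-origin value) is present. The input is not mutated.
    """
    rep = dict(client_rep)
    origins = list(rep.get("webOrigins") or [])
    if origin not in origins and "*" not in origins:
        origins.append(origin)
    rep["webOrigins"] = origins
    return rep


def _json_request(method, url, headers=None, body=None, form=None):
    """Small urllib wrapper; returns (HTTP status, parsed JSON body or None)."""
    headers = dict(headers or {})
    data = None
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def admin_token(base, user, password):
    """Password grant against admin-cli, the client the Admin CLI itself uses."""
    _, tok = _json_request("POST", f"{base}/realms/master/protocol/openid-connect/token",
                           form={"grant_type": "password", "client_id": "admin-cli",
                                 "username": user, "password": password})
    return tok["access_token"]


def probe_iframe_init(base, realm, client_id, origin):
    """Replay the request the console's login-status iframe makes (keycloak.js
    appends the page origin as `origin=`). 204 means the origin is accepted
    for the client, 403 means it is not."""
    qs = urllib.parse.urlencode({"client_id": client_id, "origin": origin})
    url = f"{base}/realms/{realm}/protocol/openid-connect/login-status-iframe.html/init?{qs}"
    try:
        status, _ = _json_request("GET", url, headers={"Origin": origin})
        return status
    except urllib.error.HTTPError as e:
        return e.code


def main():
    base = os.environ["KEYCLOAK_URL"].rstrip("/")
    origin = os.environ["ORIGIN"]
    auth = {"Authorization": "Bearer " + admin_token(
        base, os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])}

    print("before:", probe_iframe_init(base, REALM, CLIENT_ID, origin))

    qs = urllib.parse.urlencode({"clientId": CLIENT_ID})
    _, clients = _json_request("GET", f"{base}/admin/realms/{REALM}/clients?{qs}", headers=auth)
    client = clients[0]  # lookup by clientId yields a one-element list
    updated = add_web_origin(client, origin)
    if updated["webOrigins"] != (client.get("webOrigins") or []):
        status, _ = _json_request("PUT", f"{base}/admin/realms/{REALM}/clients/{client['id']}",
                                  headers=auth, body=updated)
        print("webOrigins now", updated["webOrigins"], "(HTTP", status, "expected 204)")

    print("after:", probe_iframe_init(base, REALM, CLIENT_ID, origin))


if __name__ == "__main__":
    main()
```

Keep the added origin exact (scheme, host and, if non-default, port), since Keycloak compares origins as strings; a wildcard "*" also works but opens the iframe check to every site and is not what you want on a production realm.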
Reputation: 820
I had a similar issue and was using Nginx as a proxy for HTTPS.
The admin web console got stuck with a 403 loading:
/realms/master/protocol/openid-connect/login-status-iframe.html/init
I fixed it by adding these Nginx lines to the Keycloak location configuration.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
Upvotes: 0
Reputation: 97
I was able to resolve the issue with the following environment variables; my Keycloak version is 23.0.4:
- name: KC_HOSTNAME
value: subdomain.domain.com
- name: KC_HOSTNAME_ADMIN_URL
value: https://subdomain.domain-name.com/
- name: KC_HTTP_ENABLED
value: 'false'
- name: KC_HOSTNAME_STRICT
value: 'true'
- name: KC_HOSTNAME_STRICT_HTTPS
value: 'true'
- name: KC_PROXY
value: edge
Upvotes: 1
Reputation: 1284
So we found that it was the nginx ingress controller causing a lot of issues. While we were able to get it working with nginx via X-Forwarded-Proto etc., it was a bit complicated and convoluted. Moving to haproxy instead resolved this problem. As well, make sure you are interfacing with the ingress controller over https, or that may cause issues with keycloak.
annotations:
kubernetes.io/ingress.class: haproxy
...
Upvotes: 0
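What the three proxy-related answers above (the Nginx X-Forwarded-* headers, the KC_PROXY=edge / KC_HOSTNAME environment, and talking https to the ingress) have in common can be shown with a small model of the check behind the 403. This is an added example written for this page and is not Keycloak's code: it assumes that Keycloak derives the origin it considers its own from the scheme and host of the request it receives (honouring X-Forwarded-Proto / X-Forwarded-Host only when KC_PROXY=edge, and using KC_HOSTNAME and KC_HOSTNAME_STRICT_HTTPS when set), and that the iframe `init` request succeeds only if the origin the browser sends is either in the client's Web Origins or equals that self-origin. Header sets and host names are constructed; the "+" web-origin value is not modelled.

```python
"""Simplified model of the login-status iframe 'init' check behind a TLS-terminating
proxy. Added example; not Keycloak's code. Assumptions: the self-origin is derived
from the received request (X-Forwarded-* trusted only with KC_PROXY=edge; KC_HOSTNAME
and KC_HOSTNAME_STRICT_HTTPS override host/scheme), and the browser origin must match
the client's webOrigins or that self-origin. All header sets below are constructed.
"""


def frontend_origin(conn_scheme: str, headers: dict, proxy_mode: str = "none",
                    hostname: str = "", strict_https: bool = False) -> str:
    """Origin Keycloak treats as its own, as scheme://host[:port].

    conn_scheme  scheme of the connection Keycloak itself terminated ("http" behind an
                 ingress that ends TLS and forwards plain HTTP)
    proxy_mode   "edge" -> trust X-Forwarded-* (KC_PROXY=edge); "none" -> ignore them
    hostname     KC_HOSTNAME; if set, replaces the host taken from the request
    strict_https KC_HOSTNAME_STRICT_HTTPS; forces https regardless of the request
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = conn_scheme, h.get("host", "")
    if proxy_mode == "edge":
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
    if hostname:
        host = hostname
    if strict_https:
        scheme = "https"
    return f"{scheme}://{host}"


def init_status(browser_origin: str, client_web_origins: list, self_origin: str) -> int:
    """204 if the browser's origin is allowed for the client, 403 otherwise."""
    allowed = set(client_web_origins) | {self_origin}
    return 204 if ("*" in allowed or browser_origin in allowed) else 403


def scenarios() -> dict:
    """Constructed cases mirroring the question and the answers. Returns {name: status}."""
    browser = "https://kc.example.com"          # origin the account console is loaded from
    no_fwd = {"Host": "kc.example.com"}         # ingress ends TLS, forwards no X-Forwarded-*
    fwd = {"Host": "kc.example.com",
           "X-Forwarded-Proto": "https", "X-Forwarded-Host": "kc.example.com"}
    return {
        "docker, browser talks http directly":
            init_status("http://localhost:8080", [],
                        frontend_origin("http", {"Host": "localhost:8080"})),
        "k8s, TLS ends at ingress, no forwarded headers":
            init_status(browser, [], frontend_origin("http", no_fwd)),
        "k8s, nginx adds X-Forwarded-*, KC_PROXY unset":
            init_status(browser, [], frontend_origin("http", fwd)),
        "k8s, nginx adds X-Forwarded-*, KC_PROXY=edge":
            init_status(browser, [], frontend_origin("http", fwd, proxy_mode="edge")),
        "k8s, KC_HOSTNAME + strict https, no forwarded headers":
            init_status(browser, [], frontend_origin("http", no_fwd, hostname="kc.example.com",
                                                     strict_https=True)),
        "k8s, explicit Web Origin on the client instead":
            init_status(browser, [browser], frontend_origin("http", no_fwd)),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status}  {name}")
```

In this model the Docker case passes because browser and server agree on http://localhost:8080, while behind an ingress that terminates TLS the browser says https://kc.example.com and Keycloak, seeing plain HTTP and no trusted forwarded headers, says http://kc.example.com. Forwarding the headers alone is not enough if KC_PROXY is unset; either make Keycloak trust them (KC_PROXY=edge), pin the hostname and scheme (KC_HOSTNAME, KC_HOSTNAME_STRICT_HTTPS), or add the browser origin to the client explicitly.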
Reputation: 100
Try setting ssl_required = NONE in the realm table of the Keycloak database for your realm (master).
Upvotes: 1