@DGuhr Updated the guide.

@pedroigor sorry, forgot to mention the proxy guide. when none is not available anymore, we should remove it from the available modes here: https://www.keycloak.org/server/reverseproxy

@pedroigor think i spotted a bug, iirc the behaviour was different before:

scenario: run start-dev with https. want to access admin login after creating initial admin user.

0. create host entry for id.keycloak.test in local HOSTS
1. run ./kc.sh start-dev --hostname=id.keycloak.test --https-certificate-file=../conf/id.keycloak.test.pem --https-certificate-key-file=../conf/id.keycloak.test-key.pem --https-port=8555
2. access welcomepage using https://localhost:8555, create initial admin user
3. click on "Administration console" link

outcome: invalid redirect_uri, see screenshot. also it now opens with id.keycloak.test instead of localhost.

expected behaviour: login page for master realm opens with uri localhost:8555, as hostname-strict and hostname-strict-https are false in devmode and login is called from internal link.

Would be nice if we could check these also using automated tests (like assertAdminPage in the old testsuite), e.g. https://www.testcontainers.org/modules/webdriver_containers/ or using RestAssured.

@DGuhr Not really a bug because the client is not configured to allow that redirect URI. Try accessing using the hostname and it should work.

@pedroigor uh yes, absolutely right, my apologies. So then LGTM here :)

Not 100% sure we would not need a hostname-http-port and hostname-https-port, but if so could be done in another iteration i guess.

Please also update "Relevant options":

None is still an option

I'm having troubles having the admin GUI behind a proxy since 17.0.1. I'm not sure if it would be caused by this issue and if it is an issue or a feature.
The details for my scenario / investigations so far are described at discourse:
https://keycloak.discourse.group/t/keycloak-17-0-1-admin-console-on-edge-mode/14584

Should I be configuring something differently now?

@pedroigor I was using the hostname-admin to expose the admin console to our development team using cloudflared tunnel on a separate subdomain with the frontend endpoints behind a proxy with hostname-strict=true.

What is the recommended migration for this scenario?

edit: changing hostname-strict=false still gives a invalid_redirect_uri error
only header added by our admin tunnel is the Host header

@AllexVeldman Now the admin URLs are solely based on the request info. That also means obtaining the info from the HTTP headers forwarded by your proxy.

@pedroigor The redirect_url is correctly built, it's the request for the login form that does not accept the redirect_uri:

2022-04-26 11:32:58,360 WARN  [org.keycloak.events] (executor-thread-0) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=<ip>, error=invalid_redirect_uri, redirect_uri=https://subA.domain.com/auth/admin/master/console/

with keycloak.conf

hostname=subB.domain.com
hostname-admin=subA.domain.com
hostname-strict=false
hostname-strict-backchannel=false
http-relative-path=/auth

So my flow is

• https://subA.domain.com/auth/admin (admin endpoint)
• redirects to https://subA.domain.com/auth/admin/master/console/
• requests (frontend endpoint) https://subB.domain.com/auth/realms/master/protocol/openid-connect/auth?...redirect_uri=https%3A%2F%subA.domain.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F

I got it to work by setting the frontendUrl of the master domain as suggested in https://keycloak.discourse.group/t/frontendurl-and-adminurl-how-to-restrict-admin-console-to-internal-ip-only/2655

+1. It should also be possible to register the https://subA.domain.com/auth/admin/master/console/ as a valid redirect URI for the security-admin-console client.