Is there a way to use http basic auth in front of the admin panel?

Is there a way to use http basic authentication to control access to /admin/? I have a limitation on my proxy and this would probably be the most desirable workaround for me.

No, this is not possible. Additionally, this would be the least secure way of doing authentication. And Keycloak is about doing secure and proper authentication.

If your proxy only supports outdated and least secure ways of accessing resources, think about exchanging your infrastructure.

In this case, the purpose of HTTP auth is not authentication. Properly implemented, it prevents loading any resources before the authentication, so if a vulnerability is discovered in the Keycloak admin interface that does not require Keycloak user credentials, the interface could not be accessed without getting through HTTP auth.

I agree that you can reduce the attack surface for complex software such as Keycloak by putting less complex software in front of it.

But Keycloak itself implements basic auth and you can indeed use it for the admin console, only that there are more secure protocols for that, although more complex.

So, you could in theory put an Apache server doing HTTP basic auth in front of Keycloak. But, in theory you could also put a lighttpd doing the same in front of the Apache in front of Keycloak.

My point is: if you are concerned by exposing the admin API on the internet, you should probably just keep it closed behind a firewall.

If you cannot do that you can put a reverse proxy in front of it (see the reverse proxy guide) and protect the /admin path with basic auth.

It’s true that a client can do BasicAuth with Keycloak.

But how did you achieve BasicAuth for the Admin UI? I never got this working and also, AFAIK, this isn’t intended to work due to security reasons. Additionally, from my investigations, as the Admin UI uses the Admin REST API, this needs a bearer token. I didn’t find information about how the Admin REST API works with BasicAuth.
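
The gate discussed in this thread, as an added example that is not part of any post and is not Keycloak's or any proxy's own code: a WSGI middleware that answers 401 for paths under /admin before the upstream application runs. The credentials, the upstream stand-in and the request paths are constructed; the bearer-token case shows that such a request does not pass a gate expecting the Basic scheme, because a request carries one Authorization header.

```python
import base64
import hmac

# Constructed credentials for the example; a real proxy reads these from a secret store.
GATE_USER, GATE_PASSWORD = "gate", "constructed-example-secret"
PROTECTED_PREFIX = "/admin"


def basic_auth_ok(header):
    """True only for a well-formed Basic header whose fields match in constant time."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, sep, password = decoded.partition(":")
    user_ok = hmac.compare_digest(user.encode(), GATE_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), GATE_PASSWORD.encode())
    return bool(sep) and user_ok and pass_ok


def gate(app):
    """WSGI middleware: answer 401 for the protected prefix before the upstream app runs."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        protected = path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")
        if protected and not basic_auth_ok(environ.get("HTTP_AUTHORIZATION")):
            headers = [("WWW-Authenticate", 'Basic realm="admin gate"'), ("Content-Length", "0")]
            start_response("401 Unauthorized", headers)
            return [b""]
        return app(environ, start_response)
    return wrapped


def upstream(environ, start_response):  # stand-in for the proxied application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"upstream reached"]


def status_for(path, authorization=None):
    """Send one constructed request through the gate and return the status line."""
    seen = []
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    gate(upstream)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Paths are matched as received here; a deployed proxy also has to normalise the path before deciding whether it falls under the protected prefix.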