KC 21.0.1 containerized behind API Gateway: issue on admin login

Hello,

I tried to find a solution myself in this forum and in the official documentation, but I am starting to be fed up because I haven't found one 🙁 after 2 days of research and testing.

So here is the deal: I have an API gateway that is the central element of my system. I want all client applications to pass through my API Gateway (for security purposes), so I am trying to configure my KC and my Gateway together. Note that my KC is containerized.

  • I exposed my KC through an FQDN and configured my container env vars so that I can reach my KC at: http://myKeycloak.fr/keycloak/ (the proxy mode is passthrough)

  • My API Gateway can be reached by its IP address: http://10.0.0.1:8080
    (Note: port 8080 is mandatory because I have a listener on this port 8080 with a policy that redirects to the KC's FQDN: I add these headers: X-Forwarded-For = clientIpAdress + X-Forwarded-Host = 10.0.0.1 + X-Forwarded-Port = 8080 + X-Forwarded-Proto = http, and then connect to the KC FQDN)

  • I created a new realm called myRealm with the following:

      • root url = http://10.0.0.1:8080/keycloak

      • valid redirect URIs = http://10.0.0.1:8080/keycloak/realms/myRealm/*

So when I reach my KC with a web browser through my API Gateway, I can access the web interface (no errors): http://10.0.0.1:8080/keycloak/realms/myRealm/account#/

Then I click on the Sign In button at the top right and it's fine, without any error.

Here comes the issue: I type my login and password and I get a beautiful 404 Not Found error!

When I look at my API Gateway logs, I can see my POST request /keycloak/realms/myRealm/login-actions/authenticate with a KC response 302 and Location parameter: http://10.0.0.1:8080/keycloak/realms/myRealm/account#/&state=abc&session_state=def&code=xyz

And then I can immediately see, in the same flow, a new request from my API Gateway to my host API server 10.0.0.1 (I imagine that this request is caused by the previous Location?), like: POST /keycloak/realms/myRealm/account#/&state=abc&session_state=def&code=xyz

So my Gateway catches this 2nd request and calls my policy again for this new POST request, but this time only the X-Forwarded-For changed, because the client is now 10.0.0.1, and the response of KC is: 404 Not Found!

Update: If I do the same test on the MASTER realm, I get a 405 Not Allowed.

What am I doing wrong?

Please help 🙁
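
Added example, not part of the original post: a Python check that compares the follow-up request quoted from the gateway log with the request a browser would send after that 302, using general HTTP redirect behaviour (in practice a browser follows a 302 with GET and never sends the `#` fragment to the server). The function names are illustrative, and the constants are the values quoted in the post.

```python
from urllib.parse import parse_qsl, urlsplit

# Values copied from the gateway log lines quoted in the post.
LOCATION = ("http://10.0.0.1:8080/keycloak/realms/myRealm/account"
            "#/&state=abc&session_state=def&code=xyz")
OBSERVED_METHOD = "POST"
OBSERVED_TARGET = ("/keycloak/realms/myRealm/account"
                   "#/&state=abc&session_state=def&code=xyz")


def browser_follow_up(location):
    """(method, host, request target) a browser sends after a 302 to `location`."""
    parts = urlsplit(location)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # In practice browsers switch POST to GET on a 302; the fragment stays client-side.
    return "GET", parts.netloc, target


def fragment_params(location):
    """Parameters carried in the fragment, meant for client-side script only."""
    return dict(parse_qsl(urlsplit(location).fragment))


def compare(location, observed_method, observed_target):
    """List the ways an observed follow-up request differs from a browser's."""
    method, _host, target = browser_follow_up(location)
    findings = []
    if observed_method != method:
        findings.append(f"method {observed_method} instead of {method}")
    if "#" in observed_target:
        findings.append("fragment sent as part of the request target")
    if observed_target.split("#", 1)[0] != target:
        findings.append("path differs from the Location path")
    leaked = sorted(k for k in fragment_params(location) if f"{k}=" in observed_target)
    if leaked:
        findings.append("fragment parameters in server-side request: " + ", ".join(leaked))
    return findings


if __name__ == "__main__":
    print("browser would send:", browser_follow_up(LOCATION))
    for finding in compare(LOCATION, OBSERVED_METHOD, OBSERVED_TARGET):
        print("observed request:", finding)
```

The last finding matters for log hygiene: when the fragment is replayed as a request target, the `code` and `state` values end up in gateway access logs.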