Keycloak on AWS ECS with AWS Application Load Balancer and a custom domain

Hi, I’ve been banging my head against my desk for a few days on this issue and I’m not quite sure what to do now.

I created a custom Keycloak image with the following Dockerfile

# Build-time options are baked into the image here so "start" does not need to rebuild
FROM quay.io/keycloak/keycloak:latest as builder

ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
ENV KC_DB=postgres
RUN /opt/keycloak/bin/kc.sh build

WORKDIR /opt/keycloak
# Runtime options (proxy, hostname, DB connection) come from environment variables at start
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

I then deployed it to ECS with the following environment variables

KC_PROXY: "edge",
KC_HOSTNAME: "customdomain",
KC_HOSTNAME_STRICT: "false",
KC_HOSTNAME_STRICT_BACKCHANNEL: "true",
KC_LOG_LEVEL: "DEBUG",
KEYCLOAK_ADMIN: "admin",
KEYCLOAK_ADMIN_PASSWORD: "Nunya",
KC_DB_URL_HOST: "Nunya",
KC_DB_URL_PORT: "Nunya",
KC_DB_USERNAME: "Nunya",
KC_DB_PASSWORD: "Nunya",
DB_NAME: "Nunya",

I then mapped a Route53 domain to it with local.domain.com. When I access local.domain.com, the welcome page loads. When I go to customdomain/realms/master/.well-known/openid-configuration, all the URLs look perfect.

Here’s where the issue happens:

  • When I click on the “Administration Console” link on the welcome page, I get routed to 0.0.0.0/admin/
  • If I go to customdomain/admin, I get routed to 0.0.0.0/admin/master/console/.
  • If I go to customdomain/admin/master/console/, I get routed to Keycloak with an "Invalid parameter: redirect_uri" error
  • I can get the login page by setting the redirect_uri query parameter to 0.0.0.0, but of course when I log in, it again goes to 0.0.0.0

I don’t know what to do, I have just been living in trial and error mode for a few days. Help would be much appreciated.

I would try to play with the http-host config (All configuration - Keycloak).

Hey @fwhenin, did you ever get to the bottom of this configuration issue? I’m going onto day two of trying to run Keycloak in an EKS cluster behind an Amazon application load balancer and I think I need similar configuration to what you were looking for in this post.

Sorted out my issue - turned out to be a known issue with the codecentric/keycloakx helm chart. I think after the issue is resolved I’ll be able to migrate some of the variables set in the command field back into easier to manage locations of the helm chart but for now they need to be included there to be set as intended.

For perpetuity the config I ended up using deviated from the codecentric/keycloakx postgres example in the following ways.

# Optionally override the fully qualified name
fullnameOverride: "keycloak"
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--hostname=https://custom.uri.com/auth"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"
ingress:
  # If `true`, an Ingress is created
  enabled: true
  # The name of the Ingress Class associated with this ingress
  ingressClassName: "alb"
  # The Service port targeted by the Ingress
  servicePort: http
  # Ingress annotations
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:aws-region-0:111111111111:certificate/abc-123-4d56-e7fg-8hi9-0-12jkl345m67n, arn:aws:acm:ca-central-1:111111111111:certificate/abc-123-4d56-e7fg-8hi9-0-12jkl345m67n, arn:aws:acm:ca-central-1:111111111111:certificate/abc-123-4d56-e7fg-8hi9-0-12jkl345m67n
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=180
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/subnets: subnet-abcd1234,subnet-abcd1234,subnet-abcd1234
    alb.ingress.kubernetes.io/success-codes: 200-399
    alb.ingress.kubernetes.io/tags: UniqueKey=uniqueValue
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb

  # Additional Ingress labels
  labels: {}
  # List of rules for the Ingress
  rules:
    -
      # Ingress host
      host: custom.uri.com
      # Paths for the host
      paths:
        # - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/'
        - path: '/auth/'
          pathType: Prefix
  # TLS configuration
  tls:
    - hosts:
        - custom.uri.com
  • replace custom.uri with your URI
  • replace the certificate ARNs with your own (you probably will have fewer than my example)
    • replace aws-region-0 with the region
    • replace 111111111111 with the account number
    • replace abc-123-4d56-e7fg-8hi9-0-12jkl345m67n with the correct identity of the Amazon Certificate Manager certificate to use
  • replace subnet-abcd1234 with the subnets you’d like the ALB to route to
  • optionally replace UniqueKey=uniqueValue with key value pairs you’d like included on the ALB

Hopefully this saves someone time in the future.
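A quick way to confirm the fix took effect, for both the symptoms in the original post (endpoints and admin redirects rewritten to 0.0.0.0) and the final --hostname=https://custom.uri.com/auth config above: check that every URL Keycloak advertises in its discovery document, and every Location header it sends, stays on the public https origin and under the relative path. This is an added example, not code from the thread or from Keycloak; the discovery documents and redirect URLs are constructed samples, and PUBLIC_BASE mirrors the --hostname value from the helm config.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Public base URL given to Keycloak via --hostname (value from the thread's final config).
PUBLIC_BASE = "https://custom.uri.com/auth"

# Constructed sample of the failure mode described in the original post: endpoints
# rewritten to 0.0.0.0 and plain http because the public hostname was not applied.
BROKEN_DISCOVERY = {
    "issuer": "https://custom.uri.com/auth/realms/master",
    "authorization_endpoint": "http://0.0.0.0/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://0.0.0.0/auth/realms/master/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile"],
}
# Constructed sample of what a correctly configured instance should advertise.
GOOD_DISCOVERY = {
    "issuer": "https://custom.uri.com/auth/realms/master",
    "authorization_endpoint": "https://custom.uri.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://custom.uri.com/auth/realms/master/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile"],
}


def url_problem(url: str, public_base: str) -> Optional[str]:
    """Return why `url` does not live under the public base, or None if it does."""
    want, got = urlsplit(public_base), urlsplit(url)
    if got.scheme != "https":
        return f"scheme is {got.scheme!r}, expected https (TLS terminates at the ALB, proxy=edge)"
    if got.netloc != want.netloc:
        return f"host is {got.netloc!r}, expected {want.netloc!r} (hostname not applied)"
    if not got.path.startswith(want.path.rstrip("/") + "/"):
        return f"path {got.path!r} is outside the relative path {want.path!r}"
    return None


def check_discovery(doc: dict, public_base: str = PUBLIC_BASE) -> Dict[str, str]:
    """Map each URL-valued discovery field that is wrong to a description of the problem."""
    problems = {}
    for field, value in doc.items():
        if isinstance(value, str) and "://" in value:  # skip lists such as scopes_supported
            problem = url_problem(value, public_base)
            if problem:
                problems[field] = problem
    return problems


def check_redirect(location: str, public_base: str = PUBLIC_BASE) -> Optional[str]:
    """Validate a Location header (e.g. from GET /auth/admin/), which must stay on the public base."""
    return url_problem(location, public_base)
```

Run the checks against the live /realms/master/.well-known/openid-configuration document and the Location header of GET /admin/ after each config change; an empty result means the ALB-facing hostname is being applied consistently.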