KeyCloak can not open Admin-Web-UI with the new V2 Runtime | Railway | Page 1

clever kelp Jun 22, 2024, 8:14 AM

#

Hello everyone,

When I updated the runtime of my KeyCloak instance to the new Runtime V2, I noticed that I could no longer access the Admin Web UI. It gets stuck at the loading circle "Loading the Admin UI". I didn't notice anything suspicious in the KeyCloak logs.

In the network console you can see that a call is leading to a 403.
(I don't know how this could be related to the runtime)

The user management UI doesn't work either (where users can manage their own information)

I get a message saying "failed to initialize keycloak"

(You can also see the 403 here in the network console)

My Dockerfile uses the same multi-run logic as here:

https://github.com/leonardochappuis/keycloak-docker/blob/master/Dockerfile

I hope someone knows what the cause is, because in the future
the V2 runtime is set.

Thanks in advance for your time

serene raptorBOT Jun 22, 2024, 8:14 AM

#

Project ID: f751037a-ba7a-42ab-8a24-90e99fcd12d3

clever kelp Jun 22, 2024, 8:15 AM

#

f751037a-ba7a-42ab-8a24-90e99fcd12d3

clever kelp Jun 22, 2024, 12:58 PM

#

I have now updated KeyCloak to the latest version, namely version 25.0.1.

Now I get a different error message:
"HTTPS required"
The logs say:
error="ssl_required"

This error only appears in the V2 runtime.
Has anything changed regarding SSL processing in the V2 runtime?

vestal yarrow Jun 22, 2024, 1:36 PM

#

interesting, I will look into it later today

clever kelp Jun 22, 2024, 2:12 PM

#

clever kelp I have now updated KeyCloak to the latest version, namely version 25.0.1. Now I...

To clarify this :
I get the error described here (ssl_required)
when I open the standard login form for end users.
Basically, you can say that various things do not work under the V2 runtime, even with different KeyCloak versions.

clever kelp Jun 23, 2024, 8:05 AM

#

The new edge Proxy-Feature also did not make a difference

clever kelp Jun 23, 2024, 8:26 AM

#

i think, i found the solution. I will test it a little more and post it than here

clever kelp Jun 23, 2024, 8:42 AM

#

OK, I've now made a small step forward:
If I set the KeyCloak parameter "Proxy Headers" to "forwarded" and no longer to "xforwarded" then at least the login page is displayed correctly again.
The login still doesn't work and I can't access the admin UI either.

Does the new runtime use new proxy headers?

clever kelp Jun 23, 2024, 10:08 AM

#

Another new finding:
When redirecting from KeyCloak to my application,
the KeyCloak server is specified in the "iss" parameter in the URL.
The legacy runtime uses https.
The V2 runtime uses http.
This reinforces my suspicion that
the behavior regarding the forward headers has changed

vestal yarrow Jun 23, 2024, 1:47 PM

#

the runtime and the edge proxy are separate systems, the runtime would have nothing to do with headers

clever kelp Jun 23, 2024, 3:02 PM

#

OK, then the behavior surprises me even more.
I'll try to get the Caddy proxy to log the incoming HTTP headers to check
whether the forwarded headers change in any way

vestal yarrow Jun 23, 2024, 3:04 PM

#

there is no longer a need for the caddy proxy, can you please try deploying this pr
https://github.com/leonardochappuis/keycloak-docker/pull/3

clever kelp Jun 23, 2024, 3:05 PM

#

vestal yarrow there is no longer a need for the caddy proxy, can you please try deploying this...

Nice, i will give it a try and post the results here

vestal yarrow Jun 23, 2024, 3:07 PM

#

for what it's worth, I was able to reproduce the issue you described with a fresh template deploy, but I got it to work and was able to login after making the changes that I submitted in that PR

clever kelp Jun 23, 2024, 3:09 PM

#

That's good to hear (:
I'm curious what causes these errors in the new runtime, but it's not worth going into the analysis if the PR fixes the problem

vestal yarrow Jun 23, 2024, 3:13 PM

#

not sure the runtime is at fault here, we can't jump to such conclusions

#

jumping to conclusions like that has bit me in the past

clever kelp Jun 23, 2024, 3:50 PM

#

It works now! Thanks for your support Brody!
Bought you some coffees ☕

vestal yarrow Jun 23, 2024, 4:02 PM

#

thank you very much! I appreciate that

clever kelp Jun 23, 2024, 4:09 PM

#

how can i mark your answer as the solution?

uncut hearthBOT Jun 23, 2024, 4:11 PM

#

Thank you for marking this question as solved!

Learn more

https://answeroverflow.com

vestal yarrow Jun 23, 2024, 4:11 PM

#

only mods/admins can

clever kelp Jun 23, 2024, 4:11 PM

#

ahh, that explains it (:

vestal yarrow Jun 24, 2024, 3:13 AM

#

update, my pr was merged and the template was updated!

marsh violet Oct 12, 2024, 8:26 PM

#

Hello. I did not understand what was I supposed to do but just deployed this app I am not able to display the login page for some reason. It just tries to open and then giving this screen:

#

#

#

What is the problem you think? Thank you in advance!

vestal yarrow Oct 12, 2024, 9:29 PM

#

change KC_HOSTNAME="${{RAILWAY_PUBLIC_DOMAIN}}" to KC_HOSTNAME="https://${{RAILWAY_PUBLIC_DOMAIN}}"

#

@clever kelp - can you update this on the template for future users?

marsh violet Oct 12, 2024, 10:18 PM

#

Thank you!

clever kelp Oct 17, 2024, 12:11 PM

#

Hello Brody,
I have created a pull request here, which should hopefully make the template useable again.
https://github.com/leonardochappuis/keycloak-docker/pull/5
In the future it would probably be good if someone updated the template who also uses the template itself.

#

I have added a new parameter “KC_PROXY_HEADERS” to the pull request.
Does it have to be included here in the line so that it works:https://github.com/leonardochappuis/keycloak-docker/blob/master/Dockerfile#L3 ?

#KeyCloak can not open Admin-Web-UI with the new V2 Runtime