Scim plugin behind reverse proxy that strips a path prefix makes the scim console unaccessible #102
Comments
Hi, which version did you install exactly? This happens normally under two different conditions:
The error in the comparison is normally the protocol that it is http instead of https or vice versa.
Thanks for the fast reply.
Plugin version: scim-for-keycloak-kc-23-1.5.0-RC1-enterprise.jar
Env-vars in the container:
Keycloak startup message:
When navigating the link, the error message is:
The was used instead url is exactly the one I would expect. The landing page links to With /Hartmut
I see what the problem is. I will check later again in the source code if I can fix this without workarounds. Until then I would recommend that you simply adjust the keycloak relative path: KC_RELATIVE_PATH=/login

The context-path is read using the hostname-provider from keycloak itself:

```java
// Context path is taken from Keycloak's own HostnameProvider, not read from configuration manually
HostnameProvider hostnameProvider = keycloakSession.getProvider(HostnameProvider.class);
String contextPath = hostnameProvider.getContextPath(keycloakUriInfo, UrlType.ADMIN);
```

So I am not reading the configuration manually. I am just using what keycloak already provides. For this reason I will need to check this in detail. I could try to remove the context-path in such checks. But I would prefer not to. Is it an option for you to set KC_RELATIVE_PATH? And I will see that I find a clean solution for this in due time.
Great! I do have a working system that I can go on using :-) This just bit me when I tried to get rid of the kc_relative_path. For the time being I will stick to the current situation. There is also another work-around available with slightly more complex reverse proxy rules exposing
When the plugin is deployed with a KC container behind a reverse proxy (I'm using traefik) with a `/login` path prefix that the reverse proxy uses to select the KC container as target and strips from the URL that is passed to KC, then the plugin is not accessible.

My KC-container is built with these env variables:

```
KC_HOSTNAME_URL=https://www.example.com/login
KC_HOSTNAME_ADMIN_URL=https://www.example.com/login
KC_HOSTNAME_PATH=/login
```

Keycloak itself works correctly at `https://www.example.com/login/` (showing the landing page) and `.../login/admin/master/console/` logging in to the console. The link to the SCIM Administration Console directs to `https://www.example.com/login/realms/master/scim/admin/frontend/` but leads to a `We are sorry... Page not found` from KC.

The KC logs show this error message:

```
keycloak-1 | 2024-02-07 16:19:22,036 INFO [de.captaingoldfish.scim.sdk.keycloak.administration.AdministrationBaseEndpoint] (executor-thread-1) SCIM webadmin backend access was rejected. Only accessible under 'https://www.example.com/login' but 'https://www.example.com/login' was used instead
```

Everything works correctly when I remove the path prefix, or 'bake it into KC' with `KC_HTTP_RELATIVE_PATH=/login`, which I prefer not to do.
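
The working configuration reported in this issue (relative path baked into Keycloak, so the proxy forwards `/login` unmodified), next to the prefix-stripping setup that triggers the rejection. This is an added docker-compose fragment, not configuration posted by the reporter or the plugin project; the image tag, the router, service and middleware names, the `websecure` entry point and port 8080 are assumptions.

```yaml
# Added example: docker-compose fragment with Traefik v2 labels (names are assumptions).
services:
  keycloak:
    image: quay.io/keycloak/keycloak:23.0        # assumed tag; the plugin build on the page is for KC 23
    environment:
      # Public URLs as given in the issue.
      KC_HOSTNAME_URL: https://www.example.com/login
      KC_HOSTNAME_ADMIN_URL: https://www.example.com/login

      # Workaround reported as working in the issue: Keycloak itself serves
      # everything under /login, so no prefix rewriting happens in the proxy.
      KC_HTTP_RELATIVE_PATH: /login

      # Setup from the issue that ends in "SCIM webadmin backend access was rejected":
      # Keycloak serves from "/" and is only told about the external prefix.
      # KC_HOSTNAME_PATH: /login
    labels:
      - "traefik.enable=true"
      # Route by host and path prefix; the prefix selects the Keycloak container.
      - "traefik.http.routers.keycloak.rule=Host(`www.example.com`) && PathPrefix(`/login`)"
      - "traefik.http.routers.keycloak.entrypoints=websecure"   # assumed entry point name
      - "traefik.http.routers.keycloak.tls=true"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"

      # With KC_HTTP_RELATIVE_PATH=/login the prefix must reach Keycloak intact,
      # so the StripPrefix middleware stays disabled. Enabling these two labels
      # (together with KC_HOSTNAME_PATH above) reproduces the reporter's setup.
      # - "traefik.http.middlewares.kc-strip.stripprefix.prefixes=/login"
      # - "traefik.http.routers.keycloak.middlewares=kc-strip"
```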