
Scim plugin behind reverse proxy that strips a path prefix makes the scim console inaccessible #102

Open
benzht opened this issue Feb 7, 2024 · 4 comments

Comments

@benzht

benzht commented Feb 7, 2024

When the plugin is deployed with a KC container behind a reverse proxy (I'm using traefik) with a /login path prefix that the reverse proxy uses to select the KC container as target and strips from the URL that is passed to KC, the plugin is not accessible.

My KC-container is built with these env variables:
KC_HOSTNAME_URL=https://www.example.com/login
KC_HOSTNAME_ADMIN_URL=https://www.example.com/login
KC_HOSTNAME_PATH=/login

Keycloak itself works correctly at https://www.example.com/login/ (showing the landing page) and at .../login/admin/master/console/ for logging in to the console. The link to the SCIM Administration Console directs to
https://www.example.com/login/realms/master/scim/admin/frontend/ but leads to a "We are sorry... Page not found" page from KC.

The KC logs show this error message:
keycloak-1 | 2024-02-07 16:19:22,036 INFO [de.captaingoldfish.scim.sdk.keycloak.administration.AdministrationBaseEndpoint] (executor-thread-1) SCIM webadmin backend access was rejected. Only accessible under 'https://www.example.com/login' but 'https://www.example.com/login' was used instead

Everything works correctly when I remove the path prefix, or 'bake it into KC' with KC_HTTP_RELATIVE_PATH=/login, which I prefer not to do.

@Captain-P-Goldfish
Owner

Hi, which version did you install exactly?
Sorry for the log message; it does not show the URLs correctly. If you deploy the latest release kc-22-1.5.0-RC1 or kc-21.1.2.2-RC1 you will get an appropriate error message.

This happens normally under two different conditions:

  1. reverse-proxy is communicating with keycloak over http and keycloak does not have the property KC_PROXY=edge set.
  2. reverse-proxy is communicating with keycloak over https and keycloak does have the property KC_PROXY=edge set.

The error in the comparison is normally the protocol: http instead of https, or vice versa.

@benzht
Author

benzht commented Feb 7, 2024

Thanks for the fast reply.

Plugin version: scim-for-keycloak-kc-23-1.5.0-RC1-enterprise.jar
KC 23.0.6
KC is running in edge mode; the proxy uses http.

Env-vars in the container:

KC_HOSTNAME_STRICT_HTTPS=false
KC_PROXY=edge
KC_HOSTNAME_ADMIN_URL=https://www.example.com/login
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=password
KC_HOSTNAME_URL=https://www.example.com/login
KC_HOSTNAME_PATH=/login
KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak?ssl=all
KC_HOSTNAME_STRICT=false
KC_HTTP_ENABLED=true

Keycloak startup message:

keycloak-1  | 2024-02-07 19:50:17,961 INFO  [org.keycloak.common.Profile] (main) Preview features enabled: account3, admin-fine-grained-authz, client-secret-rotation, declarative-user-profile, dpop, multi-site, recovery-codes, scripts, token-exchange, update-email
keycloak-1  | 2024-02-07 19:50:19,200 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: https://www.example.com/login, Hostname: www.example.com, Strict HTTPS: true, Path: /login, Strict BackChannel: false, Admin URL: https://www.example.com/login, Admin: www.example.com, Port: -1, Proxied: true
keycloak-1  | 2024-02-07 19:50:19,281 INFO  [de.captaingoldfish.scim.sdk.keycloak.EnterpriseLoader] (main)

When navigating the link, the error message is:

keycloak-1 | 2024-02-07 19:51:42,881 INFO [de.captaingoldfish.scim.sdk.keycloak.administration.AdministrationBaseEndpoint] (executor-thread-1) SCIM webadmin backend access was rejected. Only accessible under 'https://www.example.com/login' but 'https://www.example.com/realms/master/scim/admin/frontend/' was used instead

The "was used instead" URL is exactly the one I would expect. The landing page links to https://www.example.com/login/realms/master/scim/admin/frontend/ and the proxy strips the /login.

With KC_HTTP_RELATIVE_PATH not set and KC_HOSTNAME_PATH=/login, the plugin should not expect the /login to be there.

/Hartmut

@Captain-P-Goldfish
Owner

Captain-P-Goldfish commented Feb 8, 2024

I see what the problem is. I will check again later in the source code if I can fix this without workarounds. Until then I would recommend that you simply adjust the keycloak relative path:

KC_RELATIVE_PATH=/login

The context-path is read using the hostname-provider from keycloak itself:

// Context path as resolved by Keycloak's own hostname provider for the admin URL
HostnameProvider hostnameProvider = keycloakSession.getProvider(HostnameProvider.class);
String contextPath = hostnameProvider.getContextPath(keycloakUriInfo, UrlType.ADMIN);

So I am not reading the configuration manually; I am just using what keycloak already provides. For this reason I will need to check this in detail. I could try to remove the context-path in such checks, but I would prefer not to.

Is it an option for you to set KC_RELATIVE_PATH?

And I will see that I find a clean solution for this in due time.
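The access check the log message points at, modelled here as an added Python example (not the plugin's own code) to show why the proxy-stripped URL is rejected while KC_HTTP_RELATIVE_PATH=/login passes, and how a variant that still compares scheme and host against the admin URL, but compares the path against the prefix Keycloak actually serves, would behave; the function names, the tolerant variant and the scenario values are assumptions built from the thread.

```python
from urllib.parse import urlparse

# Constructed values mirroring the issue (KC_HOSTNAME_ADMIN_URL and the SCIM
# admin path the landing page links to); not taken from the plugin's source.
ADMIN_URL = "https://www.example.com/login"
SCIM_ADMIN_PREFIX = "/realms/master/scim/admin/"


def strict_check(admin_url: str, request_url: str) -> bool:
    """Model of the check behind 'Only accessible under X but Y was used instead':
    the request URL must lie under the admin URL, its hostname path included."""
    base = admin_url.rstrip("/")
    return request_url == base or request_url.startswith(base + "/")


def context_aware_check(admin_url: str, request_url: str, relative_path: str = "") -> bool:
    """Hypothetical tolerant variant (an assumption, not the maintainer's fix): scheme and
    host must still match the admin URL, which keeps catching the http/https mismatch the
    maintainer describes, but the path is compared against KC_HTTP_RELATIVE_PATH, the
    prefix Keycloak really serves, instead of a KC_HOSTNAME_PATH that a proxy may strip."""
    expected, actual = urlparse(admin_url), urlparse(request_url)
    if (expected.scheme, expected.netloc) != (actual.scheme, actual.netloc):
        return False
    return actual.path.startswith(relative_path.rstrip("/") + SCIM_ADMIN_PREFIX)


def evaluate(request_url: str, relative_path: str = "") -> tuple:
    """Return (strict, context_aware) verdicts for a request URL as Keycloak sees it."""
    return (strict_check(ADMIN_URL, request_url),
            context_aware_check(ADMIN_URL, request_url, relative_path))


# Constructed scenarios taken from the thread.
SCENARIOS = {
    # traefik strips /login, KC_HTTP_RELATIVE_PATH unset: the URL from the log above
    "proxy strips prefix": ("https://www.example.com/realms/master/scim/admin/frontend/", ""),
    # KC_HTTP_RELATIVE_PATH=/login, proxy forwards the prefix unchanged
    "relative path baked in": ("https://www.example.com/login/realms/master/scim/admin/frontend/", "/login"),
    # proxy talks http to Keycloak without KC_PROXY=edge: scheme mismatch, rejected by both
    "http behind proxy, no edge": ("http://www.example.com/login/realms/master/scim/admin/frontend/", "/login"),
}

if __name__ == "__main__":
    for name, (url, rel) in SCENARIOS.items():
        strict, aware = evaluate(url, rel)
        print(f"{name:28} strict={strict!s:5} context_aware={aware}")
```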

@benzht
Author

benzht commented Feb 8, 2024

Great! I do have a working system that I can go on using :-) This just bit me when I tried to get rid of the kc_relative_path. For the time being I will stick to the current situation. There is also another workaround available with slightly more complex reverse proxy rules exposing /realms/, /resources/, /robots.txt and optionally /js/ of the KC container (as described in the KC documentation "Exposed path recommendations").
