This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

Use authServerUrl instead of authUrl to initialize keycloak client (#2703) #2704

Conversation

thomasdarimont
Contributor

Previously, the admin-console did not initialize properly when users configured an admin-hostname different from the frontend-hostname.

E.g:
--hostname: id.acme.test
--hostname-admin: admin.acme.test

produces an environment like:
...

Since authUrl was used, the admin-client tried to create a 3p-check-iframe from
`https://admin.acme.test:8443/auth/...`, which is not allowed since only `https://id.acme.test:8443/auth/...` is allowed.

Using the authServerUrl ensures that the correct IdP url is used.

Fixes keycloak/keycloak#18244

Signed-off-by: Thomas Darimont thomas.darimont@googlemail.com

…2703)

Previously the admin-console did not initialize properly
when users configured an admin-hostname different from the frontend-hostname.

E.g:
--hostname: id.acme.test
--hostname-admin: admin.acme.test

produces an `environment` like:
...
- `authUrl: https://admin.acme.test:8443/auth/...`
- `authServerUrl: https://id.acme.test:8443/auth/...`

Since `authUrl` was used, the admin-client tried to create a 3p-check-iframe from
`https://admin.acme.test:8443/auth/...`, which is not allowed since only `https://id.acme.test:8443/auth/...` is allowed.

Using the `authServerUrl` ensures that the correct `IdP` url is used.

Fixes #2703

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
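The following is an added example, not code from keycloak-admin-ui or keycloak-js. It models the `environment` object described in the commit message with the two constructed hostnames from the example and shows why a keycloak-js adapter initialised from `authUrl` would load its third-party-cookie check iframe from the admin origin while the login endpoint is served from the IdP origin, and why `authServerUrl` (with a fallback to `authUrl` when the server does not provide it) lines the two up. The `realm`/`clientId` fields, the `security-admin-console` client id in the sample, and all helper names are assumptions for the illustration; the iframe path follows the `3p-cookies/step1.html` endpoint that keycloak-js requests under the realm URL.

```typescript
// Added example (not keycloak-admin-ui or keycloak-js code). Models the admin
// console `environment` from the PR and checks which origin the keycloak-js
// 3p-cookie-check iframe would be loaded from for a given base URL.

interface AdminEnvironment {
  /** Base URL the admin console is served from (follows --hostname-admin). */
  authUrl: string;
  /** Base URL of the Keycloak server / IdP (follows --hostname). Optional,
   *  because a server that does not expose it leaves the field out. (Assumed shape.) */
  authServerUrl?: string;
  realm: string;     // assumed field
  clientId: string;  // assumed field
}

// Constructed sample: the split-hostname deployment from the PR description.
const splitHostnameEnv: AdminEnvironment = {
  authUrl: "https://admin.acme.test:8443/auth",
  authServerUrl: "https://id.acme.test:8443/auth",
  realm: "master",
  clientId: "security-admin-console", // assumed client id for the sample
};

// Constructed sample: no --hostname-admin, so both URLs derive from the request.
const singleHostnameEnv: AdminEnvironment = {
  authUrl: "https://id.acme.test:8443/auth",
  authServerUrl: "https://id.acme.test:8443/auth",
  realm: "master",
  clientId: "security-admin-console",
};

function stripTrailingSlash(url: string): string {
  return url.replace(/\/+$/, "");
}

/** URL the adapter must talk to: the IdP URL when the server provides it,
 *  otherwise the console's own URL (correct whenever both hostnames are equal). */
function resolveKeycloakUrl(env: AdminEnvironment): string {
  return env.authServerUrl ?? env.authUrl;
}

/** Hypothetical adapter config, shaped like the object handed to `new Keycloak(...)`. */
function buildKeycloakConfig(env: AdminEnvironment): { url: string; realm: string; clientId: string } {
  return { url: resolveKeycloakUrl(env), realm: env.realm, clientId: env.clientId };
}

/** Realm base, e.g. https://id.acme.test:8443/auth/realms/master */
function realmUrl(baseUrl: string, realm: string): string {
  return `${stripTrailingSlash(baseUrl)}/realms/${encodeURIComponent(realm)}`;
}

/** Page keycloak-js loads into its hidden third-party-cookie check iframe. */
function thirdPartyCheckIframeUrl(baseUrl: string, realm: string): string {
  return `${realmUrl(baseUrl, realm)}/protocol/openid-connect/3p-cookies/step1.html`;
}

/** Authorization endpoint the browser is redirected to for login. */
function loginUrl(baseUrl: string, realm: string): string {
  return `${realmUrl(baseUrl, realm)}/protocol/openid-connect/auth`;
}

function sameOrigin(a: string, b: string): boolean {
  return new URL(a).origin === new URL(b).origin;
}

/** True when the iframe built from `baseUrl` shares its origin with the IdP
 *  that serves the login page; false is the failure described in the PR. */
function iframeMatchesIdp(env: AdminEnvironment, baseUrl: string): boolean {
  const idp = env.authServerUrl ?? env.authUrl;
  return sameOrigin(thirdPartyCheckIframeUrl(baseUrl, env.realm), loginUrl(idp, env.realm));
}

// Before the fix: authUrl puts the iframe on admin.acme.test, the IdP is id.acme.test.
console.log("authUrl-based iframe matches IdP:", iframeMatchesIdp(splitHostnameEnv, splitHostnameEnv.authUrl));
// After the fix: authServerUrl puts the iframe on the IdP origin.
console.log("authServerUrl-based iframe matches IdP:", iframeMatchesIdp(splitHostnameEnv, resolveKeycloakUrl(splitHostnameEnv)));
console.log("adapter config:", buildKeycloakConfig(splitHostnameEnv));
```

Run it with `npx tsx` or `ts-node`; the first line prints `false`, the second `true`, and the single-hostname sample passes either way, which is the "determined as usual" case mentioned later in the thread.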
@thomasdarimont
Contributor Author

thomasdarimont commented May 26, 2022

I just verified that this fix works in combination with keycloak/keycloak#12192.

If I start keycloak with the following command:

bin/kc.sh --verbose \
  start \
  --auto-build \
  --hostname=id.acme.test \
  --hostname-port=8443 \
  --hostname-strict=true \
  --hostname-strict-https=true \
  --hostname-strict-backchannel=true \
  --hostname-admin=admin.acme.test \
  --http-enabled=true \
  --http-relative-path="auth" \
  --proxy=edge \
  --https-certificate-file=./acme.test+1.pem \
  --https-certificate-key-file=./acme.test+1-key.pem \
  --spi-events-listener-jboss-logging-success-level=info \
  --spi-events-listener-jboss-logging-error-level=warn \
  --features=admin2

(Note the different values for --hostname=id.acme.test and --hostname-admin=admin.acme.test)

I can access the admin console via `https://admin.acme.test:8443/auth/admin`, which sends me to `https://id.acme.test:8443/auth/realms/master/...` for login. After sign-in I get redirected to the admin-console under `https://admin.acme.test:8443/auth/admin`.

If no dedicated admin-hostname is set then the authServerUrl is determined as usual (from the request).

@cypress

cypress bot commented May 26, 2022



Test summary

344 passed, 0 failed, 11 pending, 0 skipped; flakiness 0


Run details

Project Keycloak Admin UI
Status Passed
Commit dc6e157
Started May 26, 2022 7:32 PM
Ended May 26, 2022 7:44 PM
Duration 11:25 💡
OS Linux Ubuntu - 20.04
Browser Chrome 101


@ssilvert
Contributor

Thanks @thomasdarimont. As I understand it, we don't need to wait for keycloak/keycloak#12192 to be merged, right?

@thomasdarimont
Contributor Author

@ssilvert I think you are right :) Currently users can set a dedicated admin hostname via the hostname spi configuration, e.g. via env variable KC_SPI_HOSTNAME_DEFAULT_ADMIN=admin.acme.test.

Successfully merging this pull request may close these issues.

Use authServerUrl instead of authUrl to initialize Keycloak Admin Client