Comments (4)
Great! I do have a working system that I can go on using :-) This just bit me when I tried to get rid of the kc_relative_path. For the time being I will stick to the current situation. There is also another work-around available with slightly more complex reverse proxy rules exposing /realms/
, /resources/
, /robots.txt
and optionally /js/
of the KC container (as described in the KC documentation Exposed path recommendations).
from scim-for-keycloak.
Hi which version did you install exactly?
Sorry for the log-message it does not show the URLs correctly. If you deploy the latest Release kc-22-1.5.0-RC1 or kc-21.1.2.2-RC1 you will get an appropriate errormessage.
This happens normally under two different conditions:
- reverse-proxy is communicating with keycloak over http and keycloak does not have the property
KC_PROXY=edge
set. - reverse-proxy is communicating with keycloak over https and keycloak does have the property
KC_PROXY=edge
set.
The error in the comparison is normally the protocol that it is http instead of https or vice versa.
from scim-for-keycloak.
Thanks for the fast reply,
Plugin version: scim-for-keycloak-kc-23-1.5.0-RC1-enterprise.jar
KC 23.0.6
KC is running in edge mode, proxy uses http
Env-vars in the container:
KC_HOSTNAME_STRICT_HTTPS=false
KC_PROXY=edge
KC_HOSTNAME_ADMIN_URL=https://www.example.com/login
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=password
KC_HOSTNAME_URL=https://www.example.com/login
KC_HOSTNAME_PATH=/login
KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak?ssl=all
KC_HOSTNAME_STRICT=false
KC_HTTP_ENABLED=true
Keycloak startup message:
keycloak-1 | 2024-02-07 19:50:17,961 INFO [org.keycloak.common.Profile] (main) Preview features enabled: account3, admin-fine-grained-authz, client-secret-rotation, declarative-user-profile, dpop, multi-site, recovery-codes, scripts, token-exchange, update-email
keycloak-1 | 2024-02-07 19:50:19,200 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: https://www.example.com/login, Hostname: www.example.com, Strict HTTPS: true, Path: /login, Strict BackChannel: false, Admin URL: https://www.example.com/login, Admin: www.example.com, Port: -1, Proxied: true
keycloak-1 | 2024-02-07 19:50:19,281 INFO [de.captaingoldfish.scim.sdk.keycloak.EnterpriseLoader] (main)
When navigating the link, the error message is:
keycloak-1 | 2024-02-07 19:51:42,881 INFO [de.captaingoldfish.scim.sdk.keycloak.administration.AdministrationBaseEndpoint] (executor-thread-1) SCIM webadmin backend access was rejected. Only accessible under 'https://www.example.com/login' but 'https://www.example.com/realms/master/scim/admin/frontend/' was used instead
The was used instead url is exactly the one I would expect. The landing page links to https://www.example.com/login/realms/master/scim/admin/frontend/
and the proxy strips the login
.
With KC_HTTP_RELATIVE_PATH
not set and KC_HOSTNAME_PATH=/login
, the plugin should not expect the /login
to be there.
/Hartmut
from scim-for-keycloak.
I see, what is the problem. I will check later again in the sourcecode if I can fix this without workarounds. Until then I would recommend that you simply adjust the keycloak relative path until then:
KC_RELATIVE_PATH=/login
The context-path is read using the hostname-provider from keycloak itself:
HostnameProvider hostnameProvider = keycloakSession.getProvider(HostnameProvider.class);
String contextPath = hostnameProvider.getContextPath(keycloakUriInfo, UrlType.ADMIN)
So I am not reading the configuration manually. I am just using what keycloak already provides. For this reason I will need to check this in detail. I could try to remove the context-path in such checks. But I would prefer not to.
Is it an option for you to set KC_RELATIVE_PATH?
And I will see that I find a clean solution for this in due time.
from scim-for-keycloak.
Related Issues (20)
- Seed initial configuration in keycloak HOT 4
- I don't see any source for some of the classes in enterprise source zip HOT 3
- I can't seem to get authentication for scim working HOT 2
- You may want to look at integrating this for the scim user federation part
- Issue with Use with Microsoft Azure AD wiki page HOT 2
- Parallel PATCH calls result in optimistic locking exception HOT 15
- Token Expiry Handling between OKTA and Keycloak HOT 4
- ResourceTypes and Realm Assignment Tabs are empty - Remote SCIM Provider Configuration HOT 9
- Azure-Patch Operation not working HOT 4
- scim-for-keycloak plugin free version HOT 4
- Group Leave SCIM Notification is not being Received at the Sample Spring Boot Project HOT 2
- Issue with UPDATE_PASSWORD action when using scim-for-keycloak HOT 4
- SCIM Client with Zscaler Internet Access - 404: No user with the id HOT 14
- Cannot uninstall SCIM Plugin on Keycloak 24.0.3 HOT 4
- SCIM and SSO Handling - Automatic Linking of User Created through SCIM and SSO HOT 2
- Group Membership Updates are not instantly pushed when the update is initiated from OKTA HOT 11
- Group Member Sync Failure HOT 2
- MS Entra (Azure) sends boolean values as a String with the capital first letter Issue HOT 4
- Endpoint Authentication Method Issue HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from scim-for-keycloak.