I am trying to run Keycloak 21 on my local machine to test.
Service port: 8080 default
Admin Console port: 8888 <- not working.
However, when I tried to access the service on port 8888, it's refused.
It seems like the "KC_HOSTNAME_ADMIN_URL" isn't working correctly, or am I missing some other additional setting?
Has anyone solved this issue? I've found older versions of Keycloak had several discussions about this, but I found no solution besides an nginx reverse proxy.
```yaml
version: '3'
volumes:
  mysql_data:
    driver: local
services:
  mysql:
    image: mysql:5.7
    volumes:
      - mysql_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: password
  keycloak:
    image: quay.io/keycloak/keycloak:21.0.1
    environment:
      DB_VENDOR: MYSQL
      DB_ADDR: mysql
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: user
      KEYCLOAK_PASSWORD: keycloak
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: keycloak
      KC_HOSTNAME_ADMIN_URL: http://localhost:8888
      # KC_PORT_ADMIN: 8888
    ports:
      - 8080:8080
      - 8888:8888
    depends_on:
      - mysql
    command: start-dev
    # command: start-dev --hostname-admin-url=http://127.0.0.1:8888
```
I think you have misunderstood the purpose of the `KC_HOSTNAME_ADMIN_URL` setting. This does not change the ports on which Keycloak is listening. It changes the hostname and port that Keycloak expects to see in requests for the admin console.
Your configuration will work if you modify the `ports` section of your `docker-compose.yaml`, like this:
```yaml
  keycloak:
    image: quay.io/keycloak/keycloak:21.0.1
    environment:
      DB_VENDOR: MYSQL
      DB_ADDR: mysql
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      KEYCLOAK_USER: user
      KEYCLOAK_PASSWORD: keycloak
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: keycloak
      KC_HOSTNAME_ADMIN_URL: http://localhost:8888
    ports:
      - 8080:8080
      - 8888:8080
    depends_on:
      - mysql
    command: start-dev
```
Note that we're mapping both host port 8080 and host port 8888 to container port 8080... but you will only be able to access the admin console using http://localhost:8888.
I think the documentation on this topic is a little unclear, but the information is there if you read carefully. It says:
> By default, the URLs for the administration console are also based on the incoming request. However, you can set a specific host or base URL if you want to restrict access to the administration console using a specific URL. Similarly to how you set the frontend URLs, you can use the hostname-admin and hostname-admin-url options to achieve that.
That is, the setting only impacts the URL used to access the console; it doesn't change the ports on which Keycloak is listening.
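A small check for the mismatch discussed in this answer, added here as an example and not part of the original post or of Keycloak: it compares the port in `KC_HOSTNAME_ADMIN_URL` against the compose `ports` entries and reports whether that host port actually forwards to the port Keycloak listens on. The function names are hypothetical, the port lists are copied from the two compose files above, and the listener port 8080 inside the container is assumed from the question's "Service port: 8080 default".

```python
from urllib.parse import urlsplit

# Values taken from the two compose files on this page.
ADMIN_URL = "http://localhost:8888"
QUESTION_PORTS = ["8080:8080", "8888:8888"]
ANSWER_PORTS = ["8080:8080", "8888:8080"]
LISTEN_PORT = 8080  # assumption: Keycloak's HTTP listener inside the container


def parse_port_mapping(entry):
    """Parse compose short syntax '[ip:]host:container[/proto]'.

    Returns (host_port, container_port), or None when no fixed host port is given.
    Port ranges are not handled (assumption: single ports only).
    """
    parts = str(entry).split("/", 1)[0].split(":")
    if len(parts) < 2:
        return None
    return int(parts[-2]), int(parts[-1])


def check_admin_url(admin_url, ports, listen_port=LISTEN_PORT):
    """Return (ok, reason): can the admin URL's port reach Keycloak's listener?"""
    url = urlsplit(admin_url)
    admin_port = url.port or {"http": 80, "https": 443}.get(url.scheme)
    if admin_port is None:
        return False, f"cannot determine a port from {admin_url!r}"
    mappings = [m for m in map(parse_port_mapping, ports) if m]
    targets = [container for host, container in mappings if host == admin_port]
    if not targets:
        return False, f"host port {admin_port} is not published"
    if listen_port not in targets:
        return False, (f"host port {admin_port} forwards to container port "
                       f"{targets[0]}, where nothing listens (Keycloak is on {listen_port})")
    return True, f"host port {admin_port} forwards to Keycloak on container port {listen_port}"


if __name__ == "__main__":
    for name, ports in (("question", QUESTION_PORTS), ("answer", ANSWER_PORTS)):
        print(name, check_admin_url(ADMIN_URL, ports))
```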