I have leveraged Keycloak in production mode behind nginx via a docker-compose file on my CentOS 8 machine. TLS is set in the load balancer, not on the machine. But when I try to access the admin console in the browser with the credentials I provide (KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD) in the docker-compose file, it gives an "Invalid username or password." error.
docker-compose.yaml file:
nginx:
  build: ./nginx/.
  container_name: nginx
  ports:
    - "8443:80"
  depends_on:
    - keycloak
  networks:
    - keycloak_nginx_network
keycloak:
  image: quay.io/keycloak/keycloak:23.0.4
  container_name: keycloak
  command: start
  restart: always
  ports:
    - "8080:8080"
  environment:
    KC_DB: postgres
    KC_DB_URL_HOST: postgres
    KC_DB_URL_DATABASE: keycloak
    KC_DB_PASSWORD: password
    KC_DB_USERNAME: postgres_user
    KC_DB_SCHEMA: public
    KC_PROXY: edge
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: admin
    KC_HOSTNAME_STRICT_HTTPS: "true"
    KC_HOSTNAME_STRICT_BACKCHANNEL: "true"
    KEYCLOAK_FRONTEND_URL: "some-url/auth"
    KC_HOSTNAME_URL: some-url
    KC_HOSTNAME_ADMIN_URL: some-url
  depends_on:
    postgres_keycloak:
      condition: service_healthy
  networks:
    - keycloak_nginx_network
nginx.conf:
events {}
http {
    server {
        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header content-type "application/json";
            proxy_buffer_size 128k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 256k;
            proxy_pass http://keycloak:8080;
            proxy_read_timeout 300s;
            proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
        }
    }
}
When I enter username: admin & password: admin in the browser, the error I get in the docker logs is:
WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=some-realm-id, clientId=security-admin-console, userId=null, ipAddress=some-ip, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=some-uri, code_id=some-code-id
One line above this warning, it says:
INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'some-user' to realm 'master'
I assume it is an HTTPS-related problem, because when I give http links to KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL, it successfully signs in to the admin console.
Obviously I have already provided credentials, but it keeps giving the user_not_found error. I tried some of the suggested solutions, like destroying & recreating the docker containers, naming the username and password something other than "admin" and "password", etc., but none of them worked. Does anyone have a solution for this?
For those who encounter this problem, my issue was:
proxy_set_header content-type "application/json";
line in the nginx.conf file, since Keycloak uses the "application/x-www-form-urlencoded" content-type header for most of its requests. Do not change it to "application/x-www-form-urlencoded" either, since you also need the "application/json" header from time to time. Just remove that line from the configuration file and it should be fine.
Happy coding.
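To see why a proxy that rewrites Content-Type produces exactly this symptom, here is an added Python model (not Keycloak's or nginx's code) that parses the login POST body according to the header it arrives with, plus a small lint that flags the offending proxy_set_header line in an nginx config; the form body and the dispatch logic are constructed assumptions.

```python
"""Constructed demo: a form-aware endpoint picks its body parser from the
Content-Type header. When the proxy forces application/json onto a browser
login POST (which is URL-encoded form data), no username is extracted and
the user lookup fails, which is what user_not_found in the log reflects."""
import json
import re
from urllib.parse import parse_qs

# Constructed sample: the body a browser sends for the Keycloak login form.
LOGIN_FORM_BODY = "username=admin&password=admin&credentialId="


def extract_credentials(content_type: str, body: str) -> dict:
    """Parse the body with the parser the Content-Type header selects.
    Returns {} when the body cannot be parsed under that media type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        fields = parse_qs(body, keep_blank_values=True)
        return {k: v[0] for k, v in fields.items()}
    if media_type == "application/json":
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return {}
        return data if isinstance(data, dict) else {}
    return {}


def login_outcome(content_type: str, body: str) -> str:
    """Model of the realm's decision: no username means no user to look up."""
    creds = extract_credentials(content_type, body)
    return "ok" if creds.get("username") else "user_not_found"


# nginx header names are case-insensitive, so match "content-type" any way it is spelled.
HEADER_OVERRIDE = re.compile(r"^\s*proxy_set_header\s+content-type\s", re.IGNORECASE)


def find_content_type_overrides(nginx_conf: str) -> list:
    """Return 1-based line numbers that force a Content-Type onto proxied requests."""
    return [i for i, line in enumerate(nginx_conf.splitlines(), 1)
            if HEADER_OVERRIDE.match(line)]


if __name__ == "__main__":
    print(login_outcome("application/x-www-form-urlencoded", LOGIN_FORM_BODY))  # ok
    print(login_outcome("application/json", LOGIN_FORM_BODY))  # user_not_found
```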