"HTTPS required" when logging into Keycloak as administrator


I am using Keycloak (version 1.0.4.Final) on JBOSS AS 7.1.1 server. The server is located on Amazon AWS.

I can start the JBoss server with Keycloak. I see the default screen for Keycloak when I hit the URL ServerIP:8080/auth

But when I click on the Administration Console link to go to the login screen, I get a message on the page: HTTPS required

The server is located on AWS, changing it to "ssl-required" : "none", in the General Adapter Config did not help.

How to solve this problem?

Edit: I did not get this problem in keycloak-1.2.0.Beta1 version.

+14
7 answers

If you want to disable it for your realm and are not able to use the interface, do it directly in the database:

 update REALM set ssl_required='NONE' where id = 'master'; 
+12

This is pretty old, and now in the release versions (I use the Keycloak 1.9.3 / Developer bundle demo package), but save a little bit ...

Keycloak now uses HTTPS for all external IP addresses by default. Unfortunately, from what I can tell, the Wildfly instance that comes with the demo package does NOT support HTTPS. Makes for insane defaults if you install Keycloak on a remote computer, as there is no efficient access to the Keycloak admin console.

At this point you have two options: 1) Install HTTPS in Wildfly or 2) Tunnel via SSH to the remote computer and proxy your browser through it, go to the admin console and disable the SSL requirement (Realm Settings → Login → Require SSL). This works because SSL is not required for local connections.

Remember to create the admin user first by going to $KEYCLOAK_HOME/keycloak/bin and running ./add-user-keycloak -r master -u <> -p <>. This add-user script is not interactive like the Wildfly add-user script is; you need to put all of this on the command line.

Hope this helps!

+10
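An added example (not from the answers on this page and not Keycloak's own code) that models why the SSH-tunnel workaround above works under the `external` setting, and lists realms that were left at `none` afterwards. The set of "local" address ranges, the function names and the JSON shape of the realm list are assumptions made for illustration.

```python
import ipaddress
import json

# Assumption: addresses treated as "local" when sslRequired is "external"
# (loopback plus RFC 1918 private ranges). Verify against your Keycloak version.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def https_required(ssl_required, client_ip):
    """Return True if a plain-HTTP request from client_ip would be refused."""
    mode = ssl_required.lower()
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "external":
        addr = ipaddress.ip_address(client_ip)
        # A tunnelled browser session arrives from loopback, so it passes here.
        return not any(addr in net for net in LOCAL_NETS)
    raise ValueError(f"unknown sslRequired value: {ssl_required!r}")


def realms_without_tls(realms_json):
    """Names of realms whose sslRequired is 'none' (workaround left switched on)."""
    return sorted(r["realm"] for r in json.loads(realms_json)
                  if r.get("sslRequired", "external").lower() == "none")


# Constructed sample, assumed to be shaped like a realm list exported as JSON.
SAMPLE_REALMS = """[
  {"realm": "master",   "sslRequired": "NONE"},
  {"realm": "demo",     "sslRequired": "external"},
  {"realm": "internal", "sslRequired": "all"}
]"""

if __name__ == "__main__":
    # 203.0.113.25 is a documentation address standing in for a public client.
    for ip in ("127.0.0.1", "10.0.3.7", "203.0.113.25"):
        print(ip, "-> HTTPS required:", https_required("external", ip))
    print("realms still at none:", realms_without_tls(SAMPLE_REALMS))
```

Once HTTPS is available on the server, any realm this reports can be set back to `external` or `all`.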

You can use the keycloak command-line administration tool to change the setting if it can authenticate to the local IP address. You can temporarily run Keycloak on localhost to make this change.

 kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
 kcadm.sh update realms/realmname -s sslRequired=NONE

Obviously, be sure to replace the realm names, username, port, etc. as needed.

For more information about getting started with the administrator CLI, see the Documentation: http://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html.

+9

I ran Keycloak in a Docker container; the Keycloak command-line tool was available inside the Keycloak container.

 docker exec -it {containerID} bash
 cd keycloak/bin
 ./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
 ./kcadm.sh update realms/master -s sslRequired=NONE

If a user with administrator rights has not been created, then the user can be created using this command.

 ./add-user-keycloak.sh --server http://ip_address_of_the_server:8080/admin --realm master --user admin --password adminPassword 
+5

Naive solution

If you google this, you will get the Keycloak user guide, which tells you to set

  "ssl-required" : "none", 

in the General Adapter Config. It says:

The default value is external, meaning that HTTPS is required by default for external requests. Valid values are 'all', 'external' and 'none'.

(think before using this in production, though)

Alternative solution

On the mailing list, the problem came up and was answered:

You can enable SSL on AWS (highly recommended!) or change the settings through the admin console (you need to either use the SSL tunnel or https to do this, though).

For SSL on AWS, check out this link.

+2

Just go to the Keycloak admin console, click Realm Settings, go to Login, and then set SSL Requirement to none. Do this if you are still in the testing phase and have not yet implemented SSL.

0

I tested with Keycloak in Docker. Check this: Realm Settings → Login → Require SSL, and turn it off. Or:

 docker exec YOUR_DOCKER_NAME /opt/jboss/keycloak/bin/jboss-cli.sh --connect \
   "/subsystem=undertow/server=default-server/http-listener=default:read-resource"

0

Source: https://habr.com/ru/post/988456/