仓库指标
- Star
- (34,398 star)
- PR 合并指标
- (平均合并 6天 19小时) (30 天内合并 384 个 PR)
描述
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
I set up a Keycloak service with 2 instances on a locally-hosted Kubernetes cluster. I set the required env variables for a Keycloak behind a proxy in K8s:
KC_HOSTNAME="http://company.url:9090" KC_HOSTNAME_ADMIN="http://admin.url:9090" KC_HOSTNAME_BACKCHANNEL_DYNAMIC="true" KC_PROXY_HEADERS="xforwarded" KC_HTTP_ENABLED="true"
When I access http://company.url:9090/realms/test-rest-client/.well-known/openid-configuration, I get the following output (have cut some of the lines):
{
"issuer": "http://company.url:9090/realms/test-rest-client",
"authorization_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/auth",
"token_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token",
"introspection_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/logout",
"jwks_uri": "http://company.url/realms/test-rest-client/protocol/openid-connect/certs",
"check_session_iframe": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/login-status-iframe.html",
"registration_endpoint": "http://company.url/realms/test-rest-client/clients-registrations/openid-connect",
"revocation_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/revoke",
"device_authorization_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/auth/device",
"backchannel_authentication_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/ciba/auth",
"pushed_authorization_request_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases": {
"token_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token",
"revocation_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/revoke",
"introspection_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token/introspect",
"device_authorization_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/auth/device",
"registration_endpoint": "http://company.url/realms/test-rest-client/clients-registrations/openid-connect",
"userinfo_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/userinfo",
"pushed_authorization_request_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/par/request",
"backchannel_authentication_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/ciba/auth"
}
}
As you can see, some of the URLs contain the port :9090, but some don't. I couldn't find this bug addressed anywhere and it's present on the latest version 26.5.7.
Version
26.5.7
Regression
- The issue is a regression
Expected behavior
All URLs should contain the port number as it was provided in KC_HOSTNAME.
Actual behavior
About half of the URLs contain the port number.
How to Reproduce?
Run Keycloak in a local Kubernetes cluster with these variables set accordingly:
KC_HOSTNAME="http://company.url:9090" KC_HOSTNAME_ADMIN="http://admin.url:9090" KC_HOSTNAME_BACKCHANNEL_DYNAMIC="true" KC_PROXY_HEADERS="xforwarded" KC_HTTP_ENABLED="true"
Create a test client and visit its OIDC configuration URL: http://HOST:9090/realms/<CLIENT_NAME>/.well-known/openid-configuration
Anything else?
No response