keycloak/keycloak

Keycloak port included in some but not all OIDC endpoints

Open

#47,817 创建于 2026年4月7日

在 GitHub 查看
 (1 评论) (2 反应) (1 负责人)Java (8,346 fork)batch import
area/oidchelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-clients

仓库指标

Star
 (34,398 star)
PR 合并指标
 (平均合并 6天 19小时) (30 天内合并 384 个 PR)

描述

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

I set up a Keycloak service with 2 instances on a locally-hosted Kubernetes cluster. I set the required env variables for a Keycloak behind a proxy in K8s:

KC_HOSTNAME="http://company.url:9090" KC_HOSTNAME_ADMIN="http://admin.url:9090" KC_HOSTNAME_BACKCHANNEL_DYNAMIC="true" KC_PROXY_HEADERS="xforwarded" KC_HTTP_ENABLED="true"

When I access http://company.url:9090/realms/test-rest-client/.well-known/openid-configuration, I get the following output (have cut some of the lines):

{
	"issuer": "http://company.url:9090/realms/test-rest-client",
	"authorization_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/auth",
	"token_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token",
	"introspection_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token/introspect",
	"userinfo_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/userinfo",
	"end_session_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/logout",
	"jwks_uri": "http://company.url/realms/test-rest-client/protocol/openid-connect/certs",
	"check_session_iframe": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/login-status-iframe.html",
	"registration_endpoint": "http://company.url/realms/test-rest-client/clients-registrations/openid-connect",
	"revocation_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/revoke",
	"device_authorization_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/auth/device",
	"backchannel_authentication_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/ciba/auth",
	"pushed_authorization_request_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/par/request",
	"mtls_endpoint_aliases": {
		"token_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token",
		"revocation_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/revoke",
		"introspection_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/token/introspect",
		"device_authorization_endpoint": "http://company.url:9090/realms/test-rest-client/protocol/openid-connect/auth/device",
		"registration_endpoint": "http://company.url/realms/test-rest-client/clients-registrations/openid-connect",
		"userinfo_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/userinfo",
		"pushed_authorization_request_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/par/request",
		"backchannel_authentication_endpoint": "http://company.url/realms/test-rest-client/protocol/openid-connect/ext/ciba/auth"
	}
}

As you can see, some of the URLs contain the port :9090, but some don't. I couldn't find this bug addressed anywhere and it's present on the latest version 26.5.7.

Version

26.5.7

Regression

  • The issue is a regression

Expected behavior

All URLs should contain the port number as it was provided in KC_HOSTNAME.

Actual behavior

About half of the URLs contain the port number.

How to Reproduce?

Run Keycloak in a local Kubernetes cluster with these variables set accordingly:

KC_HOSTNAME="http://company.url:9090" KC_HOSTNAME_ADMIN="http://admin.url:9090" KC_HOSTNAME_BACKCHANNEL_DYNAMIC="true" KC_PROXY_HEADERS="xforwarded" KC_HTTP_ENABLED="true"

Create a test client and visit its OIDC configuration URL: http://HOST:9090/realms/<CLIENT_NAME>/.well-known/openid-configuration

Anything else?

No response

贡献者指南