Login/Register
"HTTPS required" while logging in to Keycloak as admin
Asked Answered
jboss7.xkeycloak
P

12

48

enter image description here

I am using Keycloak (version 1.0.4.Final) in JBOSS AS 7.1.1 server. The server is on Amazon AWS.

I am able to start the jboss server with keycloak. i can see the keycloak default screen while hitting the URL - ServerIP:8080/auth

But when i am clicking on the Administration Consolelink to go to the login screen. I am getting a page saying - HTTPS required

The server is on AWS, changing to "ssl-required" : "none", in General Adapter Config has not helped.

How to resolve this issue?

Edit: I was not getting this issue in keycloak-1.2.0.Beta1 version.

Piny answered 3/6, 2015 at 14:11 Comment(1)
Put note here, because most answers are focusing to disable ssl, which is totally in wrong direction. Jump to read the answer with port 8443Beech
G
63

I was running the key cloak inside a docker container, The keycloak command line tool was avaialble inside the keycloak container.

docker exec -it {contaierID} bash
cd keycloak/bin
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
./kcadm.sh update realms/master -s sslRequired=NONE

If the admin user is not created, then the user can be created via this command.

./add-user-keycloak.sh --server http://ip_address_of_the_server:8080/admin --realm master --user admin --password adminPassword

Update: For the newer versions the file in available in the following path: /opt/jboss/keycloak/bin

Gabardine answered 16/5, 2019 at 14:11 Comment(9)
kubectl exec -it keycloak-0 -- /bin/bash to get into container if anyone's using the Kubernetes Helm ChartLawerencelawes
It doesn't work for me. I get HTTPS required [invalid_request].Tjaden
For the newer versions the file in available in the following path: /opt/jboss/keycloak/binGabardine
@NirojanSelvanathan, your comment saves my day.. I can't find the keycloak folder in docker container. ThanksBullfrog
@NirojanSelvanathan your method works, pls update the comment details [regarding the newer versions] in the Answer itself. ThanksIncurious
i get [org.keycloak.events] (default task-1) type=LOGIN_ERROR after doing thisPaxton
@NirojanSelvanathan Thanks.Saved a lot of time for creating just a test system on EC2.Holzman
for keycloak 18+ cd /opt/keycloak/bin/ then don't use \auth, so the command will look like ./kcadm.sh config credentials --server http://xxx.xxx.xxx.xxx:8080 --realm master --user admin and then ./kcadm.sh update realms/master -s sslRequired=NONECaterer
for keycloack 21+ following thread worked for me bash-5.1$ cd ~/bin/ bash-5.1$./kcadm.sh config credentials --server localhost:8080 --realm master --user admin bash-5.1$ ./kcadm.sh update realms/master -s sslRequired=NONE --server localhost:8080 #70577504Faraday
P
51

If you want to disable it for your realm and have no possibility to use UI, do it directly on the database:

update REALM set ssl_required='NONE' where id = 'master';

Note - Restart keycloak for effect

Photography answered 2/2, 2017 at 12:32 Comment(8)
If you have only SSH access and Keycloak is running with embedded DB, you may use native DB client, e.g. for H2: java -cp <PATH TO H2>.jar org.h2.tools.Shell -url "jdbc:h2:file:<your DB>" -user <USER> -password <PASSWORD> -sql "update REALM set ssl_required='NONE' where id = 'master'"Vaclava
One also has to restart keycloak after doing this.Hanson
i get [org.keycloak.events] (default task-1) type=LOGIN_ERROR after doing thisPaxton
Using kcadm cli is the better solution and does not require a restartConcise
@VladimirSalin Error: org.h2.jdbc.JdbcSQLException: The database is read only; SQL statement: after executing update query. I used default username and password as "sa" , "sa"Nonunion
if you have quay.io/keycloak/keycloak:21 image, you can use this SQL script: UPDATE realm SET ssl_required='NONE' where name = 'master';Rabbinical
I did this and now login works. But the authentication flow still fails. It says "HTTPS required". Can I complete an auth flow with http or no ?Ancohuma
dumb mistake... I changed the setting in the db for the master and then proceded to create a new realm, and did not set it on this new realm. It is working nowAncohuma
W
21

You can use the keycloak command line admin tool to change the setting as long as it can authenticate to a local IP address. You can temporarily launch Keycloak on localhost to make this change.

kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
kcadm.sh update realms/realmname -s sslRequired=NONE

Obviously, make sure to replace realm names, username, port, etc as required.

For more information on getting started with the Admin CLI, see documentation: Server Administration: Admin CLI

Whit answered 31/8, 2017 at 19:5 Comment(2)
this is a better solution as it is not required to restart Keycloak (a docker container) in my caseHanson
running ./kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080 --realm master --user username helpedMoor
P
18

This is quite old and now on release versions (I am using Keycloak 1.9.3 demo / Developer bundle), however to save some poor soul some time....

Keycloak now defaults to HTTPS for all external IP addresses. Unfortunately, from what I can tell the Wildfly instance that comes with the demo bundle does NOT support HTTPS. Makes for a pretty insane default if you're installing Keycloak on a remote machine as there is effectively no way to access the Keycloak admin console out of the box.

At this point, you have two options; 1) Install HTTPS in Wildfly or 2) Tunnel via SSH into the remote machine and proxy your browser through it, go to the admin console and turn off the SSL requirement (Realm Settings -> Login -> Require SSL). This works because SSL is not required for local connections.

Remember to first create the admin user by going to $KEYCLOAK_HOME/keycloak/bin and running ./add-user-keycloak -r master -u <> -p <>. This add user script is not interactive like the Wildfly add user script is, you need to put it all on the command line.

Hope this helps!

Pixie answered 5/5, 2016 at 21:26 Comment(2)
what is the second option?Snocat
The 2nd option is to tunnel into the remote machine. I updated my answer so it's clear.Pixie
J
12

It's a bit late but I'm sure people will find this useful. If you are using docker to run keycloak, instead of forwarding port 8080, forward 8443 and it works like charm.

docker run -p 8443:8443 -e KEYCLOAK_USER=username -e KEYCLOAK_PASSWORD=password jboss/keycloak
Jori answered 2/11, 2020 at 13:50 Comment(4)
you have to access https[://]URL:8443. if still doesn't work, try downgrading the version of keycloakJori
the methd proposed by @Nirojan Selvanathan is working fineIncurious
Works with latest version 15.x. Try docker run -d --name keycloak -p 8443:8443 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 quay.io/keycloak/keycloak:15.0.1 Keycloak will auto-generate self-signed certificates. Access your site using HTTPS. Example - https://your-hostname:8443/auth/Nombril
This should be the accept answer, more than to avoid ssl setup by other solutions. By the way google chrome blocks you to access url https://your-hostname-keycloak:8443, switch to use other browsers , such as SafariBeech
H
3

Navigate to bin folder cd /opt/keycloak/bin/

and then run this command to disable ssl on realm "master"

./kcadm.sh config credentials --server http://x.x.x.x:8080 --realm master --user admin

./kcadm.sh update realms/master -s sslRequired=NONE
Hypercritical answered 28/2 at 10:18 Comment(0)
C
1

I testing in docker keycloak: probe that: Realm Settings -> Login -> Require SSL and put in off. or docker exec YOUR_DOCKER_NAME /opt/jboss/keycloak/bin/jboss-cli.sh --connect \ "/subsystem=undertow/server=default-server/http-listener=default:read-resource"

Canzone answered 9/7, 2019 at 3:16 Comment(0)
Y
1

If you are deploying keycloak on kubernetes you can try setting up following ENV VAR

spec:
  containers:
  - name: keycloak
    env:
    - name:  PROXY_ADDRESS_FORWARDING
      value: "true"
Yttrium answered 29/6, 2020 at 13:20 Comment(0)
A
1

Just a complete working docker-compose:

version: '3'

services:
  keycloak:
    image: jboss/keycloak:latest
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - PROXY_ADDRESS_FORWARDING=true
      - DB_VENDOR=mysql
      - DB_ADDR=db
      - DB_PORT=3306
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_PASSWORD=example
    ports:
      - "8181:8080"
      - "9990:9990"
  db:
    image: mysql:5
    environment:
      MYSQL_ROOT_PASSWORD: example
      MYSQL_DATABASE: keycloak
      MYSQL_USER: keycloak
      MYSQL_PASSWORD: example
    volumes:
      - ../data-keycloak:/var/lib/mysql
    ports:
      - "3309:3306"

and then, execute in db:

update REALM set ssl_required='NONE' where name = 'master';

Of course, this is not for production unless you're using in a safe environment.

Aruspex answered 1/10, 2023 at 20:12 Comment(1)
For me the postgress db name was realm case sensitive.Cementation
C
0

try to connect the keycloak database and update the table

update REALM set ssl_required='EXTERNAL' where name = 'master';

then restart docker

docker compose restart
Canonize answered 18/1, 2023 at 6:34 Comment(0)
M
0

for keycloack 21+ following thread worked for me when I added http:// in front of server

cd ~/bin/ 
./kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin 
./kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080
Mercola answered 28/3 at 18:30 Comment(0)
W
0

This is what worked for me. I run this command docker run -d --name keycloak -p 8443:8443 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 quay.io/keycloak/keycloak:15.0.1 in the terminal. After, I open port 8443 in the security group. Now here is the catch! Before accessing my container on the browser, I enforce https://{IP} in the browser, once I hit enter the login page was opened. Hope. this helps!!

Weir answered 21/7 at 22:28 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.