Overview

When deploying Keycloak behind Kong Gateway, you may encounter mixed content issues, particularly when accessing the administration console. The cause is that Kong terminates TLS and talks to Keycloak over plain HTTP: unless Keycloak is told it sits behind a reverse proxy, it builds the absolute URLs for its CSS and JavaScript with the scheme it sees on that hop (http), and the browser refuses to load http resources into an https page.

Scenario

You can access Keycloak via your gateway route at https://{gateway}/auth, which displays the Keycloak entry point correctly. However, navigating to the administration console at https://{gateway}/auth/admin/master/console/ results in Keycloak trying to load CSS and JavaScript files over HTTP, causing mixed content errors.

Solution Steps

To resolve this, you need to configure Keycloak to recognize that it is behind a reverse proxy and to serve its resources over HTTPS. Below are the steps to achieve this:

1. Update Your Dockerfile

You will need to modify your Dockerfile to include a configuration script that sets the necessary parameters for Keycloak. Here’s an example Dockerfile:

FROM jboss/keycloak-postgres:3.2.1.Final

USER root

# Add configuration scripts
ADD config.sh /tmp/
ADD batch.cli /tmp/

# Execute the configuration script
RUN bash /tmp/config.sh

# Set permissions for OpenShift
RUN chown -R jboss:0 $JBOSS_HOME/standalone && \
    chmod -R g+rw $JBOSS_HOME/standalone

USER jboss
EXPOSE 8080

2. Create the Configuration Scripts

config.sh

This script sets up the environment for Keycloak:

#!/bin/bash -x

set -e

JBOSS_HOME=/opt/jboss/keycloak
JBOSS_CLI=$JBOSS_HOME/bin/jboss-cli.sh
JBOSS_MODE=${1:-"standalone"}
JBOSS_CONFIG=${2:-"$JBOSS_MODE.xml"}

echo "==> Executing..."
cd /tmp

# Apply the CLI batch to standalone.xml. batch.cli starts an embedded server,
# so no running Keycloak is needed at image build time.
"$JBOSS_CLI" --file="$(dirname "$0")/batch.cli"

# Remove the configuration history the embedded server leaves behind,
# so it is not baked into the image layer
/bin/rm -rf "${JBOSS_HOME}/${JBOSS_MODE}/configuration/${JBOSS_MODE}_xml_history/current"

batch.cli

This CLI batch tells Undertow, the web server embedded in Keycloak, to trust the X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host headers that Kong adds, and to redirect to the proxy's HTTPS port instead of its own. Because proxy-address-forwarding makes Undertow accept those headers from whoever connects, the Keycloak listener should be reachable only through Kong, not directly from clients:

embed-server --std-out=echo

batch

# Create the socket binding that the listener will reference for HTTPS redirects
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
# Trust the X-Forwarded-* headers set by Kong, so Keycloak sees the client's
# scheme (https) and host and builds its URLs from them
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
# When a redirect to HTTPS is required, send the client to the proxy's port 443
# rather than to this listener's own port
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)

run-batch
stop-embedded-server

3. Configure Kong Gateway

Ensure that your Kong Gateway is set up to redirect HTTP traffic to HTTPS. This can typically be done by configuring the route settings in your Kong deployment. For example:

- name: keycloak-route
  paths:
    - /auth
  strip_path: false
  # The admin console also sends PUT and DELETE to the admin REST API;
  # restricting the route to GET and POST breaks saving and deleting
  methods:
    - GET
    - POST
    - PUT
    - DELETE
  protocols:
    - https
  # With protocols limited to https, Kong answers a plain-HTTP request for this
  # route with this status code and a Location header pointing at the https URL
  https_redirect_status_code: 301

Conclusion

After implementing these changes, Keycloak should correctly load its resources over HTTPS, eliminating mixed content issues. If problems persist, double-check your proxy settings and ensure that all configurations are correctly applied.
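To confirm the fix, here is an added check (my own, not from the original write-up, Keycloak or Kong): it lists the resource URLs in a fetched page that a browser would block as mixed content, and reads the scheme Keycloak used in a redirect. The hostname gateway.example and the resource paths are placeholders, and the embedded HTML and headers are constructed samples.

```shell
#!/bin/sh
# Two checks for the symptom described above; hostnames and paths are placeholders.
# Against a live deployment:
#   curl -sS  https://gateway.example/auth/admin/master/console/ | mixed_content_urls
#   curl -sSI https://gateway.example/auth/admin/               | location_scheme

# Print absolute http:// values of src/href attributes in HTML read from stdin.
# Relative and protocol-relative (//host/path) URLs inherit the page's scheme, so
# only an explicit http:// scheme counts as mixed content.
mixed_content_urls() {
  grep -oE '(src|href)="http://[^"]*"' | sed -E 's/^(src|href)="//; s/"$//'
}

# Print the scheme of the Location header in raw response headers read from stdin.
# Keycloak takes this scheme from X-Forwarded-Proto only once proxy-address-forwarding
# is enabled; before that it reflects the proxy-to-Keycloak hop, i.e. http.
location_scheme() {
  tr -d '\r' | grep -i '^location:' | sed -E 's/^[^:]*: *([A-Za-z]+):.*/\1/'
}

# Constructed samples, not captured from a real system.
BROKEN_HTML='<html><head>
<link rel="stylesheet" href="http://gateway.example/auth/resources/r1/admin/keycloak/css/styles.css">
<script src="http://gateway.example/auth/resources/r1/admin/keycloak/lib/angular/angular.js"></script>
<script src="//gateway.example/auth/js/keycloak.js"></script>
</head><body></body></html>'
FIXED_HTML='<html><head>
<link rel="stylesheet" href="https://gateway.example/auth/resources/r1/admin/keycloak/css/styles.css">
<script src="https://gateway.example/auth/resources/r1/admin/keycloak/lib/angular/angular.js"></script>
<script src="//gateway.example/auth/js/keycloak.js"></script>
</head><body></body></html>'
BROKEN_HEADERS="$(printf 'HTTP/1.1 302 Found\r\nLocation: http://gateway.example/auth/admin/master/console/\r\n')"
FIXED_HEADERS="$(printf 'HTTP/1.1 302 Found\r\nLocation: https://gateway.example/auth/admin/master/console/\r\n')"

# Wrappers that take the text as an argument, for scripting and for the self-check below.
count_mixed()     { printf '%s\n' "$1" | mixed_content_urls | wc -l | tr -d ' '; }
redirect_scheme() { printf '%s\n' "$1" | location_scheme; }

main() {
  echo "mixed resources before fix:  $(count_mixed "$BROKEN_HTML")"          # 2
  echo "mixed resources after fix:   $(count_mixed "$FIXED_HTML")"           # 0
  echo "redirect scheme before fix:  $(redirect_scheme "$BROKEN_HEADERS")"   # http
  echo "redirect scheme after fix:   $(redirect_scheme "$FIXED_HEADERS")"    # https
}
main "$@"
```

An empty list from mixed_content_urls and "https" from location_scheme mean the proxy headers are being honoured; any http:// entry points at a resource URL Keycloak still builds from the unencrypted hop.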

Feel free to reach out for further assistance if needed.