Olav Grønås Gjerde

Full stack system architect with passion for Unix, Java, Python and databases.
Twitter @olavgg
2 months ago

Keycloak 26 and stupid change if you run proxy=edge

With version 26, Keycloak has refactored the configuration for proxy setups, and I run Keycloak behind Nginx. The documentation for upgrading to version 26 mentions this without highlighting it, and links to another document that explains how to change this. This change is so stupid, because it is 100% unnecessary. And all the awesome tutorials written by people over time and published on the web are no longer working.

Basically, proxy = edge no longer works; you need to replace it with 2 options:

proxy-headers = xforwarded
http-enabled = true

For Keycloak 25, they introduced "http-management-port". The default keycloak.conf does not include that property, and the default port value is the same as the one ClickHouse uses for HTTP. Again, you need to spend 1 hour understanding the error log and reading through the documentation to find the cause and the fix. I may be nitpicking here, but that configuration option should be included in the keycloak.conf.
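A pre-upgrade check for the two changes above, as an added example (not from the Keycloak project or the original post): it lints a keycloak.conf for the old proxy option, the two replacement options and an explicit management port. The sample configs, the hostname and the port 9100 are constructed for illustration.

```python
# Added example: lint a keycloak.conf before upgrading to Keycloak 26 behind a proxy.
SAMPLE_OLD = """\
# constructed sample: a pre-26 config as found in many tutorials
hostname = sso.example.test
proxy = edge
"""

SAMPLE_NEW = """\
# constructed sample: the same config after the fix
hostname = sso.example.test
proxy-headers = xforwarded
http-enabled = true
http-management-port = 9100
"""

def parse_conf(text):
    """Parse key = value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def check_upgrade(text):
    """Return a list of findings; an empty list means nothing to fix."""
    conf = parse_conf(text)
    findings = []
    if "proxy" in conf:
        findings.append(f"proxy = {conf['proxy']} no longer works; "
                        "replace it with proxy-headers and http-enabled")
    if conf.get("proxy-headers") not in ("forwarded", "xforwarded"):
        findings.append("proxy-headers is not set (xforwarded for this setup)")
    if conf.get("http-enabled", "").lower() != "true":
        findings.append("http-enabled is not true")
    if "http-management-port" not in conf:
        findings.append("http-management-port is not set explicitly; "
                        "the default may collide with another service")
    return findings

if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, check_upgrade(text) or "ok")
```

With proxy-headers = xforwarded, Keycloak trusts the X-Forwarded-* headers it receives, so Nginx should set them itself and Keycloak's HTTP port should only be reachable from the proxy.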

I love Keycloak, and I am grateful for the work by the developers. But I hate maintaining it because of stupid changes. They have several major releases every year, and there is no LTS. So users have to upgrade it all the time to get all the bug and security fixes. For every version forward, where the upgrade process is not crystal clear, I will write down why it is stupid and what you need to do to fix it.