We are using Keycloak as a container (connected to another MySQL container on the same server) on a Hetzner Ubuntu server. We have two stages – develop and staging. They differ insofar as staging has an nginx load balancer and uses HTTPS, while develop has no load balancer and uses only HTTP.
This is my Dockerfile for develop:
FROM quay.io/keycloak/keycloak:21.0.0 as builder
ENV KC_DB=mysql
ADD ./themes/tediro /opt/keycloak/themes/tediro
RUN /opt/keycloak/bin/kc.sh build
FROM quay.io/keycloak/keycloak:21.0.0
COPY --from=builder /opt/keycloak/ /opt/keycloak/
# plain HTTP with nothing in front of Keycloak: hostname checks relaxed, HTTP listener enabled
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_HTTP_ENABLED=true
ENV KC_HOSTNAME=auth.d-tms.tediro.com
# the Quarkus distribution spells this option KC_LOG_LEVEL; KC_LOGLEVEL is not recognised
ENV KC_LOGLEVEL=ALL
ENV KC_DB=mysql
ENV KC_DB_URL=jdbc:mysql://mysql:3306/keycloak
ENV KC_DB_USERNAME=keycloak
# secrets in ENV are baked into the image layers; pass them at run time instead
ENV KC_DB_PASSWORD=xxx
# the bootstrap admin user is read from KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD, not KC_ADMIN*
ENV KC_ADMIN=admin
ENV KC_ADMIN_PASSWORD=xxx
# build-time options: set only in the runtime stage, they make the server re-augment at startup
ENV KC_FEATURES=admin-fine-grained-authz
ENV KC_CACHE=local
# WildFly-era image variables, not read by the Quarkus distribution (KC_PROXY / KC_DB_URL_PROPERTIES are the equivalents)
ENV PROXY_ADDRESS_FORWARDING=false
ENV JDBC_PARAMS="useSSL=false&allowPublicKeyRetrieval=true&connectTimeout=50000"
# the JVM reads JAVA_TOOL_OPTIONS; jboss.as.* properties are WildFly-only and have no effect here
ENV JAVA_TOOLS_OPTIONS="-Djboss.as.management.blocking.timeout=30000"
ENV JAVA_OPTIONS="-Djboss.as.management.blocking.timeout=6000"
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start-dev"]
This is for staging:
FROM quay.io/keycloak/keycloak:21.0.0 as builder
ENV KC_DB=mysql
ADD ./themes/tediro /opt/keycloak/themes/tediro
RUN /opt/keycloak/bin/kc.sh build
FROM quay.io/keycloak/keycloak:21.0.0
COPY --from=builder /opt/keycloak/ /opt/keycloak/
# HTTPS only; TLS terminates at nginx, so the HTTP listener stays off and HTTPS is enforced by hostname config
ENV KC_HOSTNAME_STRICT=false
ENV KC_HOSTNAME_STRICT_HTTPS=true
ENV KC_HTTP_ENABLED=false
ENV KC_HOSTNAME=auth.s-tms.tediro.com
# the Quarkus distribution spells this option KC_LOG_LEVEL; KC_LOGLEVEL is not recognised
ENV KC_LOGLEVEL=ALL
ENV KC_DB=mysql
ENV KC_DB_URL=jdbc:mysql://mysql:3306/keycloak
ENV KC_DB_USERNAME=keycloak
# secrets in ENV are baked into the image layers; pass them at run time instead
ENV KC_DB_PASSWORD=xxx
# the bootstrap admin user is read from KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD, not KC_ADMIN*
ENV KC_ADMIN=admin
ENV KC_ADMIN_PASSWORD=xxx
# build-time options: set only in the runtime stage, they make the server re-augment at startup
ENV KC_FEATURES=admin-fine-grained-authz
ENV KC_CACHE=local
# edge: the proxy terminates TLS and Keycloak trusts its X-Forwarded-* headers
ENV KC_PROXY=edge
# WildFly-era image variables, not read by the Quarkus distribution (KC_PROXY / KC_DB_URL_PROPERTIES are the equivalents)
ENV PROXY_ADDRESS_FORWARDING=true
ENV JDBC_PARAMS="useSSL=true&allowPublicKeyRetrieval=true&connectTimeout=50000"
# the JVM reads JAVA_TOOL_OPTIONS; jboss.as.* properties are WildFly-only and have no effect here
ENV JAVA_TOOLS_OPTIONS="-Djboss.as.management.blocking.timeout=30000"
ENV JAVA_OPTIONS="-Djboss.as.management.blocking.timeout=6000"
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
While staging is working fine, we are experiencing problems on develop.
In application code we use keycloak-js and call keycloak.login()
to open the Keycloak-hosted login page. This page sets two cookies: AUTH_SESSION_ID_LEGACY and KC_RESTART. On clicking the login button these cookies are supposed to get sent (that's at least what happens on staging), but they are not getting sent on develop. This leads to a "Cookie not found. Please make sure cookies are enabled in your browser." error.
The problem is unrelated to browser settings since it's happening everywhere and for everyone. The cookies' Secure / SameSite options seem correct.
What could be a reason for Keycloak not sending the cookies?
I have tried playing around with all the options in the Keycloak Dockerfile.
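A check worth running before touching the Dockerfile again: take the exact Set-Cookie headers the develop login page returns (e.g. from the browser's network tab or `curl -i`) and work out which of them a browser would actually keep and attach to the login form POST on an http:// page. The script below is an added example, not code from the post or from Keycloak; the SAMPLE_HEADERS are constructed to look like a Keycloak 21 login response (realm name `tediro` and the cookie values are assumptions), and the rules it applies are the browser cookie rules: a Secure cookie set over plain http is dropped, SameSite=None without Secure is rejected, and the cookie Path must cover the request path.

```python
"""Offline audit: which Set-Cookie headers from a login page would a browser
store and send back with the login form POST?

Added example, not code from the original post or from Keycloak. The
SAMPLE_HEADERS below are constructed to look like a Keycloak 21 login
response; realm name and cookie values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None  # "None", "Lax", "Strict" or missing


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265); attribute names are case-insensitive,
    unknown attributes such as Version=1 are ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val:
            c.path = val
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.httponly = True
        elif key == "samesite":
            c.samesite = val.capitalize()  # "none" -> "None"
    return c


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_be_sent(c: Cookie, page_scheme: str, request_path: str) -> Tuple[bool, str]:
    """Would a current browser store a cookie set by a page loaded over page_scheme
    and attach it to a same-site request to request_path?"""
    if c.samesite == "None" and not c.secure:
        return False, "SameSite=None without Secure is rejected by current browsers"
    if c.secure and page_scheme != "https":
        return False, "Secure cookie set over plain http is dropped"
    if not path_matches(c.path, request_path):
        return False, f"Path={c.path} does not cover {request_path}"
    return True, "stored and sent"


def audit(headers: List[str], page_scheme: str, request_path: str) -> Dict[str, Tuple[bool, str]]:
    """Map each cookie name to (sent?, reason) for a list of Set-Cookie header values."""
    return {c.name: would_be_sent(c, page_scheme, request_path)
            for c in map(parse_set_cookie, headers)}


# Constructed sample (assumption): shape of the cookies a Keycloak login page sets.
SAMPLE_HEADERS = [
    "AUTH_SESSION_ID=abc123.node1; Version=1; Path=/realms/tediro/; SameSite=None; Secure; HttpOnly",
    "AUTH_SESSION_ID_LEGACY=abc123.node1; Version=1; Path=/realms/tediro/; Secure; HttpOnly",
    "KC_RESTART=eyJhbGci...; Version=1; Path=/realms/tediro/; Secure; HttpOnly",
]
# where the login form POSTs to (assumed realm name)
LOGIN_POST = "/realms/tediro/login-actions/authenticate"

if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(f"== login page loaded over {scheme} ==")
        for name, (sent, why) in audit(SAMPLE_HEADERS, scheme, LOGIN_POST).items():
            print(f"{'SENT' if sent else 'DROPPED':8} {name}: {why}")
```

With the sample headers every cookie survives on https but all three are dropped on http, which is exactly the "Cookie not found" symptom; replacing SAMPLE_HEADERS with the headers captured from develop tells you whether the Secure flag (or a Path/SameSite mismatch) is what the browser is objecting to, independent of any Keycloak option.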