Keycloak Docker HTTPS required
Update Feb 2022:
Keycloak 17+ (e.g. quay.io/keycloak/keycloak:17.0.0) doesn't support autogeneration of a self-signed cert. Minimal HTTPS working example for Keycloak 17+:
1.) Generate a self-signed domain cert/key (follow the instructions on your terminal):
openssl req -newkey rsa:2048 -nodes \
-keyout server.key.pem -x509 -days 3650 -out server.crt.pem
2.) Update permissions for the key
chmod 755 server.key.pem   # the non-root keycloak user inside the container must be able to read the key
3.) Start Keycloak (use volumes for cert/key):
docker run \
--name keycloak \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=password \
-e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem \
-e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem \
-v $PWD/server.crt.pem:/opt/keycloak/conf/server.crt.pem \
-v $PWD/server.key.pem:/opt/keycloak/conf/server.key.pem \
-p 8443:8443 \
quay.io/keycloak/keycloak:17.0.0 \
start-dev
Keycloak will be exposed on port 8443 with HTTPS with this setup. If you also use a proxy (e.g. nginx), you will need to configure the env variable KC_PROXY properly as well (e.g. KC_PROXY=edge). Of course, you can also use the keycloak.conf file instead of env variables.
Old answer for Keycloak up to 16.1.1 and Keycloak legacy 17+:
Publish port 8443 (HTTPS) and use it instead of 8080 (HTTP):
docker run \
--name keycloak \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-p 8443:8443 \
jboss/keycloak
Keycloak generates a self-signed cert for HTTPS in this setup. Of course, this is not a production setup.
Update
Use volumes for own TLS certificate:
-v /<path>/tls.crt:/etc/x509/https/tls.crt \
-v /<path>/tls.key:/etc/x509/https/tls.key \
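The Keycloak 17+ steps above as one script, with the two checks worth running before trusting the result: that the generated key actually belongs to the certificate, and that the certificate served on 8443 is the one that was mounted. This is an added example, not code from the answer or from the Keycloak project. It assumes openssl (1.1.1 or newer, for -addext), docker and curl on PATH, that the quay.io/keycloak image runs as uid 1000, and that the admin password is supplied in KEYCLOAK_ADMIN_PASSWORD; KC_PROXY_MODE and CERT_DIR are variables of this script only.

```sh
#!/bin/sh
# Added example, not from the original answer: the Keycloak 17+ HTTPS procedure
# as a script plus sanity checks. Assumptions (not on the page): openssl >= 1.1.1,
# docker and curl on PATH; the quay.io/keycloak image runs as uid 1000.
set -eu

CERT_DIR="${CERT_DIR:-$PWD/kc-tls}"   # where cert, key and keycloak.conf are written
CN="${CN:-localhost}"                 # hostname the cert is issued for (assumed)

# Step 1: self-signed cert and key, non-interactively (subject on the command
# line; a SAN is added because modern clients ignore the CN when matching names).
gen_cert() {
  mkdir -p "$CERT_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$CN" -addext "subjectAltName=DNS:$CN" \
    -keyout "$CERT_DIR/server.key.pem" -out "$CERT_DIR/server.crt.pem" 2>/dev/null
}

# Check: the key really belongs to the cert (identical SubjectPublicKeyInfo).
key_matches_cert() {
  [ "$(openssl pkey -in "$CERT_DIR/server.key.pem" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$CERT_DIR/server.crt.pem" -noout -pubkey)" ]
}

# Step 2: the container user only needs READ access to the key. The answer uses
# chmod 755; owner uid 1000 with mode 640 is enough and keeps the private key
# neither world-readable nor executable. Falls back to 644 when chown is not
# permitted (non-root host user).
fix_perms() {
  chmod 644 "$CERT_DIR/server.crt.pem"
  if chown 1000 "$CERT_DIR/server.key.pem" 2>/dev/null; then
    chmod 640 "$CERT_DIR/server.key.pem"
  else
    chmod 644 "$CERT_DIR/server.key.pem"
  fi
}

# keycloak.conf equivalent of the KC_* env variables mentioned in the answer.
# KC_PROXY_MODE is this script's variable: none|edge|reencrypt|passthrough.
write_conf() {
  cat > "$CERT_DIR/keycloak.conf" <<EOF
https-certificate-file=/opt/keycloak/conf/server.crt.pem
https-certificate-key-file=/opt/keycloak/conf/server.key.pem
proxy=${KC_PROXY_MODE:-none}
EOF
}

# Step 3: start Keycloak detached, with the files mounted read-only.
run_keycloak() {
  docker run -d --name keycloak \
    -e KEYCLOAK_ADMIN=admin \
    -e KEYCLOAK_ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:?set a real admin password}" \
    -v "$CERT_DIR/server.crt.pem:/opt/keycloak/conf/server.crt.pem:ro" \
    -v "$CERT_DIR/server.key.pem:/opt/keycloak/conf/server.key.pem:ro" \
    -v "$CERT_DIR/keycloak.conf:/opt/keycloak/conf/keycloak.conf:ro" \
    -p 8443:8443 quay.io/keycloak/keycloak:17.0.0 start-dev
}

# Check: the cert served on 8443 is the mounted one (equal SHA-256 fingerprints),
# i.e. Keycloak is not serving some stale or default certificate.
served_fingerprint() {   # $1 = host:port
  openssl s_client -connect "$1" -servername "$CN" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
local_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$CERT_DIR/server.crt.pem" | cut -d= -f2
}
verify_served_cert() {
  [ "$(served_fingerprint "${1:-localhost:8443}")" = "$(local_fingerprint)" ]
}

main() {
  gen_cert
  key_matches_cert
  fix_perms
  write_conf
  run_keycloak
  sleep 20   # startup time for dev mode (assumed; adjust for your host)
  if verify_served_cert localhost:8443; then
    echo "served cert matches $CERT_DIR/server.crt.pem"
  else
    echo "MISMATCH: 8443 is not serving the mounted certificate" >&2; exit 1
  fi
  curl -sk -o /dev/null -w 'admin console: HTTP %{http_code}\n' https://localhost:8443/admin/
}

# Run the whole procedure only when invoked as: sh kc-https.sh all
if [ "${1:-}" = "all" ]; then main; fi
```

The fingerprint comparison is the check that matters after a restart or a certificate rotation: a mismatch means the file in the container is not what you think it is, and curl -k would happily hide that.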
This was a solution that also granted access to the admin console with no security when using https://hub.docker.com/r/jboss/keycloak/ as a starting point and DigitalOcean as the service provider:
Start container:
$ docker run {containerName}
Open bash for container:
$ docker exec -it {containerName} bash
Move to:
$ cd keycloak/bin
Create a new admin user with:
$ ./add-user-keycloak.sh --server http://{IP}:8080/admin \
    --realm master --user admin --password newpassword
(not add-user.sh as suggested in many places)
Restart the droplet in DigitalOcean etc. to activate the admin user created prior to the shutdown. After restarting the droplet, log in with:
$ ./kcadm.sh config credentials --server http://localhost:8080/auth \
    --realm master --user admin
Change the SSL settings on the realm:
$ ./kcadm.sh update realms/master -s sslRequired=NONE
This solution does not create any security but allows you to access the Admin console.
After this it is suggested to start working on this: https://www.keycloak.org/docs/latest/server_installation/index.html#setting-up-https-ssl
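Once HTTPS is in place, the sslRequired=NONE workaround from this answer needs to be reverted, and it is worth verifying that the realm really reports the new value rather than trusting that the update command returned. The script below is an added example, not part of the answer or of Keycloak's own tooling. It assumes kcadm.sh at the legacy image path /opt/jboss/keycloak/bin (on 17+ it is /opt/keycloak/bin/kcadm.sh), the /auth context path of the legacy image, and that, for a self-signed certificate, a truststore has already been registered with `kcadm.sh config truststore`; KCADM and SERVER are variables of this script only.

```sh
#!/bin/sh
# Added example, not from the original answer: revert sslRequired on the master
# realm after HTTPS works and confirm the change. Assumptions: legacy image
# paths (/opt/jboss/keycloak/bin, /auth), kcadm already trusts the server cert.
set -eu

KCADM="${KCADM:-/opt/jboss/keycloak/bin/kcadm.sh}"
SERVER="${SERVER:-https://localhost:8443/auth}"

# Pull the sslRequired value out of the JSON kcadm prints, e.g.
# { "sslRequired" : "none" } (possibly spread over several lines).
ssl_required_from_json() {
  sed -n 's/.*"sslRequired" *: *"\([A-Za-z]*\)".*/\1/p'
}

current_ssl_required() {
  "$KCADM" get realms/master --fields sslRequired | ssl_required_from_json
}

# Keycloak's valid values (case-insensitive on input, reported lowercase):
#   none     - the workaround above, HTTP allowed everywhere
#   external - the default: HTTPS required for non-private addresses
#   all      - HTTPS required for every request
is_valid_ssl_required() {
  case "$(printf %s "$1" | tr 'A-Z' 'a-z')" in
    none|external|all) return 0 ;;
    *) return 1 ;;
  esac
}

# Set sslRequired on master and verify the realm really reports the new value.
set_ssl_required() {
  want=$(printf %s "$1" | tr 'A-Z' 'a-z')
  is_valid_ssl_required "$want" || { echo "bad sslRequired value: $1" >&2; return 2; }
  "$KCADM" update realms/master -s "sslRequired=$want"
  [ "$(current_ssl_required)" = "$want" ]
}

main() {
  "$KCADM" config credentials --server "$SERVER" --realm master --user admin
  echo "before: $(current_ssl_required)"
  set_ssl_required "${1:-external}"
  echo "after:  $(current_ssl_required)"
}

# Usage: sh kc-ssl-required.sh apply [none|external|all]   (default: external)
if [ "${1:-}" = "apply" ]; then shift; main "$@"; fi
```

Reading the value back after the update is the point: if the login in `config credentials` silently went to a different server or realm, the update would still "succeed" and the admin console would stay reachable over plain HTTP.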