diff --git a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc index 6abf8cfc86..d10c09e34e 100644 --- a/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc @@ -80,6 +80,12 @@ In order to dynamically resolve it from request headers, you need to set the `ho For more details and more comprehensive scenarios, see https://www.keycloak.org/server/hostname[Configuring the hostname (v2)]. +== `security-admin-console` Client Redirect URIs + +The handling of the `${authAdminUrl}` has changed in hostname v1. Previously with hostname v1 the admin URL was resolved dynamically from the request if the `hostname-admin` or `hostname-admin-url` options were not set. With hostname v2 the admin URL will default instead to the frontend URL. +If the `hostname` option is set and `hostname-strict` is true, this change will prevent redirect URIs with alternative hostnames from working for Clients using the Root URL `${authAdminUrl}`. +You should consider using the `hostname-admin` option instead of the redirect URIs to allow a single alternative hostname. Alternative hostname redirects should be removed as the `security-admin-console` Client only needs the default redirect URI of `/admin/master/console/*` with Root URL of `${authAdminUrl}`. + = Persistent user sessions Previous versions of {project_name} stored only offline user and offline client sessions in the databases. diff --git a/docs/guides/server/hostname.adoc b/docs/guides/server/hostname.adoc index 23a25249ac..2daeb3b40d 100644 --- a/docs/guides/server/hostname.adoc +++ b/docs/guides/server/hostname.adoc 
@@ -46,15 +46,17 @@ As you can observe, the HTTPS protocol is the default choice, adhering to {proje The result of this configuration is that you can continue to access {project_name} at `https://my.keycloak.org` via HTTPS, while the proxy interacts with the instance using HTTP and port `8080`. -== Relying on a trusted proxy for the dynamic hostname resolution +== Relying on a trusted proxy for dynamic URL resolution -If you fully trust your proxy, which correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows: +If you fully trust your proxy, the `proxy-headers` option is used to dynamically resolve the URL. + +For example if your reverse proxy correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows: <@kc.start parameters="--hostname-strict false --proxy-headers forwarded"/> With this configuration, the server respects the value set by the Forwarded header. This also implies that all endpoints are dynamically resolved. -The `proxy-headers` option can be also used to resolve the URL partially dynamically when `hostname` option is not specified as a full URL. For example: +The `proxy-headers` option can be also used to resolve the URL partially dynamically when the `hostname` option is not specified as a full URL. For example: <@kc.start parameters="--hostname my.keycloak.org --proxy-headers xforwarded"/>
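Review bot: In the first hunk (changes-25_0_0.adoc), the opening sentence of the new `security-admin-console` section contradicts the sentences that follow it: "The handling of the `${authAdminUrl}` has changed in hostname v1." states that v1 changed, while the next two sentences describe v1 as the previous behaviour and v2 as the new default ("With hostname v2 the admin URL will default instead to the frontend URL"). Suggest "The handling of `${authAdminUrl}` has changed in hostname v2." (also dropping the stray "the" before the backticked placeholder). Two smaller points in the same paragraph: the section is added as a level-2 heading directly above the `= Persistent user sessions` level-1 heading, so double-check it is intended to live inside the hostname v2 section rather than as its own top-level entry, and the guidance "Alternative hostname redirects should be removed as the `security-admin-console` Client only needs the default redirect URI of `/admin/master/console/*`" would read more clearly as a concrete migration step, for example "Remove any additional redirect URIs from the `security-admin-console` client; only `/admin/master/console/*` with the Root URL `${authAdminUrl}` is required", since trimming that list is also what keeps the admin console's redirect surface minimal.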
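Review bot: In the second hunk (hostname.adoc), the new sentence "If you fully trust your proxy, the `proxy-headers` option is used to dynamically resolve the URL." is grammatically off and reads as a statement of fact rather than an instruction; suggest "If you fully trust your proxy, the `proxy-headers` option can be used to resolve the URL dynamically." The following sentence also needs a comma after "For example". More importantly, since the hunk explicitly conditions this on the proxy being fully trusted and states that "the server respects the value set by the Forwarded header", the prose should say what "trust" means here: the proxy must overwrite (not pass through) any `Forwarded` or `X-Forwarded-*` headers supplied by the client, because with `--hostname-strict false --proxy-headers forwarded` every endpoint URL is derived from those headers. One sentence to that effect after "This also implies that all endpoints are dynamically resolved." would make the caveat explicit for operators copying the example.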