fix: adding docs around client redirect uris and hostname-strict (#32101)

* fix: adding docs around admin client redirect uris and hostname-strict

closes: #31640

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

* Update docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Steven Hawkins 2024-08-21 10:19:30 -04:00 committed by GitHub
parent d9a92f5de3
commit 087647dab3
GPG key ID: B5690EEEBB952194
2 changed files with 11 additions and 3 deletions


@ -80,6 +80,12 @@ In order to dynamically resolve it from request headers, you need to set the `ho
For more details and more comprehensive scenarios, see https://www.keycloak.org/server/hostname[Configuring the hostname (v2)].
== `security-admin-console` Client Redirect URIs
The handling of the `${authAdminUrl}` has changed in hostname v1. Previously with hostname v1 the admin URL was resolved dynamically from the request if the `hostname-admin` or `hostname-admin-url` options were not set. With hostname v2 the admin URL will default instead to the frontend URL.
If the `hostname` option is set and `hostname-strict` is true, this change will prevent redirect URIs with alternative hostnames from working for Clients using the Root URL `${authAdminUrl}`.
You should consider using the `hostname-admin` option instead of the redirect URIs to allow a single alternative hostname. Alternative hostname redirects should be removed as the `security-admin-console` Client only needs the default redirect URI of `/admin/master/console/*` with Root URL of `${authAdminUrl}`.
= Persistent user sessions
Previous versions of {project_name} stored only offline user and offline client sessions in the databases.
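Review bot: the opening sentence of the new section, "The handling of the `${authAdminUrl}` has changed in hostname v1.", contradicts the two sentences that follow it, which describe hostname v1 as the previous behaviour (admin URL resolved dynamically from the request) and hostname v2 as the new one (admin URL defaults to the frontend URL); it should read "has changed with hostname v2" or "between hostname v1 and hostname v2". The closing guidance is the right one from a security standpoint, since keeping the `security-admin-console` Client at the single default redirect URI `/admin/master/console/*` under Root URL `${authAdminUrl}` leaves fewer accepted redirect hosts, so consider phrasing it as a direct instruction ("Remove alternative hostname redirect URIs and use `hostname-admin` if you need one alternative hostname") rather than "should be removed". Minor: "Clients" is capitalised inconsistently with "client" elsewhere in these docs.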


@ -46,15 +46,17 @@ As you can observe, the HTTPS protocol is the default choice, adhering to {proje
The result of this configuration is that you can continue to access {project_name} at `https://my.keycloak.org` via HTTPS, while the proxy interacts with the instance using HTTP and port `8080`.
== Relying on a trusted proxy for the dynamic hostname resolution
== Relying on a trusted proxy for dynamic URL resolution
If you fully trust your proxy, which correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows:
If you fully trust your proxy, the `proxy-headers` option is used to dynamically resolve the URL.
For example if your reverse proxy correctly sets the Forwarded header, and you don't want to hardcode the hostname, {project_name} can accommodate this. You simply need to initiate the server as follows:
<@kc.start parameters="--hostname-strict false --proxy-headers forwarded"/>
With this configuration, the server respects the value set by the Forwarded header. This also implies that all endpoints are dynamically resolved.
The `proxy-headers` option can be also used to resolve the URL partially dynamically when `hostname` option is not specified as a full URL. For example:
The `proxy-headers` option can be also used to resolve the URL partially dynamically when the `hostname` option is not specified as a full URL. For example:
<@kc.start parameters="--hostname my.keycloak.org --proxy-headers xforwarded"/>
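Review bot: the new general sentence "If you fully trust your proxy, the `proxy-headers` option is used to dynamically resolve the URL." is the line readers will act on, but the safety qualifier about the proxy correctly setting the Forwarded header now lives only in the "For example" sentence below it; since `--hostname-strict false --proxy-headers forwarded` makes the server take its hostname from the header for every endpoint (as "This also implies that all endpoints are dynamically resolved" says), suggest stating in the general sentence that `proxy-headers` must only be enabled when the proxy itself sets the header and overwrites any forwarding header supplied by the client. Wording: "For example if your reverse proxy" needs a comma after "For example", and "can be also used" in the retained line reads better as "can also be used".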