
Loading the Admin Console fails when using --hostname which is different than --hostname-admin #42264

@slaskawi

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

account/ui

Describe the bug

We're in the process of hardening the Keycloak instance for the UDS platform, where we'd like to lock down the hostnames used in the well-known OIDC configuration.

Our installation separates the UDS and Master realms via Tenant and Admin Gateways. In practice this means that all the users should use https://sso.uds.dev and the admin is typically served at https://keycloak.admin.uds.dev.

What's important here: note that sso.uds.dev and keycloak.admin.uds.dev are separate origins in the CSP sense.

When using --hostname=https://sso.uds.dev and --hostname-admin=https://keycloak.admin.uds.dev, the Admin Console doesn't load up and gets stuck on "Loading the Admin Console". The JavaScript debug shows the following error:

Refused to frame 'https://sso.uds.dev/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Just to confirm it's a matter of the frame-ancestors 'self', I removed it from the Security Defenses but this ended up with another error:

Refused to frame 'https://sso.uds.dev/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Version

nightly

Regression

  • The issue is a regression

Expected behavior

It should be possible to separate tenant and admin hostnames with both --hostname and --hostname-admin flags.

Actual behavior

The Admin Console can't load. Although it's worth calling out that I can't get an Access Token via the Resource Owner Password Credentials grant. So it's only a matter of UI.

How to Reproduce?

I have a stable reproducer in the UDS Platform. Here's how to do it:

  1. [5 mins] Follow UDS Platform pre-requisites: https://uds.defenseunicorns.com/getting-started/basic-requirements/
  2. [5 mins] Follow steps 1 and 2 from the Installation guide: https://uds.defenseunicorns.com/getting-started/install-and-deploy-uds/
  3. Once UDS is installed (usually takes up to 10 mins), modify the Keycloak StatefulSet (using k9s for example) and add the following parameters to Keycloak bootstrap params:
        - --hostname=https://sso.uds.dev
        - --hostname-admin=https://keycloak.admin.uds.dev
  4. Once Keycloak Pods are restarted, navigate to https://keycloak.admin.uds.dev and observe the failure.

Anything else?

No response
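An added check, not from this issue or from Keycloak, that evaluates a Content-Security-Policy `frame-ancestors` directive against the two origins from the report: it shows why `'self'` refuses the admin host and which source entry the header would need. The header values are constructed, and the matching is a simplified form of the CSP3 rules (strict scheme and port comparison).

```python
from __future__ import annotations

def parse_origin(value: str, default_scheme: str = "https") -> tuple[str, str, int]:
    """Reduce a URL or CSP host-source to (scheme, host, port), filling in defaults."""
    value = value.lower()
    if "://" in value:
        scheme, rest = value.split("://", 1)
    else:
        scheme, rest = default_scheme, value   # host-source without scheme inherits the page's
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme, host, int(port) if port else (443 if scheme == "https" else 80)

def frame_ancestors_sources(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source: str, ancestor: tuple, page: tuple) -> bool:
    """Match one source expression against the ancestor (embedding) origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == page                 # same scheme, host and port as the framed page
    if src == "*":
        return True
    if src in ("https:", "http:"):              # scheme-source
        return ancestor[0] == src[:-1]
    scheme, host, port = parse_origin(src, page[0])   # host-source
    if (scheme, port) != (ancestor[0], ancestor[2]):
        return False
    if host.startswith("*."):                   # "*.uds.dev" matches any subdomain of uds.dev
        return ancestor[1].endswith(host[1:])
    return ancestor[1] == host

def framing_allowed(csp: str, page_url: str, ancestor_url: str) -> bool:
    """True if ancestor_url may embed page_url under the given CSP header value."""
    sources = frame_ancestors_sources(csp)
    if sources is None:
        return True                             # no directive: CSP imposes no framing limit
    page, ancestor = parse_origin(page_url), parse_origin(ancestor_url)
    return any(source_matches(s, ancestor, page) for s in sources)

# Constructed header values mirroring the report: 'self' alone refuses the admin origin.
PAGE, ADMIN = "https://sso.uds.dev/", "https://keycloak.admin.uds.dev"
DEFAULT_CSP = "frame-src 'self'; frame-ancestors 'self'; object-src 'none'"
WIDENED_CSP = "frame-src 'self'; frame-ancestors 'self' https://keycloak.admin.uds.dev; object-src 'none'"
```

Running `framing_allowed(DEFAULT_CSP, PAGE, ADMIN)` reproduces the refusal from the error above, while the widened header admits the admin origin.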
