Backup & Restore Keycloak Easy Way

I was looking for a solution this morning and figured out that this can be pretty handy.

  1. Run command below:
    ./bin/standalone.sh \
    -Dkeycloak.migration.action=export \
    -Dkeycloak.migration.provider=singleFile \
    -Dkeycloak.migration.file=keycloak-backup.json
    

    In my case, I overrode a few parameters because my Keycloak is already running.

    ./bin/standalone.sh -P ./standalone/configuration/standalone.properties \
    -Djboss.http.port=8090 \
    -Djboss.https.port=8098 \
    -Djboss.management.http.port=8990 \
    -Djboss.management.https.port=8993 \
    -Dkeycloak.migration.action=export \
    -Dkeycloak.migration.provider=singleFile \
    -Dkeycloak.migration.file=keycloak-backup.json

     

  2. Once you get the backup file, you can selectively import from your admin console.

Source: https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import

 

Deploy Keycloak With Custom Context Path in Kubernetes With Ingress

I am new to this and spent a day figuring it out; perhaps this will help some of you.

1. Prepare your k8s template yaml.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /<CUSTOM_CONTEXT_PATH>/auth/
  name: keycloak-ingress
spec:
  rules:
  - host: myhost.com
    http:
      paths:
      - path: /<CUSTOM_CONTEXT_PATH>/auth/
        backend:
          serviceName: keycloak-service
          servicePort: 9000
  tls:
  - hosts:
    - myhost.com
    secretName: keycl-secret

2. Update web-context in <KEYCLOAK_HOME>/standalone/configuration/standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode.

<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    ...
    <web-context><CUSTOM_CONTEXT_PATH>/auth/</web-context>
    <providers>
        <provider>classpath:${jboss.home.dir}/providers/*</provider>
    </providers>
    ...
</subsystem>

3. Add proxy-address-forwarding under http-listener in <KEYCLOAK_HOME>/standalone/configuration/standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode.

<subsystem xmlns="urn:jboss:domain:undertow:6.0">
    ...
    <http-listener name="default" socket-binding="http"
        proxy-address-forwarding="true"/>
    ...
</subsystem>

4. Update index.html in <KEYCLOAK_HOME>/welcome-content/index.html

<html>
<head>
    <meta http-equiv="refresh" content="0; url=/<CUSTOM_CONTEXT_PATH>/auth/" />
    <meta name="robots" content="noindex, nofollow">
    <script type="text/javascript">
        window.location.href = "/<CUSTOM_CONTEXT_PATH>/auth/"
    </script>
</head>
<body>
    If you are not redirected automatically, follow this <a href='/<CUSTOM_CONTEXT_PATH>/auth/'>link</a>.
</body>
</html>

source: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy

 

Keycloak Invalid parameter: redirect_uri

In case you are also facing the same issue, you may try the 2 approaches below:

1. If you are using Ingress in Kubernetes, you may need to add proxy-address-forwarding as below in standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode.

2. Set '*' for Valid Redirect URL (this is a temporary hack; I am still figuring out why)

Credit to
https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
https://stackoverflow.com/questions/45352880/keycloak-invalid-parameter-redirect-uri?rq=1
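
An added example (not part of the original posts, and not Keycloak's own tooling): a check that reads the keycloak-backup.json produced by the export in the first post and lists clients whose redirect URI is still the '*' workaround or another wildcard, plus the clients whose secret is stored in the file. The field names (`realm`, `clients`, `clientId`, `redirectUris`, `secret`, `enabled`) are assumed from Keycloak's realm export JSON, and the sample data is constructed.

```python
import json

# Constructed sample shaped like a singleFile export: a list of realms, each
# with a "clients" list. Field names are assumed from Keycloak's realm JSON.
SAMPLE_EXPORT = json.dumps([{"realm": "demo", "clients": [
    {"clientId": "portal", "enabled": True, "secret": "constructed-value",
     "redirectUris": ["*"]},
    {"clientId": "reports", "enabled": True,
     "redirectUris": ["http://myhost.com/reports/*"]},
    {"clientId": "api", "redirectUris": ["https://myhost.com/api/callback"]},
    {"clientId": "old-app", "enabled": False, "redirectUris": ["https://*"]},
]}])

def classify(uri):
    """Label a redirect URI pattern, or return None when it is an exact URI."""
    uri = uri.strip()
    if uri in ("*", "http://*", "https://*"):
        return "no-host-pinned"      # the '*' workaround from the post
    if uri.endswith("*") and uri.lower().startswith("http://"):
        return "wildcard-over-http"  # wildcard on an unencrypted origin
    if "*" in uri:
        return "wildcard"
    return None

def load_realms(export_text):
    """Accept either one realm object or a list of realms."""
    data = json.loads(export_text)
    return data if isinstance(data, list) else [data]

def audit_redirects(export_text):
    """Return (realm, clientId, uri, label, enabled) for every non-exact URI."""
    findings = []
    for realm in load_realms(export_text):
        for client in realm.get("clients") or []:
            for uri in client.get("redirectUris") or []:
                label = classify(uri)
                if label:
                    findings.append((realm.get("realm"), client.get("clientId"),
                                     uri, label, client.get("enabled", True)))
    return findings

def clients_with_secrets(export_text):
    """Client IDs whose secret sits in the file, so the backup needs tight access."""
    return [c.get("clientId") for r in load_realms(export_text)
            for c in r.get("clients") or [] if c.get("secret")]

if __name__ == "__main__":
    print(audit_redirects(SAMPLE_EXPORT), clients_with_secrets(SAMPLE_EXPORT))
```

To run it against a real backup, pass the contents of keycloak-backup.json to `audit_redirects` in place of `SAMPLE_EXPORT`.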