Restricting access to the Keycloak Admin Console


According to Keycloak docs, each realm has a dedicated Admin Console that can be accessed by going to the URL /auth/admin/{realm-name}/console.

I think you could block this URL for external access, keeping attention on other URIs that may be used for the Keycloak REST API and for the external modules that external apps could download as well (like the JavaScript module). The same approach could also be applied to the JBoss EAP admin console at the default port 9990.

JBoss EAP has additional features that could be used for blocking a specific IP range or restricting access only to the local server.

You can also apply a specific undertow filter to block external access. See example below:

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
            <filter-ref name="proxy-peer" />
            <filter-ref name="restrict-admin-console-access" />
            <access-log pattern="%h %l %u [%t] &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot;" />
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core" />
        <request-limit name="limit-connections" queue-size="100" max-concurrent-requests="1200" />
        <filter name="proxy-peer" module="io.undertow.core" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" />
        <expression-filter module="io.undertow.core" name="restrict-admin-console-access" expression="path-prefix(/auth/admin/master/console/) -&gt; ip-access-control(default-allow=false, acl={'127.0.0.1 allow'})" />
    </filters>
</subsystem>

Reference: https://access.redhat.com/solutions/18412
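A configuration-audit check for the lockdown described above, added here as an example (it is not code from the original answer). It parses the undertow subsystem, confirms the ip-access-control filter is both defined and referenced by a host, and flags two things a practitioner otherwise checks by hand: whether the path-prefix covers all of /auth/admin/ (other realms' consoles and the admin REST API live there too), and whether the proxy-peer filter is active, in which case the ACL evaluates the address taken from X-Forwarded-For. Assumptions: the legacy /auth context path and the element names used in the configuration above; the embedded XML is a constructed, trimmed copy of it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relevant parts of the undertow subsystem shown above.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <filter-ref name="proxy-peer"/>
      <filter-ref name="restrict-admin-console-access"/>
    </host>
  </server>
  <filters>
    <filter name="proxy-peer" module="io.undertow.core"
            class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
    <expression-filter module="io.undertow.core" name="restrict-admin-console-access"
      expression="path-prefix(/auth/admin/master/console/) -&gt; ip-access-control(default-allow=false, acl={'127.0.0.1 allow'})"/>
  </filters>
</subsystem>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element tag

def audit_admin_console_lockdown(xml_text):
    """Return findings about the ip-access-control lockdown in an undertow subsystem."""
    elems = list(ET.fromstring(xml_text).iter())
    refs = {e.get("name") for e in elems if _local(e.tag) == "filter-ref"}
    f = {"acl_filter": None, "acl_active": False, "prefixes": [],
         "proxy_peer_active": False, "warnings": []}
    for e in elems:
        tag, expr = _local(e.tag), e.get("expression", "")
        if tag == "expression-filter" and "ip-access-control" in expr:
            f["acl_filter"] = e.get("name")
            f["acl_active"] = e.get("name") in refs      # defined AND referenced by a host
            f["prefixes"] = re.findall(r"path-prefix\(\s*'?([^)'\s]+)'?\s*\)", expr)
        if tag == "filter" and "ProxyPeerAddressHandler" in e.get("class-name", "") \
                and e.get("name") in refs:
            f["proxy_peer_active"] = True
    if f["acl_filter"] is None:
        f["warnings"].append("no ip-access-control expression-filter defined")
    elif not f["acl_active"]:
        f["warnings"].append("ACL filter defined but no host references it")
    elif not any(p.rstrip("/") == "/auth/admin" for p in f["prefixes"]):
        f["warnings"].append("ACL prefix %s does not cover all of /auth/admin/: other realms' "
                             "consoles and the admin REST API stay reachable" % f["prefixes"])
    if f["proxy_peer_active"]:
        f["warnings"].append("proxy-peer is active: the ACL sees the X-Forwarded-For address, "
                             "so it is only as trustworthy as the proxy setting that header")
    return f
```

Run it against a real standalone.xml by passing the file contents to audit_admin_console_lockdown; an empty warnings list means the filter is active, covers the whole admin path, and is not fed a forwarded address.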


Author: K. Hudson

Updated on June 04, 2022

Comments

  • K. Hudson (almost 2 years ago)

    Is there any way to configure Keycloak 2.2.1 so that the admin console is not accessible from a remote IP?

    Basically, I'd like to set it up like the Wildfly admin console where you can access it locally on the server but cannot access it remotely.