Authentication directing to keycloak administration console, not user auth

Hi All,

I am setting up another OOD instance using keycloak 12.0.4. Previously, Keycloak was listening on 8443 and that would then lead to the Admin console for Keycloak. Then normal 443 traffic would go to keycloaks user login page. Now that keycloak is listening on 443 normally, when going to the root of the website it forwards to xxx/auth which is the Admin console and does not forward to the user login page.

Is the port listening change unrelated? Been through the configs a millions times, pretty sure I have them correct…

This is the 4th time I have setup keycloak but I am stumped here. I know this is a bit vague but anyone have any ideas?


This was due to a misreading of the documentation. Documentation states 2 different servers with unique dns, one for ood server and one for idp. Was confusing with old method which ran OOD and Keycloak on same fqdn and just ran keycloak off of port 8443 and then redirected to ood at 443.


Any recommendations on how we might change the documentation to avoid a problem like this in the future? Perhaps a big yellow warning bubble somewhere in the documentation?

Hi Efranz,

Not sure if new users will run into this as the beginning is pretty clear that the assumption of keycloak answering on domain and OOD being on domain. I was blowing through this deployment like I did for v1.6 (previously most recent version I have deployed) and didn’t notice that change. I take the onus on this one for being lazy and not reading the change logs (good thing I don’t run arch).

While I agree the proper way to deploy keycloak with OOD is to have 2 hosts or at least separate domains, you may want add in a section about how to do it the old way with keycloak on 8443 and ood on 443 on the same host. FWIW, I am still deploying this way as I have yet to spin up a central keycloak that can authenticate to multiple ood’s.

Unrelated to this but there in the upcoming keycloak 13.x.x release there is going to be a method for making an authentication flow that does read-only ldap but will not make a local keycloak user if the user does not exist in ldap. The work around in the old days was to just make a user in keycloak which would then fail when sent back to OOD but this would sometimes result in users having clashes in keycloak if they tried signing in with OOD before I made their account and would require me to go and manually remove the auto created one in keycloak after making their cluster account so they could then log into OOD successfully. I can write up a post if you think others might need this. God knows I have banged my head on keycloak enough at this point…