Both HOST and KEYCLOAK_HOST are set up for the local domain of the server running docker.
The issue I see is if I navigate to http://xxx.xxx.lan:8070/ (Web Modeler webapp), then it does forward to Identity and tries to log the ‘demo’ user in, but the redirect_uri is for some reason wrongly ‘redirect_uri=http://localhost:8070/login-callback’, namely this:
The docker-compose.yaml file does include the environment variable KEYCLOAK_INIT_WEBMODELER_ROOT_URL: http://${HOST}:8070 by default.
I do see in Identity the application of Web Modeler configured with Redirect URIs http://xxx.xxx.lan:8070/login-callback
I would suspect that the web-modeler-webapp service is the culprit… The YAML file is hardcoding the ‘SERVER_URL’ to ‘http://localhost:8070’, instead of setting SERVER_URL to http://${HOST}:8070.
Would you be able to confirm?
If this is the problem, would it be possible to dynamically set the web-modeler-webapp’s SERVER_URL environment variable?
You’ve correctly identified the issue! This is indeed a known limitation with the official Camunda 8.7 Docker Compose distribution.
The Problem
You’re absolutely right that the web-modeler-webapp service has the SERVER_URL hardcoded to http://localhost:8070 instead of using the ${HOST} variable. This causes authentication redirect URIs to use localhost even when you’ve configured your HOST and KEYCLOAK_HOST variables to use your custom domain (xxx.xxx.lan).
The Solution
To fix this, you need to manually modify the docker-compose.yaml file to use the HOST variable for the SERVER_URL environment variable in the web-modeler-webapp service.
Find the web-modeler-webapp service in your docker-compose.yaml and change:
environment:
  SERVER_URL: "http://localhost:8070"
To:
environment:
  SERVER_URL: "http://${HOST}:8070"
Why This Happens
The official Docker Compose distribution is designed primarily for local development with localhost, and there’s no built-in mechanism for dynamic HOST variable substitution in the SERVER_URL configuration. This is a known limitation mentioned in the community discussions.
Important Notes
The SERVER_URL must exactly match the redirect URI registered in your Keycloak client
Since you already have KEYCLOAK_INIT_WEBMODELER_ROOT_URL: http://${HOST}:8070 configured, your Keycloak should already have the correct redirect URI (http://xxx.xxx.lan:8070/login-callback)
After making this change, restart your Docker Compose stack
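A check for the mismatch discussed in this thread, as an added example that is not part of any post or of Camunda's distribution: it extracts redirect_uri from the authorization request the browser is sent to and reports which URL component differs from the URI registered in Identity. The authorization URL (Keycloak host, path, client_id) is constructed for illustration; the two redirect URIs are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the authorization request a browser would be redirected to.
# Only the redirect_uri value is taken from the thread; the rest is a placeholder.
AUTH_URL = (
    "http://keycloak.example/auth?client_id=web-modeler&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8070%2Flogin-callback"
)
# The redirect URI the poster sees registered in Identity.
REGISTERED = "http://xxx.xxx.lan:8070/login-callback"


def redirect_uri_of(auth_url):
    """Return the single, percent-decoded redirect_uri of an authorization URL."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def diff_redirect(sent, registered):
    """List the (component, sent, registered) triples that differ.

    An empty list means the two strings are identical, which is the
    exact-match condition the answer above describes.
    """
    if sent == registered:
        return []
    a, b = urlsplit(sent), urlsplit(registered)
    parts = [
        ("scheme", a.scheme, b.scheme),
        ("host", a.hostname, b.hostname),
        ("port", a.port, b.port),
        ("path", a.path, b.path),
    ]
    diffs = [p for p in parts if p[1] != p[2]]
    # Strings differ but the parsed components agree (case, query, fragment).
    return diffs or [("raw", sent, registered)]


if __name__ == "__main__":
    sent = redirect_uri_of(AUTH_URL)
    for component, got, want in diff_redirect(sent, REGISTERED):
        print(f"{component}: sent {got!r}, registered {want!r}")
```
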
I think the ‘Why This Happens’ is not true. There is a built-in mechanism for dynamic HOST variable via env file, it is just not working out of the box. ALL environment variables/config in the yaml file would need to be set dynamically, where it NEEDS to be set to the HOST and stay localhost or docker container name.
I think the ‘known limitation’ is an overstatement too, especially if there is no link provided, which proves that it is in the docs…