but my line of thought here is why can't I do that by just setting the front-end URL on the master realm?

Because you would need to do that for every realm. Each realm potentially has its own admin console, and I reckon the user wants to restrict the access to all of those, not just the master realm admin console.

So my question - would the proposed solution solve any of these problems?

To work with your example:

--hostname would remain https://sso.uds.dev

The master realm would have its front-end url set to https://keycloak.admin.uds.dev, and hostname-admin would be unset.

https://keycloak.admin.uds.dev for admin consoles

This is where there is a difference.

https://keycloak.admin.uds.dev/admin/master/console should work as you expect.

https://keycloak.admin.uds.dev/admin/other/console however would not be valid. You'd need to use https://sso.uds.dev/admin/other/console

What's not clear to me about why hostname-admin is desirable in this situation:

• You should be add to path and client based restrictions to https://sso.uds.dev/admin - using a different hostname does not seem required.
• You can't set a hostname-admin per realm

Each realm potentially has its own admin console, and I reckon the user wants to restrict the access to all of those, not just the master realm admin console.

They don't really have their own admin console - there's a global hostname admin - the differentiation is path based and you already need to account for restricting access to /admin in the proxy.

They don't really have their own admin console - there's a global hostname admin - the differentiation is path based and you already need to account for restricting access to /admin in the proxy.

Sorry, I was not clear. I meant the case when you'd wanted to expose all admin consoles on a hostname that is different from the front-end. This wouldn't be possible without hostname-admin.

Sorry, I was not clear. I meant the case when you'd wanted to expose all admin consoles on a hostname that is different from the front-end. This wouldn't be possible without hostname-admin.

Agreed, and I'm trying to understand if that is hard requirement and/or why we don't support a hostname-admin per realm. Based upon #14623 and similar requests, I'd say that for both front-end and admin traffic to the proxy we'd want the path containing the realm to be optional.

https://keycloak.admin.uds.dev/admin/other/console however would not be valid. You'd need to use https://sso.uds.dev/admin/other/console

To understand a bit better - in what cases does the server need to enforce a specific admin hostname, or can that be up to the proxy?

Let's say for example that we had a setting like hostname-admin-strict=false which could not be used in conjunction with hostname-strict=false. That should allow in this case for https://keycloak.admin.uds.dev/admin/other/console to be used.

If I wanted to require a specific hostname for a particular realm's admin console could that be done via the security-admin-console client's root url?