[keycloak-dev] combine proxy and keycloak server
Bill Burke
bburke at redhat.com
Mon Aug 15 09:38:00 EDT 2016
You should rethink your position, IMO. Its actually a huge benefit in
both usability and performance.
Usability in that you don't have to configure and run a completely
different program/process that is configured completely different than
Keycloak. You can configure and manage all clients in one place.
Performance is that you get rid of all the redirects that happen with
SAML and OIDC. FOr your performance concern, you would just assign only
a set of specific nodes that would be your proxy. So, if you had a
keycloak cluster of 4 nodes, 2 nodes could be designated solely as proxy
nodes, the other 2 for normal SSO.
On 8/15/16 7:44 AM, Stian Thorgersen wrote:
> I'm not convinced about this. A lot of complexity for what seems like
> little benefit. The improvement of not having to do OIDC would
> probably end up being outweighed by all requests going through
> Keycloak rather than a separate proxy.
>
> On 9 August 2016 at 11:06, Thomas Darimont
> <thomas.darimont at googlemail.com
> <mailto:thomas.darimont at googlemail.com>> wrote:
>
> FYI, I sent some questions to the undertow dev-mailing list
> regarding dynamic vhost configuration:
> http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
> <http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html>
>
> Cheers,
> Thomas
>
> 2016-08-05 21:26 GMT+02:00 Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>>:
>
> Yeah, on the Client creation page, instead of oidc or saml,
> you can pick "proxied". You would specify the URL pattern of
> incoming requests and the URL pattern to forward HTTP requests
> and bam, it just works. Set up some virtual host table on
> demand with Undertow.
>
>
> On 8/5/16 11:36 AM, Thomas Darimont wrote:
>> Sounds interesting...
>>
>> could you provide a bit more detail about what you have in mind?
>>
>> Cheers,
>> Thomas
>>
>> 2016-08-05 16:38 GMT+02:00 Bill Burke <bburke at redhat.com
>> <mailto:bburke at redhat.com>>:
>>
>> Bump.
>>
>> I'm going to keep bumping this occasionally to see if
>> somebody in the
>> community wants to take this on.
>>
>>
>> On 8/4/16 8:30 PM, Bill Burke wrote:
>> > I think we should combine Keycloak Proxy with the
>> keycloak server. When
>> > creating a client, you would have an option to declare
>> it as a proxied
>> > client. This is way better than what we currently have
>> as we woudln't
>> > have to do SAML or OIDC so it would be more performant
>> and it would
>> > require no additional setup.
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> <mailto:keycloak-dev at lists.jboss.org>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> <mailto:keycloak-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>>
>>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160815/c07b7c38/attachment.html
More information about the keycloak-dev
mailing list