[keycloak-dev] combine proxy and keycloak server

Pedro Igor Silva psilva at redhat.com
Mon Aug 15 10:04:22 EDT 2016 

Don't you think that all that is pretty much related with turning Keycloak as a Web Application Firewall (WAF) ? Now that we also have authz services in, we can do a lot of things at this regard. 

----- Original Message -----
From: "Bill Burke" <bburke at redhat.com>
To: stian at redhat.com, "Thomas Darimont" <thomas.darimont at googlemail.com>
Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
Sent: Monday, August 15, 2016 10:38:00 AM
Subject: Re: [keycloak-dev] combine proxy and keycloak server



You should rethink your position, IMO. Its actually a huge benefit in both usability and performance. 

Usability in that you don't have to configure and run a completely different program/process that is configured completely different than Keycloak. You can configure and manage all clients in one place. Performance is that you get rid of all the redirects that happen with SAML and OIDC. FOr your performance concern, you would just assign only a set of specific nodes that would be your proxy. So, if you had a keycloak cluster of 4 nodes, 2 nodes could be designated solely as proxy nodes, the other 2 for normal SSO. 

On 8/15/16 7:44 AM, Stian Thorgersen wrote: 



I'm not convinced about this. A lot of complexity for what seems like little benefit. The improvement of not having to do OIDC would probably end up being outweighed by all requests going through Keycloak rather than a separate proxy. 

On 9 August 2016 at 11:06, Thomas Darimont < thomas.darimont at googlemail.com > wrote: 



FYI, I sent some questions to the undertow dev-mailing list regarding dynamic vhost configuration: 
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html 

Cheers, 
Thomas 

2016-08-05 21:26 GMT+02:00 Bill Burke < bburke at redhat.com > : 





Yeah, on the Client creation page, instead of oidc or saml, you can pick "proxied". You would specify the URL pattern of incoming requests and the URL pattern to forward HTTP requests and bam, it just works. Set up some virtual host table on demand with Undertow. 

On 8/5/16 11:36 AM, Thomas Darimont wrote: 



Sounds interesting... 

could you provide a bit more detail about what you have in mind? 

Cheers, 
Thomas 

2016-08-05 16:38 GMT+02:00 Bill Burke < bburke at redhat.com > : 


Bump. 

I'm going to keep bumping this occasionally to see if somebody in the 
community wants to take this on. 


On 8/4/16 8:30 PM, Bill Burke wrote: 
> I think we should combine Keycloak Proxy with the keycloak server. When 
> creating a client, you would have an option to declare it as a proxied 
> client. This is way better than what we currently have as we woudln't 
> have to do SAML or OIDC so it would be more performant and it would 
> require no additional setup. 
> 
> _______________________________________________ 
> keycloak-dev mailing list 
> keycloak-dev at lists.jboss.org 
> https://lists.jboss.org/mailman/listinfo/keycloak-dev 

_______________________________________________ 
keycloak-dev mailing list 
keycloak-dev at lists.jboss.org 
https://lists.jboss.org/mailman/listinfo/keycloak-dev 




_______________________________________________ 
keycloak-dev mailing list 
keycloak-dev at lists.jboss.org 
https://lists.jboss.org/mailman/listinfo/keycloak-dev 



_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list