[keycloak-dev] Flexible HTTP Proxy support for HttpClientProvider

Stian Thorgersen sthorger at redhat.com
Mon Oct 16 08:05:30 EDT 2017


I'm afraid we need contributions to come with full automated testing as
well as documentation as we don't have the capacity to add this on behalf
of the community. Obviously if adding HTTP proxy support became a priority
to us we would consider doing it, but at the moment we have many other
higher priority things to work on.

On 16 October 2017 at 14:00, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello,
>
> I agree that one needs to be able to test this automatically... but this
> needs some additional thought.
> For now how about rolling out the proxy support behind a feature flag and
> ask the community for feedback?
>
> I tested this for google APIs but I'd assume that since the proxy is
> transparently applied in case the target hostname
> of a request matches the configured proxy pattern it will work just fine.
>
> Btw. I just gave this a try with the registration recaptcha and it worked
> fine.
>
> I had to adjust the default Content-Security-Policy sent by Keycloak
> though:
> from:
>   frame-src self; frame-ancestors 'self'; object-src 'none';
> to:
>   frame-src self https://www.google.com/recaptcha/; frame-ancestors
> 'self'; object-src 'none';
>
> One thing that is currently missing in the proxy support is support for
> proxy authentication, but this could be added later.
>
> Cheers,
> Thomas
>
> 2017-10-16 12:55 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>
>> We'd need some way of automatically testing HTTP proxy support, which is
>> non-trivial. The steps you've listed only manually checks Google, but what
>> about everything else that may need to go through the HTTP proxy? Captcha,
>> other IdPs, external clients, etc..
>>
>> On 11 October 2017 at 14:26, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>
>>> Hello,
>>>
>>> I've sent a PR [1] for KEYCLOAK-4743 [2] Add proxy support to
>>> HttpClientProvider SPI.
>>> The proposed implementation is based on the discussions from an older
>>> (rejected) PR [3]
>>>
>>> The current DefaultHttpClientProviderFactory doesn't support HTTP proxies,
>>> which makes it very difficult to integrate social Identity Providers like
>>> Google / Facebook etc. when you are required to tunnel all external
>>> communications through a proxy server.
>>>
>>> Server developers are currently required to either convince their network
>>> admins to loosen the proxy rules ... or provide a custom implementation of a
>>> HttpClientProvider, which is quite complex. Therefore it would be great if
>>> keycloak would add support for this out of the box.
>>>
>>> Since keycloak needs to be able to selectively use a (dedicated) proxy server
>>> for external and potentially no proxy for internal connections, the
>>> configuration for that needs to be quite flexible.
>>>
>>> The current PR proposes to use an ordered list of proxy mappings that match
>>> an HTTP request host based on a regex pattern to a proxy URI, which are
>>> processed by a new ProxyMappingsAwareRoutePlanner that is added to the
>>> internal HttpClient.
>>>
>>> A ProxyMapping has the form hostname-pattern;proxy-uri e.g.:
>>>
>>>       .*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080
>>>       .*\.acme\.corp\.com;NO_PROXY
>>>       .*;http://fallback:8080
>>>
>>> (the catch-all is optional)
>>> The first matching mapping defines the proxy to use. If no pattern matches
>>> then no proxy is used. One can also explicitly define that certain
>>> connections should not use a proxy.
>>>
>>> ... and can be configured via jboss-cli
>>>
>>>   echo SETUP: Configure proxy routes for HttpClient SPI
>>>
>>> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>>>
>>> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",".*\\.acme\\.corp\\.com;NO_PROXY",".*;http://fallback:8080"])
>>>
>>> This can be tested as follows:
>>> 1) Apply the PR in branch, build a server distribution.
>>> 2) Start Keycloak with portOffset 10000 for http/https/ajp port.
>>> Configure the ProxyMappings in standalone.xml:
>>> via jboss-cli:
>>>   echo SETUP: Configure proxy routes for HttpClient SPI
>>>
>>> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>>>
>>> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://localhost:8080"])
>>>
>>> 3) Download and start BurpSuite [4]
>>> 4) By default burpsuite starts a proxy server on port 8080
>>> 5) Register google as auth provider and check entries in burp proxy log
>>>    (Note that you potentially need to explicitly forward the request in the
>>> proxy tab in Burp)
>>>
>>> WDYT?
>>>
>>> Cheers,
>>> Thomas
>>>
>>> [1] https://github.com/keycloak/keycloak/pull/4543
>>> [2] https://issues.jboss.org/browse/KEYCLOAK-4743
>>> [3] https://github.com/keycloak/keycloak/pull/4040
>>> [4] https://portswigger.net/burp/help/suite_gettingstarted.html
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>
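The ordered, first-match host-pattern resolution that the proposal in this thread describes, worked through as an added example. This is not code from the thread or from the Keycloak PR's ProxyMappingsAwareRoutePlanner; it only mirrors the rules stated in the mail (ordered list, first match wins, NO_PROXY sentinel, no match means no proxy) using the three mappings quoted there. Assumptions that the thread does not state: a pattern is full-matched against the target hostname only (never the path or query), hostnames are compared case-insensitively, and an entry is split at its last `;`. The mappings are written as Python raw strings; the doubled backslashes in the jboss-cli form are CLI escaping, the value Keycloak stores is the single-backslash regex.

```python
"""Resolve which HTTP proxy to use for a target URL from an ordered list of
"hostname-pattern;proxy-uri" mappings, as described in the proposal above.

Added example; not Keycloak's own implementation. Assumptions not stated in
the thread: patterns are full-matched against the hostname only, matching is
case-insensitive, and an entry is split at its last ';'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

NO_PROXY = "NO_PROXY"  # sentinel from the proposal: connect directly


@dataclass(frozen=True)
class ProxyMapping:
    host_pattern: re.Pattern
    proxy_uri: Optional[str]  # None means "no proxy, connect directly"


def parse_mapping(entry: str) -> ProxyMapping:
    """Parse one 'hostname-pattern;proxy-uri' entry.

    Splitting at the last ';' keeps a regex that itself contains ';' intact
    (assumption: proxy URIs never contain ';').
    """
    pattern, sep, proxy = entry.rpartition(";")
    pattern, proxy = pattern.strip(), proxy.strip()
    if not sep or not pattern or not proxy:
        raise ValueError(f"malformed proxy mapping: {entry!r}")
    if proxy != NO_PROXY and urlsplit(proxy).hostname is None:
        raise ValueError(f"proxy is not a URI with a host: {entry!r}")
    return ProxyMapping(re.compile(pattern, re.IGNORECASE),
                        None if proxy == NO_PROXY else proxy)


def parse_mappings(entries: List[str]) -> List[ProxyMapping]:
    """Order is preserved: the first matching mapping wins."""
    return [parse_mapping(e) for e in entries]


def resolve_proxy(mappings: List[ProxyMapping], target_url: str) -> Optional[str]:
    """Return the proxy URI for target_url, or None to connect directly.

    Only the hostname is matched, never the scheme, port, path or query, so
    a request cannot be steered to a different route by putting a matching
    string somewhere else in the URL.
    """
    host = urlsplit(target_url).hostname  # urlsplit already lower-cases it
    if not host:
        raise ValueError(f"no host in target URL: {target_url!r}")
    for mapping in mappings:
        if mapping.host_pattern.fullmatch(host):
            return mapping.proxy_uri
    return None  # no pattern matched: no proxy, as in the proposal


# The three mappings quoted in the mail, as raw strings.
EXAMPLE_MAPPINGS = parse_mappings([
    r".*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080",
    r".*\.acme\.corp\.com;NO_PROXY",
    r".*;http://fallback:8080",
])


if __name__ == "__main__":
    # Constructed sample targets, including an apex domain: the first pattern
    # requires a literal dot before 'google', so google.com falls through
    # to the catch-all rather than the corporate proxy.
    for url in ("https://accounts.google.com/o/oauth2/v2/auth",
                "https://google.com/",
                "http://ldap.acme.corp.com:389/",
                "https://graph.facebook.com/v2.12/me"):
        print(f"{url:45} -> {resolve_proxy(EXAMPLE_MAPPINGS, url)}")
```

Two things worth checking in any such configuration: the patterns in the mail require a subdomain (`.*\.google\.com` does not match the apex `google.com`, which then hits whatever catch-all follows), and the list is order-sensitive, so a `.*` catch-all placed first silently shadows every NO_PROXY rule after it.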

