[keycloak-dev] Flexible HTTP Proxy support for HttpClientProvider

Stian Thorgersen sthorger at redhat.com
Mon Oct 16 08:07:05 EDT 2017


By the way "preview" features need testing as well.

On 16 October 2017 at 14:05, Stian Thorgersen <sthorger at redhat.com> wrote:

> I'm afraid we need contributions to come with full automated testing as
> well as documentation as we don't have the capacity to add this on behalf
> of the community. Obviously if adding HTTP proxy support became a priority
> to us we would consider doing it, but at the moment we have many other
> higher priority things to work on.
>
> On 16 October 2017 at 14:00, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> I agree that one needs to be able to test this automatically... but this
>> needs some additional thought.
>> For now how about rolling out the proxy support behind a feature flag and
>> ask the community for feedback?
>>
>> I tested this for google APIs but I'd assume that since the proxy is
>> transparently applied in case the target hostname
>> of a request matches the configured proxy pattern it will work just fine.
>>
>> Btw. I just gave this a try with the registration recaptcha and it worked
>> fine.
>>
>> I had to adjust the default Content-Security-Policy sent by Keycloak
>> though:
>> from:
>>   frame-src self; frame-ancestors 'self'; object-src 'none';
>> to:
>>   frame-src self https://www.google.com/recaptcha/; frame-ancestors
>> 'self'; object-src 'none';
>>
>> One thing that is currently missing in the proxy support is support for
>> proxy authentication, but this could be added later.
>>
>> Cheers,
>> Thomas
>>
>> 2017-10-16 12:55 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>>
>>> We'd need some way of automatically testing HTTP proxy support, which is
>>> non-trivial. The steps you've listed only manually checks Google, but what
>>> about everything else that may need to go through the HTTP proxy? Captcha,
>>> other IdPs, external clients, etc..
>>>
>>> On 11 October 2017 at 14:26, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I've sent a PR [1] for KEYCLOAK-4743 [2] Add proxy support to
>>>> HttpClientProvider SPI.
>>>> The proposed implementation is based on the discussions from an older
>>>> (rejected) PR [3]
>>>>
>>>> The current DefaultHttpClientProviderFactory doesn't support HTTP proxies,
>>>> which makes it very difficult to integrate social Identity Providers like
>>>> google / facebook etc. when you are required to tunnel all external
>>>> communications through a proxy server.
>>>>
>>>> Server Developers are currently required to either convince their network
>>>> admins to loosen the proxy rules ... or provide a custom implementation of
>>>> an HttpClientProvider, which is quite complex. Therefore it would be great
>>>> if keycloak would add support for this out of the box.
>>>>
>>>> Since keycloak needs to be able to selectively use a (dedicated) proxy
>>>> server for external and potentially no proxy for internal connections, the
>>>> configuration for that needs to be quite flexible.
>>>>
>>>> The current PR proposes to use an ordered list of proxy mappings that
>>>> match an HTTP request host, based on a regex pattern, to a proxy URI; these
>>>> are processed by a new ProxyMappingsAwareRoutePlanner that is added to the
>>>> internal HttpClient.
>>>>
>>>> A ProxyMapping has the form hostname-pattern;proxy-uri e.g.:
>>>>
>>>>       .*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080
>>>>       .*\.acme\.corp\.com;NO_PROXY
>>>>       .*;http://fallback:8080
>>>>
>>>> (the catch-all is optional)
>>>> The first matching mapping defines the proxy to use. If no pattern
>>>> matches, then no proxy is used. One can also explicitly define that
>>>> certain connections should not use a proxy.
>>>>
>>>> ... and can be configured via jboss-cli
>>>>
>>>>   echo SETUP: Configure proxy routes for HttpClient SPI
>>>>
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",".*\\.acme\\.corp\\.com;NO_PROXY",".*;http://fallback:8080"])
>>>>
>>>> This can be tested as follows:
>>>> 1) Apply the PR in branch, build a server distribution.
>>>> 2) Start Keycloak with portOffset 10000 for http/https/ajp port.
>>>> Configure the ProxyMappings in standalone.xml:
>>>> via jboss-cli:
>>>>   echo SETUP: Configure proxy routes for HttpClient SPI
>>>>
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://localhost:8080"])
>>>>
>>>> 3) Download and start BurpSuite [4]
>>>> 4) By default burpsuite starts a proxy server on port 8080
>>>> 5) Register google as auth provider and check entries in burp proxy log
>>>>    (Note that you potentially need to explicitly forward the request in
>>>>    the proxy tab in Burp)
>>>>
>>>> WDYT?
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> [1] https://github.com/keycloak/keycloak/pull/4543
>>>> [2] https://issues.jboss.org/browse/KEYCLOAK-4743
>>>> [3] https://github.com/keycloak/keycloak/pull/4040
>>>> [4] https://portswigger.net/burp/help/suite_gettingstarted.html
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>
>
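The proxy-mapping semantics described in the thread (an ordered list of `hostname-pattern;proxy-uri` entries, first match wins, `NO_PROXY` for a direct connection, and no proxy when nothing matches), as an added Java example against Apache HttpClient 4.x. This is not Keycloak's code and not the PR's ProxyMappingsAwareRoutePlanner; the class name `ProxyMappingRoutePlanner`, the `parse`/`proxyFor` helpers and the sample rules in `main` are assumptions made here for illustration. One deliberate design point: the hostname is checked with `matcher(host).matches()` (whole-string match), not `find()`, so a rule such as `.*\.google\.com` cannot be satisfied by a longer name like `www.google.com.example.net` that merely contains that suffix and would otherwise be steered through the wrong proxy.

```java
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.DefaultRoutePlanner;
import org.apache.http.impl.conn.DefaultSchemePortResolver;
import org.apache.http.protocol.HttpContext;

/**
 * Illustrative route planner (assumed name; not Keycloak's implementation).
 * Each rule is "hostname-regex;proxy-uri". Rules are evaluated in order; the
 * first whose regex matches the whole target hostname wins, "NO_PROXY" means
 * connect directly, and a hostname matching no rule is also connected directly.
 */
public class ProxyMappingRoutePlanner extends DefaultRoutePlanner {

    static final String NO_PROXY = "NO_PROXY";

    /** One parsed rule: compiled hostname pattern plus the proxy to use (null = direct). */
    static final class Mapping {
        final Pattern hostPattern;
        final HttpHost proxy;

        Mapping(Pattern hostPattern, HttpHost proxy) {
            this.hostPattern = hostPattern;
            this.proxy = proxy;
        }
    }

    private final List<Mapping> mappings;

    public ProxyMappingRoutePlanner(List<String> rawMappings) {
        super(DefaultSchemePortResolver.INSTANCE);
        this.mappings = parse(rawMappings);
    }

    /** Splits each entry at its last ';' (a scheme://host:port proxy URI carries none). */
    static List<Mapping> parse(List<String> rawMappings) {
        List<Mapping> result = new ArrayList<>();
        for (String raw : rawMappings) {
            int sep = raw.lastIndexOf(';');
            if (sep < 0) {
                throw new IllegalArgumentException("expected hostname-pattern;proxy-uri, got: " + raw);
            }
            Pattern hostPattern = Pattern.compile(raw.substring(0, sep).trim());
            String target = raw.substring(sep + 1).trim();
            HttpHost proxy = NO_PROXY.equals(target) ? null : toProxyHost(target);
            result.add(new Mapping(hostPattern, proxy));
        }
        return result;
    }

    static HttpHost toProxyHost(String proxyUri) {
        URI uri = URI.create(proxyUri);
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new IllegalArgumentException("proxy URI must be scheme://host[:port], got: " + proxyUri);
        }
        return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
    }

    /** Proxy for the given hostname, or null when the connection should be direct. */
    HttpHost proxyFor(String hostname) {
        for (Mapping m : mappings) {
            // matches() requires the regex to cover the entire hostname; find()
            // would also accept "www.google.com.example.net" for ".*\.google\.com".
            if (m.hostPattern.matcher(hostname).matches()) {
                return m.proxy;
            }
        }
        return null; // no rule matched: direct connection
    }

    @Override
    protected HttpHost determineProxy(HttpHost target, HttpRequest request, HttpContext context)
            throws HttpException {
        return proxyFor(target.getHostName());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample rules mirroring the ones quoted in the thread.
        List<String> rules = Arrays.asList(
                ".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",
                ".*\\.acme\\.corp\\.com;NO_PROXY",
                ".*;http://fallback:8080");
        ProxyMappingRoutePlanner planner = new ProxyMappingRoutePlanner(rules);

        for (String host : Arrays.asList("www.googleapis.com", "sso.acme.corp.com",
                "www.google.com.example.net", "example.org")) {
            HttpHost proxy = planner.proxyFor(host);
            System.out.println(host + " -> " + (proxy == null ? "direct" : proxy));
        }

        // Wiring the planner into a client, as an HttpClientProvider implementation would.
        try (CloseableHttpClient client = HttpClients.custom().setRoutePlanner(planner).build()) {
            // client.execute(...) now routes each request according to the rules above.
        }
    }
}
```

`HttpClients.custom().setRoutePlanner(...)` is the standard HttpClient 4.3+ hook, so the same planner can be handed to whatever builder an HttpClientProvider uses. Proxy authentication, which the thread notes is still missing, would be a separate credentials provider on the builder and is not shown here.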