[keycloak-dev] Keycloak URL and backchannel requests

Sebastian Laskawiec slaskawi at redhat.com
Mon Jul 30 07:28:02 EDT 2018 

On Mon, Jul 30, 2018 at 1:05 PM Stian Thorgersen <sthorger at redhat.com>
wrote:

> Keycloak needs to know its public URL for a number of reasons. For example
> in the OIDC well-known endpoint, issuer in tokens and emails sent to users.
>
> At the moment we retrieve this from the request headers and have documented
> how to block requests with invalid URLs (
> https://www.keycloak.org/docs/latest/server_admin/index.html#host). The
> latter is important in production installations.
>
> There's two problems with the current approach:
>
> 1) Clients in the same subnet can't use internal IP to communicate with
> Keycloak
> 2) Configuring the valid URLs is an important step to secure a production
> installation, but the current approach is probably not well known and is
> rather messy to configure


> I propose we introduce an BaseURL SPI to allow a flexible way to determine
> the base URL. We would add two implementations OOTB:
>
> 1) Request - this would be set as the default-provider and would determine
> the base url from request headers as we do today
> 2) Fixed - this would allow setting a hardcoded public URL
>

How about adding a third option - "None". This would mean the Keycloak
operates without a fixed public IP (the implementation could probably call
back into "localhost:8080/auth" using a "Fixed" implementation). However,
with "None" we would be explicitly saying that there's no public IP and all
requests need to be local (e.g. from the same machine or Pod (sidecar
approach)).


>
> In standalone.xml it would look like this:
>
> <spi name="baseURL">
>     <default-provider>request</default-provider>
>     <provider name="fixed">
>        <properties>
>          <property name="baseURL" value="localhost:8080/auth"/>
>        </properties>
>    </provider>
> </spi>
>
> For production the default-provider should be changed to fixed and the
> baseURL value should be changed. This can be handled either through manual
> editing standalone.xml or with jboss-cli.
>

How about using the "None" as the default here?


>
> Once this is incorporated it will make it easy to add support for
> backchannel URL back to the adapters to allow adapters to use internal IP
> address when communicating with Keycloak.
>
> Implementation shouldn't be hard. It's mainly about making sure that
> UriInfo is retrieved from KeycloakSession#KeycloakContext and not injected
> directly.
>
> If anyone has more complex requirements for determining the public URL they
> can implement their own provider to handle it.
>
> One thing I'm not sure about is if it's common to use different URLs for
> different realms. If that's the case we may consider adding some support
> for mapping different realms to different baseURLs. I don't think this is
> common though.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list