<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 8 March 2016 at 09:43, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>+1 to remove it.<br>
<br>
We can always re-add or add something different if people start to
complain <span><span> ;-) </span></span><br>
<br>
I guess that sooner or later we may still need a way to
configure the hostname for the Keycloak server. I think that there were
people with funky deployments having issues even if they don't use
auth-server-url-for-backend-requests. Another possibility, instead of
introducing a hostname, might be to introduce a list of valid URLs on the
adapter side, which are acceptable as issuers of access tokens. But
who knows, maybe everyone can somehow fix his deployment and we
won't need anything <span><span> :-) </span></span></div></div></blockquote><div><br></div><div>I don't think we'll need it, nor do I think we need a list of valid URLs on the adapter side. It's a slippery slope to do that, both in terms of usability and security. A token should be issued by a specific Keycloak server (and the hostname is important here), and a token issued by one Keycloak server with one hostname is not equivalent to a token issued by another server.</div><div><br></div><div>If someone can't configure DNS or hostnames they'll just have to invoke it through the reverse proxy or load balancer. In fact in a cluster you most likely will have to go through the load balancer in either case.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div><br>
<br>
Marek<div><div class="h5"><br>
<br>
On 08/03/16 09:08, Stian Thorgersen wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>Currently we allow adapters to configure two URLs for
Keycloak (auth-server-url and
auth-server-url-for-backend-requests). I propose we
remove auth-server-url-for-backend-requests.</div>
<div><br>
</div>
<div>The auth-server-url-for-backend-requests property was added
as a way for adapters to invoke Keycloak directly without
having to go through a load balancer or reverse proxy.</div>
<div><br>
</div>
<div>The issue with auth-server-url-for-backend-requests is that
the Keycloak server will not know the adapter is invoking
Keycloak from a different URL, which results in invalid URLs
in tokens and also in any links that are generated (for example,
verify email). </div>
<div><br>
</div>
<div>It also means that there's a need to have two separate
certificates configured for Keycloak as there are different
hostnames.</div>
<div><br>
</div>
<div>The currently proposed solution is to add a way to
configure the hostname for the Keycloak server. However, this
is an extra configuration requirement and is also a
significant amount of work to implement as well as potentially
quite error prone. This could further be problematic if there
are indeed two valid URLs for a server (for example <a href="http://company.com" target="_blank">http://company.com</a>
and <a href="http://internal.company.com" target="_blank">http://internal.company.com</a>).</div>
<div><br>
</div>
<div>We should simply remove
auth-server-url-for-backend-requests. If anyone wants to
bypass the load balancer for internal machines, that should be
solved at the DNS level or by adding entries to the hosts file.
As the hostname remains the same there's no need for multiple
certificates, nor is there a need to hardcode the address on
the Keycloak server itself.</div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div>
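The issuer check this thread turns on, as an added Python example that is not Keycloak's adapter code: Keycloak sets a token's iss claim to &lt;auth-server-url&gt;/realms/&lt;realm&gt;, so an adapter configured with the single auth-server-url rejects a token minted under a different hostname (such as one obtained through a separate backend URL). The config values, token fixtures and helper names are constructed for illustration; signature verification is assumed to happen before any claim is read.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed adapter configuration: after auth-server-url-for-backend-requests
# is removed, this single URL is the only one the adapter knows about.
ADAPTER_CONFIG = {"auth-server-url": "https://company.com/auth/", "realm": "demo"}

def canonical(url: str) -> str:
    """Normalise a URL for comparison: lower-case scheme and host, drop a
    default port, strip the trailing slash. Anything else (a different host,
    a different path) is a real difference and must not be papered over."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    port = parts.port
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if port is not None and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}{parts.path.rstrip('/')}"

def expected_issuer(config: dict) -> str:
    """Keycloak sets iss to <auth-server-url>/realms/<realm>."""
    return f"{canonical(config['auth-server-url'])}/realms/{config['realm']}"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_issuer(token: str) -> str:
    """Read the iss claim. A real adapter verifies the signature against the
    realm public key before trusting any claim; that step is not shown here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))["iss"]

def issuer_accepted(token: str, config: dict) -> bool:
    """Exact match against the one configured issuer: a token minted under
    another hostname is not equivalent, so it is rejected."""
    return canonical(token_issuer(token)) == expected_issuer(config)

def make_fixture_token(claims: dict) -> str:
    """Constructed test token: JOSE header, payload, placeholder signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"

# Token minted via the public URL, and one minted when Keycloak was reached
# through an internal backend URL: its iss carries that hostname instead.
PUBLIC_TOKEN = make_fixture_token({"iss": "https://company.com/auth/realms/demo", "sub": "alice"})
INTERNAL_TOKEN = make_fixture_token({"iss": "https://internal.company.com/auth/realms/demo", "sub": "alice"})
```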