<div dir="ltr">You'll end up with another "protocol" to do this, which is additional maintenance and testing and, more importantly, a new potential vector for vulnerabilities. Not great IMO.<div><br></div><div>What you are describing around having dedicated nodes for the proxy operations just sounds more complex than having completely separate servers. For high performance I'd imagine the proxy would end up having quite different configuration needs than the Keycloak server as well.</div><div><br></div><div>There are also plenty of options around proxies (Apache, nginx, APIMan, 3scale, etc.). I'm not convinced we should even have our own. Sounds like APIMan might actually survive and end up being supported in some form, so that may still be a better option than us rolling our own proxy/gateway.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 15 August 2016 at 15:38, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>You should rethink your position, IMO. It's actually a huge benefit in both usability and performance.</p>
<p>Usability in that you don't have to configure and run a completely different program/process that is configured completely differently from Keycloak. You can configure and manage all clients in one place. Performance is that you get rid of all the redirects that happen with SAML and OIDC. For your performance concern, you would just assign only a set of specific nodes that would be your proxy. So, if you had a Keycloak cluster of 4 nodes, 2 nodes could be designated solely as proxy nodes, the other 2 for normal SSO. <br>
</p><div><div class="h5">
<br>
<div>On 8/15/16 7:44 AM, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I'm not convinced about this. A lot of complexity
for what seems like little benefit. The improvement of not
having to do OIDC would probably end up being outweighed by all
requests going through Keycloak rather than a separate proxy.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 9 August 2016 at 11:06, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">FYI, I sent some questions to the undertow dev-mailing list regarding dynamic vhost configuration:
<div><a href="http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html" target="_blank">http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html</a><br>
</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Thomas</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-08-05 21:26 GMT+02:00
Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Yeah, on the Client creation page, instead of oidc or saml, you can pick "proxied". You would specify the URL pattern of incoming requests and the URL pattern to forward HTTP requests to and bam, it just works. Set up some virtual host table on demand with Undertow.<br>
</p>
<div>
<div> <br>
<div>On 8/5/16 11:36 AM, Thomas Darimont
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Sounds interesting...
<div><br>
</div>
<div>could you provide a bit more detail
about what you have in mind?</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Thomas</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-08-05
16:38 GMT+02:00 Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Bump.<br>
<br>
I'm going to keep bumping this occasionally to see if somebody in the<br>
community wants to take this on.<br>
<div>
<div><br>
<br>
On 8/4/16 8:30 PM, Bill Burke wrote:<br>
> I think we should combine Keycloak Proxy with the Keycloak server. When<br>
> creating a client, you would have an option to declare it as a proxied<br>
> client. This is way better than what we currently have as we wouldn't<br>
> have to do SAML or OIDC so it would be more performant and it would<br>
> require no additional setup.<br>
><br>
> _______________________________________________<br>
> keycloak-dev mailing list<br>
> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>