[keycloak-user] Keycloak Proxy passing thorugh unauthenticated

Tue May 17 16:05:25 EDT 2016

The access token is a Json Web Signature (JWS) signed by the realm.  
What you're describing is bearer token auth.  The different being that 
the token is in the KEYCLOAK_ACCESS_TOKEN header rather than the 
Authorization header.

On 5/17/16 3:28 PM, Guy Bowdler wrote:
> Hi Jason,
>
> Thanks for your input.  Rest assured this all under consideration, 
> especially the authorisation side of things. The keycloak proxy does 
> look like it exposes key fields in headers that are otherwise quite 
> tricky to extract by other means and that can be easily processed by 
> the application.  Ensuring that no header manipulation may be 
> trickier, but there should be some signing in the JWT our devs can 
> check against
>
> Guy Bowdler
>
> Dorset Networks
> 01202 694966 | 07793 290798 | www.dorsetnetworks.com 
> <http://www.dorsetnetworks.com>
> Website and email hosting | Computer Networks
>
>
>
>
>> On 17 May 2016, at 18:42, Jason Axley <jaxley at expedia.com 
>> <mailto:jaxley at expedia.com>> wrote:
>>
>> Not requiring a plugin is a fine design goal, but the applications 
>> must have custom code to at least extract the user’s identity 
>> information from the HTTP requests.  It would be best design approach 
>> to actually provide the application with *verifiable* identity 
>> information in the form of the JWT that can be verified with a plugin 
>> or inside the same set of application code that is responsible for 
>> extracting the identity for the request.
>>
>> Perhaps since the access token is sent along as KEYCLOAK_ACCESS_TOKEN 
>> so the server could request the JWT if they knew the URL?  I would be 
>> sure to document how integrating applications behind the proxy should 
>> securely integrate and validate the identity information, otherwise 
>> apps won’t do this securely.
>>
>> Secure design necessitates replacing assumptions with controls 
>> wherever possible.  Assumptions such as “there is no bad guy on my 
>> network” are pretty devastating to security and in practice 
>> impossible to ensure but a control such as “attackers cannot forge 
>> JWT tokens“ are much more robust and easy to reason about.
>>
>> -Jason
>>
>> On 5/13/16, 11:58 AM, "keycloak-user-bounces at lists.jboss.org 
>> <mailto:keycloak-user-bounces at lists.jboss.org> on behalf of Bill 
>> Burke" <keycloak-user-bounces at lists.jboss.org 
>> <mailto:keycloak-user-bounces at lists.jboss.org> on behalf of 
>> bburke at redhat.com <mailto:bburke at redhat.com>> wrote:
>>
>>> The idea of the proxy is that the secured app doesn't have to have a
>>> plugin.  The secured app is supposed to be on a private network and the
>>> proxy sits on a public one.
>>>
>>>
>>> On 5/13/16 11:52 AM, Jason Axley wrote:
>>>> From my read of the design, it doesn’t look like the proxy design 
>>>> provides a secure way of front-ending an application that won’t 
>>>> allow someone with network access behind the proxy to access the 
>>>> application either without authentication or by impersonating any 
>>>> user since the design appears to rely on HTTP headers set with 
>>>> identity information sent to the backend application.
>>>>
>>>> A better design would have been to pass the actual Id Token to the 
>>>> backend application so that the backend application can actually 
>>>> verify the identity signature on the JWT so that someone can’t just 
>>>> fabricate arbitrary identity information.  I would think this could 
>>>> work in concert with an application plugin that could consume these 
>>>> tokens and validate and make the identity information available to 
>>>> the application in a trustworthy manner.
>>>>
>>>> -Jason
>>>>
>>>> On 5/13/16, 8:00 AM, "keycloak-user-bounces at lists.jboss.org 
>>>> <mailto:keycloak-user-bounces at lists.jboss.org> on behalf of Guy 
>>>> Bowdler" <keycloak-user-bounces at lists.jboss.org 
>>>> <mailto:keycloak-user-bounces at lists.jboss.org> on behalf of 
>>>> guybowdler at dorsetnetworks.com 
>>>> <mailto:guybowdler at dorsetnetworks.com>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We've got the Keycloak Security Proxy (official one -
>>>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html)
>>>>> running and passing to an nginx proxy which is in turn proxying out
>>>>> different apps, ie:
>>>>>
>>>>> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse 
>>>>> Proxy]
>>>>> ------> [application]
>>>>>
>>>>> Where [] denotes a different box, the ProxyBox is hostname.domain and
>>>>> the apps are published as hostname.domain/appname
>>>>>
>>>>>
>>>>> However, the client is able to access the application without
>>>>> authentication, we have clients and roles set up in keycloak and the
>>>>> config looks ok (although obviously isn't!)
>>>>>
>>>>> Are there any KeyCloak Proxy logs we can look at, or debugging 
>>>>> options?
>>>>> I haven't found any as yet andnothing is jumping out of the config.
>>>>>
>>>>> We can access the back end apps ok either from the Keycloak proxy
>>>>> running on ports 80 or 443 or via the nginx proxy on 8080 (and 
>>>>> yes, this
>>>>> latter connection will be restricted to localhost when it's working!).
>>>>> The keycloak proxy config is very similar to the default except the
>>>>> values from the keycloak installation GUI have been pasted in.
>>>>>
>>>>> Any troubleshooting tips would be much appreciated!
>>>>>
>>>>> thanks in advance:)
>>>>>
>>>>> Guy
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160517/887e137f/attachment-0001.html 