[keycloak-user] Token Request Problems when Reverse Proxying to Keycloak Server

Roger Turnau (US - Advisory) roger.turnau at pwc.com
Fri Apr 21 15:52:54 EDT 2017


Hi all,

We have Keycloak set up in front of an AngularJS app. The app is served up
by an Apache server that lives in the DMZ, and it reverse proxies all
requests to a separate server behind the DMZ. We've noticed, however, that
token requests are not being successfully returned to the app, resulting in
users being logged out when, for instance, they do a page refresh. Or they
get logged out instantly when the JavaScript adapter's authentication
iframe does its heartbeat check with the Keycloak server.

Our best guess at this point is that this is an Apache issue rather than a
Keycloak issue -- that our eventual solution will probably involve checking
our virtual host configuration, etc. -- but I still wanted to see if anyone
could answer the following questions:


   1. Has anyone run into the same sorts of reverse proxying issues? If so,
   how did you solve them?
   2. What are the risks if, while searching for a solution, we were to
   temporarily move the Keycloak server into the DMZ, so that it is hosted on
   the same server that Apache is set up on? Is that an acceptable temporary
   fix while we work to resolve the underlying problem?

Thank you,

-- 
*Roger Turnau*

PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau at pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us
