[keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Mauricio Salatino salaboy at gmail.com
Thu Sep 7 06:35:49 EDT 2017


Because I failed to mention that I'm using the Spring Boot Adapter, I'm
wondering now if we need something like this:
"auth-server-url-for-backend-requests"

->
https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-server-url-for-backend-requests&type=

Or if it was deprecated or not recommended to use.



On Thu, Sep 7, 2017 at 11:14 AM, Mauricio Salatino <salaboy at gmail.com>
wrote:

> Hi everyone,
> We are using Keycloak behind a gateway (Zuul) and we are having issues with
> keycloak adapters not being able to validate the JWT token issued on behalf
> of an external client. Our Gateway is forwarding all the X-FORWARDED-*
> headers correctly so the token is issued correctly but the problem is that
> our adapters (in our services) contain the following configuration:
>
> keycloak.auth-server-url=*<local ip of keycloak server>:<port>/auth*
>
> Now the problem that we are facing is that the token will not be able to
> be validated by the adapter, because it was issued for the external IP and
> the adapter is pointing to the local ip, so the token validation fails.
>
> I've seen several threads and jira issues about this problem without a
> clear solution and it sounds like the adapter's code can be easily extended
> to support this scenario. Now the question is where that information should
> live:
> 1) It can be set in the realm configuration so the adapter picks that up
> on start up and then uses that information for the token validation
> 2) It can be picked up by the service that is getting the external IP in
> the X-FORWARDED-* headers (this might cause a security issue ??? )
>
> We can provide the code for the solution but before we start coding we want
> to know what your opinions are on the matter and if this has been solved
> before.
>
> Cheers
>
> Mauricio
>
>
> --
>  - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
>  - Co-Founder @ http://www.jugargentina.org
>  - Co-Founder @ http://www.jbug.com.ar
>
>  - Salatino "Salaboy" Mauricio -
>



-- 
 - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
 - Co-Founder @ http://www.jugargentina.org
 - Co-Founder @ http://www.jbug.com.ar

 - Salatino "Salaboy" Mauricio -
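
The issuer mismatch described in this thread, and the two places the expected issuer could come from, as an added Python example (not part of the original message and not Keycloak adapter code). The host names, the realm name and all function names are constructed for illustration, and only the issuer comparison is modelled; signature verification is assumed to happen separately.

```python
import base64
import json

REALM = "demo"                              # constructed realm name
INTERNAL = "http://10.0.0.5:8080/auth"      # constructed: the adapter's keycloak.auth-server-url
EXTERNAL = "https://sso.example.com/auth"   # constructed: URL clients reach through the gateway

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(issuer: str) -> str:
    """Constructed, unsigned sample token; only the payload matters here."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": "user-1"}).encode())
    return f"{header}.{payload}."

def claims_of(token: str) -> dict:
    """Decode the payload segment. Signature verification is a separate step, not shown."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def realm_url(auth_server_url: str, realm: str) -> str:
    # Keycloak issuers have the form <auth-server-url>/realms/<realm>.
    return auth_server_url.rstrip("/") + "/realms/" + realm

def issuer_ok(token: str, expected_issuer: str) -> bool:
    return claims_of(token).get("iss") == expected_issuer

def issuer_from_forwarded(headers: dict, realm: str) -> str:
    # Option 2 from the thread: the expected issuer is taken from request headers,
    # so the expected value is whatever the request says it is.
    base = f"{headers['X-Forwarded-Proto']}://{headers['X-Forwarded-Host']}/auth"
    return realm_url(base, realm)

def demo() -> dict:
    token = make_token(realm_url(EXTERNAL, REALM))   # issued through the gateway
    foreign = make_token(realm_url("https://idp.other.example/auth", REALM))
    # Constructed headers that the gateway did not overwrite.
    headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "idp.other.example"}
    return {
        "internal_config": issuer_ok(token, realm_url(INTERNAL, REALM)),
        "pinned_external": issuer_ok(token, realm_url(EXTERNAL, REALM)),
        "header_derived_foreign": issuer_ok(foreign, issuer_from_forwarded(headers, REALM)),
        "pinned_foreign": issuer_ok(foreign, realm_url(EXTERNAL, REALM)),
    }

if __name__ == "__main__":
    print(demo())
```

With the expected issuer pinned in configuration, the gateway-issued token passes and the foreign one is rejected; with the header-derived value, the issuer check agrees with any issuer the headers name unless the gateway strips and rewrites X-Forwarded-* itself.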

