[keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Thu Sep 7 09:53:19 EDT 2017

Sebastien, thanks a lot for the answer,
regarding the discussion about removing "auth-server-url-for-backend-requests"
I do understand why that was made.
The main problem that we are facing right now is that solving those issues
with DNS will work for most of the cases but not for environments such as
docker compose and minikube, where the
token verification is done comparing Strings and those strings contains
hosts and ports all together.

I good idea might be to add more flexibility to that verification, where we
can compare that the host is the same but ports might be different. DNS
resolution will work out the names but not the ports.

Regarding a Reverse proxy, we are looking into it.

On Thu, Sep 7, 2017 at 1:42 PM, Sebastien Blanc <sblanc at redhat.com> wrote:

> Here is the discussion on why "auth-server-url-for-backend-requests" was
> removed : http://lists.jboss.org/pipermail/keycloak-dev/2016-
> March/006783.html
>
> Can't you use a Reverse Proxy ? TBH I don't master enough this subject and
> would liek to hear the opinions from the community on this subject.
>
> On Thu, Sep 7, 2017 at 12:35 PM, Mauricio Salatino <salaboy at gmail.com>
> wrote:
>
>> Because I failed to mention that I'm using the Spring Boot Adapter, I'm
>> wondering now if we need something like this:
>> "auth-server-url-for-backend-requests"
>>
>> ->
>> https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-se
>> rver-url-for-backend-requests&type=
>>
>> Or if it was deprecated or not recommeneded to use.
>>
>>
>>
>> On Thu, Sep 7, 2017 at 11:14 AM, Mauricio Salatino <salaboy at gmail.com>
>> wrote:
>>
>> > Hi everyone,
>> > We using Keycloak behind a gateway (Zuul) and we are having issues with
>> > keycloak adapters not being able to validate the JWT token issued on
>> behalf
>> > of an external client. Our Gateway is forwarding all the X-FORWARDED-*
>> > headers correctly so the token is issued correctly but the problem is
>> that
>> > our adapters (in our services) contains the following configuration:
>> >
>> > keycloak.auth-server-url=*<local ip of keycloak server>:<port>/auth*
>> >
>> > Now the problem that we are facing is that the token will not be able to
>> > be validated by the adapter, because it was issued for the external IP
>> and
>> > the adapter is pointing to the local ip, so the token validation fails.
>> >
>> > I've seen several threads and jira issues about this problem without a
>> > clear solution and it sounds like the adapter's code can be easily
>> extended
>> > to support this scenario. Now the question is where that information
>> should
>> > live:
>> > 1) It can be set to the realm configuration so the adapter picks that up
>> > on start up and then use that information for the token validation
>> > 2) I can be picked up by the service that is getting the external IP in
>> > the X-FORWARDED-* headers (this might cause a security issue ??? )
>> >
>> > We can provide the code for the solution but before start coding we want
>> > to know what are your opinions on the matter and if this have been
>> solved
>> > before.
>> >
>> > Cheers
>> >
>> > Mauricio
>> >
>> >
>> > --
>> >  - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
>> >  - Co-Founder @ http://www.jugargentina.org
>> >  - Co-Founder @ http://www.jbug.com.ar
>> >
>> >  - Salatino "Salaboy" Mauricio -
>> >
>>
>>
>>
>> --
>>  - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
>>  - Co-Founder @ http://www.jugargentina.org
>>  - Co-Founder @ http://www.jbug.com.ar
>>
>>  - Salatino "Salaboy" Mauricio -
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

-- 
 - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
 - Co-Founder @ http://www.jugargentina.org
 - Co-Founder @ http://www.jbug.com.ar

 - Salatino "Salaboy" Mauricio -