<html><head></head><body>Thanks for your reply Chris,<br>
<br>
Good point about the constraints I'll check tomorrow, must admit I'd forgotten all about them, just assumed you'd have to login regardless. <br>
<br>
So from what you say, there is no currently supported way of getting key cloak to authenticate direct from the proxy. Is this correct?<br>
<br>
Kind regards<br>
<br>
Guy <br>
<br><br><div class="gmail_quote">On 15 May 2016 15:39:59 BST, Chris Pitman <cpitman@redhat.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">I'm using the proxy in one of my environments and it definitely is requiring authentication. The logs are pretty poor, so debugging is a pain.<br /><br />Two possibilities come to mind:<br /><br />First, are you sure you haven't already authenticated? If you look at the network activity in your browser, are you redirected to keycloak then directed back to your app?<br /><br />Second, have you set constraints in the proxy config? Do those constraints (starting at your configured base path) match the urls you are trying to hit?<br /><br />Bill: As far as I am aware, neither of those httpd modules are supported by us either. A supported option for getting SSO in front of legacy apps is step 1 of getting in the door at clients. If we do end up telling customers to use an apache module, adding generated config for them to the web ui would really help.<br /><br />Chris Pitman<br />Senior Architect, Red Hat Consulting<br /><br />----- Original Message -----<br
/><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> <br /> <br /> FYI I haven't touched this code in more than a year and have been relying on<br /> the community to maintain it. Why? Well, we're not supporting it in product<br /> and Apache plugins like mod-auth-mellon and mod-auth-oidc exist. We're also<br /> talking to other teams like API Man to see if we can offload the proxy on<br /> them. Anyways, sounds like lame excuses...I know you just want answers...<br /> <br /> On 5/13/16 4:33 PM, Guy Bowdler wrote:<br /> <br /> <br /> Also, you just need to configure and back end proxy only to accept<br /> connections from the key cloak proxy to secure, we've just left it open for<br /> now to troubleshoot<br /> <br /> On 13 May 2016 19:58:47 BST, Bill Burke <bburke@redhat.com> wrote:<br /> <br /> <br /> The idea of the proxy is that the secured app doesn't have to have a<br /> plugin. The secured app is
supposed to be on a private network and the<br /> proxy sits on a public one.<br /> <br /> <br /> On 5/13/16 11:52 AM, Jason Axley wrote:<br /> <br /> From my read of the design, it doesn’t look like the proxy design provides a<br /> secure way of front-ending an application that won’t allow someone with<br /> network access behind the proxy to access the application either without<br /> authentication or by impersonating any user since the design appears to rely<br /> on HTTP headers set with identity information sent to the backend<br /> application.<br /> <br /> A better design would have been to pass the actual Id Token to the backend<br /> application so that the backend application can actually verify the<br /> identity signature on the JWT so that someone can’t just fabricate<br /> arbitrary identity information. I would think this could work in concert<br /> with an application plugin that could consume these tokens and validate and<br /> make the identity
information available to the application in a trustworthy<br /> manner.<br /> <br /> -Jason<br /> <br /> On 5/13/16, 8:00 AM, "keycloak-user-bounces@lists.jboss.org on behalf of Guy<br /> Bowdler" <keycloak-user-bounces@lists.jboss.org on behalf of<br /> guybowdler@dorsetnetworks.com> wrote:<br /> <br /> Hi,<br /> <br /> We've got the Keycloak Security Proxy (official one -<br /> <a href="https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html">https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html</a> )<br /> running and passing to an nginx proxy which is in turn proxying out<br /> different apps, ie:<br /> <br /> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx<br /> Reverse Proxy]<br /> ------> [application]<br /> <br /> Where [] denotes a different box, the ProxyBox is hostname.domain and<br /> the apps are published as hostname.domain/appname<br /> <br /> <br /> However, the client is able to access the
application without<br /> authentication, we have clients and roles set up in keycloak and the<br /> config looks ok (although obviously isn't!)<br /> <br /> Are there any KeyCloak Proxy logs we can look at, or debugging options?<br /> I haven't found any as yet andnothing is jumping out of the config.<br /> <br /> We can access the back end apps ok either from the Keycloak proxy<br /> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this<br /> latter connection will be restricted to localhost when it's working!).<br /> The keycloak proxy config is very similar to the default except the<br /> values from the keycloak installation GUI have been pasted in.<br /> <br /> Any troubleshooting tips would be much appreciated! thanks in advance:)<br /> <br /> Guy<br /> keycloak-user mailing list keycloak-user@lists.jboss.org<br /> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br />
keycloak-user mailing list keycloak-user@lists.jboss.org<br /> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br /> keycloak-user mailing list keycloak-user@lists.jboss.org<br /> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br /> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.<br /> <br /><hr /><br /> keycloak-user mailing list<br /> keycloak-user@lists.jboss.org<br /> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br /></blockquote></pre></blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>