<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>The access token is a JSON Web Signature (JWS) signed by the
      realm.  What you're describing is bearer token auth.  The
      difference being that the token is in the KEYCLOAK_ACCESS_TOKEN
      header rather than the Authorization header.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 5/17/16 3:28 PM, Guy Bowdler wrote:<br>
    </div>
    <blockquote
      cite="mid:6C1B7781-FB36-433B-8E5B-67D0E1BB3384@dorsetnetworks.com"
      type="cite">
      Hi Jason, 
      <div class=""><br class="">
      </div>
      <div class="">Thanks for your input.  Rest assured this is all under
        consideration, especially the authorisation side of things.
        The keycloak proxy does look like it exposes key fields in
        headers that are otherwise quite tricky to extract by other
        means and that can be easily processed by the application.
        Ensuring that there is no header manipulation may be trickier, but there
        should be some signing in the JWT our devs can check against.<br
          class="">
        <div class="">
          <div>Guy Bowdler</div>
          <div>Dorset Networks</div>
          <div>01202 694966 | 07793 290798 | <a moz-do-not-send="true"
              href="http://www.dorsetnetworks.com" class="">www.dorsetnetworks.com</a></div>
          <div>Website and email hosting | Computer Networks</div>
        </div>
        <br class="">
        <div>
          <blockquote type="cite" class="">
            <div class="">On 17 May 2016, at 18:42, Jason Axley &lt;<a
                moz-do-not-send="true" href="mailto:jaxley@expedia.com"
                class="">jaxley@expedia.com</a>&gt; wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <div class="">Not requiring a plugin is a fine design
                goal, but the applications must have custom code to at
                least extract the user’s identity information from the
                HTTP requests.  It would be the best design approach to
                actually provide the application with *verifiable*
                identity information in the form of the JWT that can be
                verified with a plugin or inside the same set of
                application code that is responsible for extracting the
                identity for the request.<br class="">
                <br class="">
                Perhaps, since the access token is sent along as
                KEYCLOAK_ACCESS_TOKEN, the server could request the
                JWT if it knew the URL?  I would be sure to document
                how integrating applications behind the proxy should
                securely integrate and validate the identity
                information, otherwise apps won’t do this securely.<br
                  class="">
                <br class="">
                Secure design necessitates replacing assumptions with
                controls wherever possible.  Assumptions such as “there
                is no bad guy on my network” are pretty devastating to
                security and in practice impossible to ensure but a
                control such as “attackers cannot forge JWT tokens” is
                much more robust and easy to reason about.  <br class="">
                <br class="">
                -Jason<br class="">
                <br class="">
                On 5/13/16, 11:58 AM, "<a moz-do-not-send="true"
                  href="mailto:keycloak-user-bounces@lists.jboss.org"
                  class="">keycloak-user-bounces@lists.jboss.org</a> on
                behalf of Bill Burke" &lt;<a moz-do-not-send="true"
                  href="mailto:keycloak-user-bounces@lists.jboss.org"
                  class="">keycloak-user-bounces@lists.jboss.org</a> on
                behalf of <a moz-do-not-send="true"
                  href="mailto:bburke@redhat.com" class="">bburke@redhat.com</a>&gt;
                wrote:<br class="">
                <br class="">
                <blockquote type="cite" class="">The idea of the proxy
                  is that the secured app doesn't have to have a <br
                    class="">
                  plugin.  The secured app is supposed to be on a
                  private network and the <br class="">
                  proxy sits on a public one.<br class="">
                  <br class="">
                  <br class="">
                  On 5/13/16 11:52 AM, Jason Axley wrote:<br class="">
                  <blockquote type="cite" class=""> From my read of the
                    design, it doesn’t look like the proxy design
                    provides a secure way of front-ending an application
                    that won’t allow someone with network access behind
                    the proxy to access the application either without
                    authentication or by impersonating any user since
                    the design appears to rely on HTTP headers set with
                    identity information sent to the backend
                    application.<br class="">
                    <br class="">
                    A better design would have been to pass the actual
                    Id Token to the backend application so that the
                    backend application can actually verify the identity
                    signature on the JWT so that someone can’t just
                    fabricate arbitrary identity information.  I would
                    think this could work in concert with an application
                    plugin that could consume these tokens and validate
                    and make the identity information available to the
                    application in a trustworthy manner.<br class="">
                    <br class="">
                    -Jason<br class="">
                    <br class="">
                    On 5/13/16, 8:00 AM, "<a moz-do-not-send="true"
                      href="mailto:keycloak-user-bounces@lists.jboss.org"
                      class="">keycloak-user-bounces@lists.jboss.org</a>
                    on behalf of Guy Bowdler" &lt;<a
                      moz-do-not-send="true"
                      href="mailto:keycloak-user-bounces@lists.jboss.org"
                      class="">keycloak-user-bounces@lists.jboss.org</a>
                    on behalf of <a moz-do-not-send="true"
                      href="mailto:guybowdler@dorsetnetworks.com"
                      class="">guybowdler@dorsetnetworks.com</a>&gt;
                    wrote:<br class="">
                    <br class="">
                    <blockquote type="cite" class="">Hi,<br class="">
                      <br class="">
                      We've got the Keycloak Security Proxy (official
                      one -<br class="">
                      <a moz-do-not-send="true"
href="https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html"
                        class="">https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html</a>)<br
                        class="">
                      running and passing to an nginx proxy which is in
                      turn proxying out<br class="">
                      different apps, ie:<br class="">
                      <br class="">
                      [client] ----&gt; [:80|443 KeyCloak Proxy ----&gt;
                      :8080 Nginx Reverse Proxy]<br class="">
                      ------&gt; [application]<br class="">
                      <br class="">
                      Where [] denotes a different box, the ProxyBox is
                      hostname.domain and<br class="">
                      the apps are published as hostname.domain/appname<br
                        class="">
                      <br class="">
                      <br class="">
                      However, the client is able to access the
                      application without<br class="">
                      authentication, we have clients and roles set up
                      in keycloak and the<br class="">
                      config looks ok (although obviously isn't!)<br
                        class="">
                      <br class="">
                      Are there any KeyCloak Proxy logs we can look at,
                      or debugging options?<br class="">
                      I haven't found any as yet and nothing is jumping
                      out of the config.<br class="">
                      <br class="">
                      We can access the back end apps ok either from the
                      Keycloak proxy<br class="">
                      running on ports 80 or 443 or via the nginx proxy
                      on 8080 (and yes, this<br class="">
                      latter connection will be restricted to localhost
                      when it's working!).<br class="">
                      The keycloak proxy config is very similar to the
                      default except the<br class="">
                      values from the keycloak installation GUI have
                      been pasted in.<br class="">
                      <br class="">
                      Any troubleshooting tips would be much
                      appreciated!<br class="">
                      <br class="">
                      thanks in advance:)<br class="">
                      <br class="">
                      Guy<br class="">
                      <br class="">
                      _______________________________________________<br
                        class="">
                      keycloak-user mailing list<br class="">
                      <a moz-do-not-send="true"
                        href="mailto:keycloak-user@lists.jboss.org"
                        class="">keycloak-user@lists.jboss.org</a><br
                        class="">
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br class="">
                    </blockquote>
                  </blockquote>
                </blockquote>
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
    <br>
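<p>The control the thread argues for, as an added example that is not part of this thread or of Keycloak's proxy code: a backend that takes identity only from the realm-signed JWS in the KEYCLOAK_ACCESS_TOKEN header and ignores any plain identity header the proxy may set. It assumes an RS256-signed compact JWS; demoKey and signToken are constructed stand-ins for the realm's key and token issuance, and Claims is an assumed subset of the token's payload.</p>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of the access token the backend acts on (constructed).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
// verifyAccessToken validates the compact JWS from KEYCLOAK_ACCESS_TOKEN: alg pinned to
// RS256, signature checked with the realm public key, expiry enforced. Identity is taken
// only from the verified payload, never from a plain header the proxy sets.
func verifyAccessToken(token string, pub *rsa.PublicKey, now int64) (*Claims, error) {
	parts := strings.Split(token, ".") // always has at least one element
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed JWS or alg not RS256") // also refuses alg=none
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against realm key")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil || c.Exp <= now {
		return nil, errors.New("malformed or expired payload")
	}
	return &c, nil
}
// demoKey and signToken stand in for the realm (constructed; a real backend loads the realm's public key).
func demoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func signToken(priv *rsa.PrivateKey, c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	input := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

<p>A tampered payload, an alg=none header, an expired token and a bare string are all refused; only the token the realm stand-in signed yields a subject.</p>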
  </body>
</html>