On 3/13/17 9:05 PM, Marc Boorshtein wrote:
>> * Can/Should one Keycloak Proxy virtual host and proxy multiple apps in
>> the same instance? One thing stopping this is SSL. If Keycloak Proxy is
>> handling SSL, then there is no possibility of virtual hosting. If the
>> load balancer is handling SSL, then this is a possibility.
> You can have multiple virtual hosts with the TLS endpoint being KC.
> We do it with OpenUnison and apache lets you do it I think with TLS
> 1.2 and apache 2.4 (I have a customer that's doing that right now so I
> know it works). So long as the cert has multiple Subject Alternative
> Names or is a wildcard it should work.
Didn't know that, I'll have to try it out. I thought the browser only
validated by looking at the CN. Thanks for that.
>> * Keycloak Proxy currently needs an HttpSession as it stores
>> authentication information (JWS access token and Refresh Token) there so
>> it can forward it to the application. We'd have to either shrink the
>> needed information so it could be stored in a cookie, or replicate
>> sessions. The latter of which would have the same issues with cross DC.
> OpenUnison originally took the "everything in a cookie" approach, the
> cookie quickly got too big to be effective and we had to switch to
> maintaining a backend session.
We already have a cookie option with our Java saml/oidc adapters that
some users prefer. Not everybody is trying to solve the world's problems
with their identity tokens.
> I know I've brought this up before, but I'd like to offer up
> OpenUnison as a starting point:
> https://github.com/tremolosecurity/openunison. OU probably has 70%-80%
> of what you are looking for. It already has the reverse proxy code
> built in, written in Java, supports extensibility via multiple
> mechanisms, an authorization subsystem that can easily be extended to
> support an external az service and we have an extensible last mile
> system for legacy apps that don't support openid connect for apache,
> .net and Java. We also have multiple production deployments
> (including public safety applications).
>
> From a corporate standpoint we're already Red Hat partners at multiple
> levels. We're sponsoring Summit this year again and I'll be doing a
> session on OpenShift identity management and compliance.
So nice of you to hijack the thread to promote your own product. Not
very professional. It's a bit hypocritical of me to say this as I've
done it myself in the past and received a lot of crap for it. Now
that it's being done to my project I can see why people get upset over
it. This isn't the first time you've done this. If you do it again,
we'll remove you from the list. I really don't give a shit if you're a
partner or not.
Cheers,
Bill