+1
I wonder if it's cleaner that we also add existing stuff in
ServerInfoAdminResource to this SPI?
One minor thing, it seems there is no handling of preflight OPTIONS
request in your new endpoint?
Marek
On 06/01/17 09:31, Stian Thorgersen wrote:
I've been looking at some issues with reverse proxy when Keycloak is
installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
inconvenient and not straightforward to debug if the proxy configuration is
correct.
To verify URLs you have to for example open the well-known endpoint for
OIDC. Then you have to verify the remote IP address by doing a failed login
attempt and looking at the server log.
To make this simpler I propose adding the start of a server info endpoint.
It will be a SPI that allows plugging in server info providers that can
show different details if authenticated or not.
You can either view info for all providers at a time with
"/realms/master/.info" or for a specific provider
"/realms/master/.info/proxy".
The proxy info provider will display:
{
  "authServerUrl" : "http://host1/auth",
  "remoteAddress" : "127.0.0.1",
  "proxyDetected" : true,
  "headers" : {
    "Host" : "host1",
    "X-Forwarded-For" : "1.2.3.4",
    "X-Forwarded-Host" : "host2",
    "X-Forwarded-Proto" : "https"
  }
}
Implementation is ready [2]; I just need to get feedback and add tests.
In the future we can expand on this to for instance provide a health
monitoring endpoint that allows checking the server health (JPA
connections, Infinispan connections, IdP connections, user fed connections,
etc.).
[1] https://issues.jboss.org/browse/KEYCLOAK-4149
[2] https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e...
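Added example (not part of the original thread or of Keycloak's code): a small check over the proxy info output proposed above that flags where the server-side values (authServerUrl, remoteAddress) disagree with the X-Forwarded-* headers the server received. The field names come from the message; `check_proxy_info` and `SAMPLE` are hypothetical names, and the check assumes the headers were set by a trusted reverse proxy.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the proxy provider output shown in the message above.
SAMPLE = json.loads("""
{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "127.0.0.1",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "1.2.3.4",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}
""")


def check_proxy_info(info):
    """Return (code, message) findings where the server's view of the request
    disagrees with the X-Forwarded-* headers it received."""
    # Header names are case-insensitive, so normalise them before lookup.
    headers = {k.lower(): v.strip() for k, v in info.get("headers", {}).items()}
    url = urlsplit(info["authServerUrl"])
    findings = []

    proto = headers.get("x-forwarded-proto")
    if proto and proto.lower() != url.scheme:
        findings.append(("scheme", f"URL uses {url.scheme}, proxy forwarded {proto}"))

    fwd_host = headers.get("x-forwarded-host")
    if fwd_host:
        # Take the first value and drop any port before comparing.
        expected = urlsplit("//" + fwd_host.split(",")[0].strip()).hostname
        if expected != url.hostname:
            findings.append(("host", f"URL uses {url.hostname}, proxy forwarded {expected}"))

    fwd_for = headers.get("x-forwarded-for")
    if fwd_for:
        hops = [h.strip() for h in fwd_for.split(",")]
        if info.get("remoteAddress") not in hops:
            findings.append(("remote-address",
                             f"{info.get('remoteAddress')} is not in X-Forwarded-For {hops}"))
    return findings


if __name__ == "__main__":
    for code, message in check_proxy_info(SAMPLE):
        print(f"{code}: {message}")
```

An empty result means the generated URL and the logged client address both follow the forwarded headers; any finding names the value the server is not taking from the proxy.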