* Can/Should one Keycloak Proxy virtual host and proxy multiple apps in
same instance? One thing stopping this is SSL. If Keycloak Proxy is
handling SSL, then there is no possibility of virtual hosting. If the
load balancer is handling SSL, then this is a possibility.
You can have multiple virtual hosts with the TLS endpoint being KC. We do
ti with OpenUnison and apache lets you do it I think with TLS 1.2 and
apache 2.4 (I have a customer thats doing that right now so I know it
works). So long as the cert has multiple Subject Alternative Names or is a
wildcard it should work.
* Keycloak Proxy currently needs an HttpSession as it stores
authentication information (JWS access token and Refresh Token) there so
it can forward it to the application. We'd have to either shrink needed
information so it could be stored in a cookie, or replication sessions.
THe latter of which would have the same issues with cross DC.
OpenUnison originally took the "everything in a cookie" approach, the
cookie quickly got too big to be effective and we had to switch to
maintaining a backend session.
I know I've brought this up before, but I'd like to offer up OpenUnison as
a starting point:
https://github.com/tremolosecurity/openunison. OU
probably has 70%-80% of what you are looking for. It already has the
reverse proxy code built in, written in Java, supports extensibility via
multiple mechanisms, an authorization subsystem that can easily be extended
to support an external az service and we have an extensible last mile
system for legacy apps that don't support openid connect for apache, .net
and Java. We also have multiple production deployments (including public
safety applications).
From a corporate standpoint we're already Red Hat partners at
multiple
levels. We're sponsoring Summit this year again and I'll be doing
a
session on OpenShift identity management and compliance.
Thanks
--
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity