Hello,
I agree that one needs to be able to test this automatically... but this
needs some additional thought.
For now how about rolling out the proxy support behind a feature flag and
asking the community for feedback?
I tested this for google APIs but I'd assume that since the proxy is transparently
applied in case the target hostname of a request matches the configured proxy
pattern it will work just fine.
Btw. I just gave this a try with the registration recaptcha and it worked
fine.
I had to adjust the default Content-Security-Policy sent by Keycloak though:
from:
frame-src self; frame-ancestors 'self'; object-src 'none';
to:
frame-src self
; frame-ancestors 'self';
object-src 'none';
One thing that is currently missing in the proxy support is support for
proxy authentication, but this could be added later.
Cheers,
Thomas
2017-10-16 12:55 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
We'd need some way of automatically testing HTTP proxy support, which is
non-trivial. The steps you've listed only manually check Google, but what
about everything else that may need to go through the HTTP proxy? Captcha,
other IdPs, external clients, etc..
On 11 October 2017 at 14:26, Thomas Darimont <thomas.darimont@googlemail.com> wrote:
> Hello,
>
> I've sent a PR [1] for KEYCLOAK-4743 [2] Add proxy support to
> HttpClientProvider SPI.
> The proposed implementation is based on the discussions from an older
> (rejected) PR [3]
>
> The current DefaultHttpClientProviderFactory doesn't support HTTP proxies
> which makes
> it very difficult to integrate social Identity Providers like google /
> facebook etc...
> when you are required to tunnel all external communications through a proxy
> server.
>
> Server Developers are currently required to either convince their network
> admins to
> loosen the proxy rules ... or provide a custom implementation of a
> HttpClientProvider,
> which is quite complex. Therefore it would be great if keycloak would add
> support
> for this out of the box.
>
> Since keycloak needs to be able to selectively use a (dedicated) proxy
> server
> for external and potentially no proxy for internal connections the
> configuration
> for that needs to be quite flexible.
>
> The current PR proposes to use an ordered list of proxymappings that match
> a http request host based on a regex pattern to a proxy uri which are
> processed
> by a new ProxyMappingsAwareRoutePlanner that is added to the internal
> HttpClient.
>
> A ProxyMapping has the form hostname-pattern;proxy-uri e.g.:
>
> .*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080
> .*\.acme\.corp\.com;NO_PROXY
> .*;http://fallback:8080
>
> (the catch all is optional)
> The first matching mapping defines the proxy to use. If no pattern matches
> then no proxy is used. One can also explicitly define that certain
> connections should not use a proxy.
>
> ... and can be configured via jboss-cli
>
> echo SETUP: Configure proxy routes for HttpClient SPI
>
> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>
> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",".*\\.acme\\.corp\\.com;NO_PROXY",".*;http://fallback:8080"])
>
> This can be tested as follows:
> 1) Apply the PR in branch, build a server distribution.
> 2) Start Keycloak with portOffset 10000 for http/https/ajp port.
> Configure the ProxyMappings in standalone.xml:
> via jboss-cli:
> echo SETUP: Configure proxy routes for HttpClient SPI
>
> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>
> /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://localhost:8080"])
>
> 3) Download and start BurpSuite [4]
> 4) By default burpsuite starts a proxy server on port 8080
> 5) Register google as auth provider and check entries in burp proxy log
> (Note that you potentially need to explicitly forward the request in
> the
> proxy tab in Burp)
>
> WDYT?
>
> Cheers,
> Thomas
>
> [1] https://github.com/keycloak/keycloak/pull/4543
> [2] https://issues.jboss.org/browse/KEYCLOAK-4743
> [3] https://github.com/keycloak/keycloak/pull/4040
> [4] https://portswigger.net/burp/help/suite_gettingstarted.html
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
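The mapping semantics described in the quoted proposal (ordered `hostname-pattern;proxy-uri` entries, first match wins, `NO_PROXY` for explicit direct connections, optional catch-all, no match means no proxy) as a self-contained Java example. This is an added illustration, not code from the Keycloak PR: the class names `ProxyMappingsDemo`, `ProxyMapping`, `Route` and `routeFor` are assumptions, the sample hostnames are constructed, and the step the real PR adds, plugging the lookup into Apache HttpClient's route planner, is left out. The one point worth noticing is that the pattern is matched against the whole hostname, so a rule written for `*.google.com` cannot be satisfied by a longer name that merely contains that suffix.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical model of the proposed proxy-mappings list (not Keycloak code). */
public final class ProxyMappingsDemo {

    /** Marker proxy-uri meaning "connect directly, never via a proxy". */
    static final String NO_PROXY = "NO_PROXY";

    /** One ordered entry: a regex that must match the whole request hostname. */
    static final class ProxyMapping {
        final Pattern hostPattern;
        final URI proxyUri; // null = explicit NO_PROXY

        ProxyMapping(Pattern hostPattern, URI proxyUri) {
            this.hostPattern = hostPattern;
            this.proxyUri = proxyUri;
        }

        /** Parses "hostname-pattern;proxy-uri"; the URI must carry scheme, host and port. */
        static ProxyMapping parse(String entry) {
            String[] parts = entry.split(";", 2);
            if (parts.length != 2 || parts[0].trim().isEmpty() || parts[1].trim().isEmpty()) {
                throw new IllegalArgumentException("expected 'hostname-pattern;proxy-uri', got: " + entry);
            }
            String proxy = parts[1].trim();
            URI uri = null;
            if (!NO_PROXY.equals(proxy)) {
                uri = URI.create(proxy);
                if (uri.getScheme() == null || uri.getHost() == null || uri.getPort() == -1) {
                    throw new IllegalArgumentException("proxy-uri needs scheme, host and port: " + proxy);
                }
            }
            return new ProxyMapping(Pattern.compile(parts[0].trim()), uri);
        }

        /** matches() anchors the regex to the entire hostname, not a substring of it. */
        boolean matches(String host) {
            return hostPattern.matcher(host).matches();
        }
    }

    /** Lookup result: the entry that matched (null if none) and the proxy it selects (null = direct). */
    static final class Route {
        final ProxyMapping mapping;
        final URI proxyUri;

        Route(ProxyMapping mapping, URI proxyUri) {
            this.mapping = mapping;
            this.proxyUri = proxyUri;
        }
    }

    private final List<ProxyMapping> mappings;

    ProxyMappingsDemo(List<String> entries) {
        List<ProxyMapping> parsed = new ArrayList<>();
        for (String e : entries) {
            parsed.add(ProxyMapping.parse(e));
        }
        this.mappings = Collections.unmodifiableList(parsed);
    }

    /** First matching mapping wins; if nothing matches, the connection is direct. */
    Route routeFor(String host) {
        for (ProxyMapping m : mappings) {
            if (m.matches(host)) {
                return new Route(m, m.proxyUri);
            }
        }
        return new Route(null, null);
    }

    static String describe(Route r) {
        if (r.mapping == null) return "direct (no mapping matched)";
        if (r.proxyUri == null) return "direct (NO_PROXY)";
        return "via " + r.proxyUri;
    }

    public static void main(String[] args) {
        // Constructed sample list in the proposal's format, catch-all included ...
        ProxyMappingsDemo withFallback = new ProxyMappingsDemo(Arrays.asList(
            ".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",
            ".*\\.acme\\.corp\\.com;NO_PROXY",
            ".*;http://fallback:8080"));
        // ... and the same list without the optional catch-all.
        ProxyMappingsDemo withoutFallback = new ProxyMappingsDemo(Arrays.asList(
            ".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",
            ".*\\.acme\\.corp\\.com;NO_PROXY"));

        String[] hosts = {                  // constructed sample hostnames
            "accounts.google.com",          // entry 1: corporate proxy
            "www.googleapis.com",           // entry 1: corporate proxy
            "ldap.acme.corp.com",           // entry 2: explicit NO_PROXY
            "accounts.google.com.example",  // not a full match for entry 1: falls through
            "graph.facebook.com"            // only the catch-all (if present) applies
        };
        for (String host : hosts) {
            System.out.printf("%-28s with catch-all: %-38s without: %s%n",
                host, describe(withFallback.routeFor(host)), describe(withoutFallback.routeFor(host)));
        }
    }
}
```

Run it as `java ProxyMappingsDemo.java` (Java 11 or later). Because `matches()` is used rather than `find()`, `accounts.google.com.example` reaches the fallback entry in the first list and goes direct in the second, which is the behaviour to check when writing the patterns: an unanchored match would have routed it through the corporate proxy as if it were a Google host.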