Yes, I was logged-in to the master realm when testing this.
On Tue, Jul 31, 2018 at 12:08 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I assume you're creating the initial access token when logged-in
to the
master realm right? Will add a testcase for that specifically and fix it.
Probably just need to change the realm in the KeycloakContext when creating
the token.
On Tue, 31 Jul 2018 at 10:59, Johannes Knutsen <johannes(a)kodet.no> wrote:
>
> Just tested this branch. This seems like a good change.
> However, I have an issue when creating an Initial Access Token in a
> realm configured with a fixed hostname different from the hostname
> used when accessing the admin console. The resulting initial access
> token gets the request hostname as issuer and not the fixed hostname
> configured for the realm. I expected the issuer to have the same
> hostname as the fixed realm configuration.
>
> - Johannes
>
> On Mon, Jul 30, 2018 at 10:56 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
> > I've got a working prototype now. If anyone wants to take a look and
> > review
> > that would be great. It's mainly missing tests at the moment.
> >
> >
https://github.com/stianst/keycloak/tree/KEYCLOAK-7967
> >
> > Some implementation details:
> >
> > * There's two providers: request (current Keycloak behaviour) and fixed
> > * When 'fixed' provider is selected the admin console will let you set
a
> > hostname for a realm
> > * 'fixed' provider by default uses http and https port -1. This will
> > result
> > in no ports in the URLs. If for some reason you need to set different
> > than
> > default http/https ports for public URLs then you can set the
> > httpPort/httpsPort properties on the fixed provider (this can't be
> > overridden per realm)
> >
> > Now I need to figure out how to test it, which is going to be a bit
> > tricky
> > as we don't have support to restart the server from the tests at the
> > moment.
> >
> >
> > On Mon, 30 Jul 2018 at 13:51, Stian Thorgersen <sthorger(a)redhat.com>
> > wrote:
> >
> >>
> >>
> >> On Mon, 30 Jul 2018 at 13:28, Sebastian Laskawiec
<slaskawi(a)redhat.com>
> >> wrote:
> >>
> >>>
> >>>
> >>> On Mon, Jul 30, 2018 at 1:05 PM Stian Thorgersen
<sthorger(a)redhat.com>
> >>> wrote:
> >>>
> >>>> Keycloak needs to know its public URL for a number of reasons. For
> >>>> example
> >>>> in the OIDC well-known endpoint, issuer in tokens and emails sent
to
> >>>> users.
> >>>>
> >>>> At the moment we retrieve this from the request headers and have
> >>>> documented
> >>>> how to block requests with invalid URLs (
> >>>>
https://www.keycloak.org/docs/latest/server_admin/index.html#host).
> >>>> The
> >>>> latter is important in production installations.
> >>>>
> >>>> There's two problems with the current approach:
> >>>>
> >>>> 1) Clients in the same subnet can't use internal IP to
communicate
> >>>> with
> >>>> Keycloak
> >>>> 2) Configuring the valid URLs is an important step to secure a
> >>>> production
> >>>> installation, but the current approach is probably not well known
and
> >>>> is
> >>>> rather messy to configure
> >>>
> >>>
> >>>> I propose we introduce an BaseURL SPI to allow a flexible way to
> >>>> determine
> >>>> the base URL. We would add two implementations OOTB:
> >>>>
> >>>> 1) Request - this would be set as the default-provider and would
> >>>> determine
> >>>> the base url from request headers as we do today
> >>>> 2) Fixed - this would allow setting a hardcoded public URL
> >>>>
> >>>
> >>> How about adding a third option - "None". This would mean the
Keycloak
> >>> operates without a fixed public IP (the implementation could probably
> >>> call
> >>> back into "localhost:8080/auth" using a "Fixed"
implementation).
> >>> However,
> >>> with "None" we would be explicitly saying that there's no
public IP
> >>> and all
> >>> requests need to be local (e.g. from the same machine or Pod (sidecar
> >>> approach)).
> >>>
> >>
> >> Keycloak has to know what URL users should be accessing it on. That can
> >> be
> >> an internal URL or external URL, but Keycloak needs to know the actual
> >> URL.
> >> There's really no such thing as a Keycloak server only reached
> >> internally.
> >> Users needs to be able to login, they need links in password recovery
> >> emails, etc, etc.
> >>
> >>
> >>>
> >>>
> >>>>
> >>>> In standalone.xml it would look like this:
> >>>>
> >>>> <spi name="baseURL">
> >>>> <default-provider>request</default-provider>
> >>>> <provider name="fixed">
> >>>> <properties>
> >>>> <property name="baseURL"
value="localhost:8080/auth"/>
> >>>> </properties>
> >>>> </provider>
> >>>> </spi>
> >>>>
> >>>> For production the default-provider should be changed to fixed and
> >>>> the
> >>>> baseURL value should be changed. This can be handled either through
> >>>> manual
> >>>> editing standalone.xml or with jboss-cli.
> >>>>
> >>>
> >>> How about using the "None" as the default here?
> >>>
> >>>
> >>>>
> >>>> Once this is incorporated it will make it easy to add support for
> >>>> backchannel URL back to the adapters to allow adapters to use
> >>>> internal IP
> >>>> address when communicating with Keycloak.
> >>>>
> >>>> Implementation shouldn't be hard. It's mainly about making
sure that
> >>>> UriInfo is retrieved from KeycloakSession#KeycloakContext and not
> >>>> injected
> >>>> directly.
> >>>>
> >>>> If anyone has more complex requirements for determining the public
> >>>> URL
> >>>> they
> >>>> can implement their own provider to handle it.
> >>>>
> >>>> One thing I'm not sure about is if it's common to use
different URLs
> >>>> for
> >>>> different realms. If that's the case we may consider adding
some
> >>>> support
> >>>> for mapping different realms to different baseURLs. I don't
think
> >>>> this is
> >>>> common though.
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev(a)lists.jboss.org
> >>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>
> >>>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-dev