You should rethink your position, IMO. It's actually a huge benefit in
both usability and performance.
Usability in that you don't have to configure and run a completely
different program/process that is configured completely differently than
Keycloak. You can configure and manage all clients in one place.
Performance is that you get rid of all the redirects that happen with
SAML and OIDC. For your performance concern, you would just assign only
a set of specific nodes that would be your proxy. So, if you had a
keycloak cluster of 4 nodes, 2 nodes could be designated solely as proxy
nodes, the other 2 for normal SSO.
On 8/15/16 7:44 AM, Stian Thorgersen wrote:
I'm not convinced about this. A lot of complexity for what seems like
little benefit. The improvement of not having to do OIDC would
probably end up being outweighed by all requests going through
Keycloak rather than a separate proxy.
On 9 August 2016 at 11:06, Thomas Darimont
<thomas.darimont(a)googlemail.com> wrote:
FYI, I sent some questions to the undertow dev-mailing list
regarding dynamic vhost configuration:
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
Cheers,
Thomas
2016-08-05 21:26 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
Yeah, on the Client creation page, instead of oidc or saml,
you can pick "proxied". You would specify the URL pattern of
incoming requests and the URL pattern to forward HTTP requests
and bam, it just works. Set up some virtual host table on
demand with Undertow.
On 8/5/16 11:36 AM, Thomas Darimont wrote:
> Sounds interesting...
>
> could you provide a bit more detail about what you have in mind?
>
> Cheers,
> Thomas
>
> 2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
>
> Bump.
>
> I'm going to keep bumping this occasionally to see if somebody in the
> community wants to take this on.
>
>
> On 8/4/16 8:30 PM, Bill Burke wrote:
> > I think we should combine Keycloak Proxy with the keycloak server. When
> > creating a client, you would have an option to declare it as a proxied
> > client. This is way better than what we currently have as we wouldn't
> > have to do SAML or OIDC so it would be more performant and it would
> > require no additional setup.
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>