7:30 p.m.
I think we should combine Keycloak Proxy with the keycloak server. When
creating a client, you would have an option to declare it as a proxied
client. This is way better than what we currently have as we woudln't
have to do SAML or OIDC so it would be more performant and it would
require no additional setup.
9:38 a.m.
Bump.
I'm going to keep bumping this occasionally to see if somebody in the
community wants to take this on.
On 8/4/16 8:30 PM, Bill Burke wrote:
I think we should combine Keycloak Proxy with the keycloak server.
When
creating a client, you would have an option to declare it as a proxied
client. This is way better than what we currently have as we woudln't
have to do SAML or OIDC so it would be more performant and it would
require no additional setup.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:36 a.m.
Sounds interesting...
could you provide a bit more detail about what you have in mind?
Cheers,
Thomas
2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
Bump.
I'm going to keep bumping this occasionally to see if somebody in the
community wants to take this on.
On 8/4/16 8:30 PM, Bill Burke wrote:
> I think we should combine Keycloak Proxy with the keycloak server. When
> creating a client, you would have an option to declare it as a proxied
> client. This is way better than what we currently have as we woudln't
> have to do SAML or OIDC so it would be more performant and it would
> require no additional setup.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:26 p.m.
Yeah, on the Client creation page, instead of oidc or saml, you can pick
"proxied". You would specify the URL pattern of incoming requests and
the URL pattern to forward HTTP requests and bam, it just works. Set up
some virtual host table on demand with Undertow.
On 8/5/16 11:36 AM, Thomas Darimont wrote:
Sounds interesting...
could you provide a bit more detail about what you have in mind?
Cheers,
Thomas
2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>>:
Bump.
I'm going to keep bumping this occasionally to see if somebody in the
community wants to take this on.
On 8/4/16 8:30 PM, Bill Burke wrote:
> I think we should combine Keycloak Proxy with the keycloak
server. When
> creating a client, you would have an option to declare it as a
proxied
> client. This is way better than what we currently have as we
woudln't
> have to do SAML or OIDC so it would be more performant and it would
> require no additional setup.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
4:06 a.m.
FYI, I sent some questions to the undertow dev-mailing list regarding
dynamic vhost configuration:
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
Cheers,
Thomas
2016-08-05 21:26 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
Yeah, on the Client creation page, instead of oidc or saml, you can
pick
"proxied". You would specify the URL pattern of incoming requests and the
URL pattern to forward HTTP requests and bam, it just works. Set up some
virtual host table on demand with Undertow.
On 8/5/16 11:36 AM, Thomas Darimont wrote:
Sounds interesting...
could you provide a bit more detail about what you have in mind?
Cheers,
Thomas
2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
> Bump.
>
> I'm going to keep bumping this occasionally to see if somebody in the
> community wants to take this on.
>
>
> On 8/4/16 8:30 PM, Bill Burke wrote:
> > I think we should combine Keycloak Proxy with the keycloak server. When
> > creating a client, you would have an option to declare it as a proxied
> > client. This is way better than what we currently have as we woudln't
> > have to do SAML or OIDC so it would be more performant and it would
> > require no additional setup.
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
6:44 a.m.
I'm not convinced about this. A lot of complexity for what seems like
little benefit. The improvement of not having to do OIDC would probably end
up being outweighed by all requests going through Keycloak rather than a
separate proxy.
On 9 August 2016 at 11:06, Thomas Darimont <thomas.darimont(a)googlemail.com>
wrote:
FYI, I sent some questions to the undertow dev-mailing list
regarding
dynamic vhost configuration:
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
Cheers,
Thomas
2016-08-05 21:26 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
> Yeah, on the Client creation page, instead of oidc or saml, you can pick
> "proxied". You would specify the URL pattern of incoming requests and the
> URL pattern to forward HTTP requests and bam, it just works. Set up some
> virtual host table on demand with Undertow.
>
> On 8/5/16 11:36 AM, Thomas Darimont wrote:
>
> Sounds interesting...
>
> could you provide a bit more detail about what you have in mind?
>
> Cheers,
> Thomas
>
> 2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
>
>> Bump.
>>
>> I'm going to keep bumping this occasionally to see if somebody in the
>> community wants to take this on.
>>
>>
>> On 8/4/16 8:30 PM, Bill Burke wrote:
>> > I think we should combine Keycloak Proxy with the keycloak server.
>> When
>> > creating a client, you would have an option to declare it as a proxied
>> > client. This is way better than what we currently have as we woudln't
>> > have to do SAML or OIDC so it would be more performant and it would
>> > require no additional setup.
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:38 a.m.
You should rethink your position, IMO. Its actually a huge benefit in
both usability and performance.
Usability in that you don't have to configure and run a completely
different program/process that is configured completely different than
Keycloak. You can configure and manage all clients in one place.
Performance is that you get rid of all the redirects that happen with
SAML and OIDC. FOr your performance concern, you would just assign only
a set of specific nodes that would be your proxy. So, if you had a
keycloak cluster of 4 nodes, 2 nodes could be designated solely as proxy
nodes, the other 2 for normal SSO.
On 8/15/16 7:44 AM, Stian Thorgersen wrote:
I'm not convinced about this. A lot of complexity for what seems
like
little benefit. The improvement of not having to do OIDC would
probably end up being outweighed by all requests going through
Keycloak rather than a separate proxy.
On 9 August 2016 at 11:06, Thomas Darimont
<thomas.darimont(a)googlemail.com
<mailto:thomas.darimont@googlemail.com>> wrote:
FYI, I sent some questions to the undertow dev-mailing list
regarding dynamic vhost configuration:
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
<http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html>
Cheers,
Thomas
2016-08-05 21:26 GMT+02:00 Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>>:
Yeah, on the Client creation page, instead of oidc or saml,
you can pick "proxied". You would specify the URL pattern of
incoming requests and the URL pattern to forward HTTP requests
and bam, it just works. Set up some virtual host table on
demand with Undertow.
On 8/5/16 11:36 AM, Thomas Darimont wrote:
> Sounds interesting...
>
> could you provide a bit more detail about what you have in mind?
>
> Cheers,
> Thomas
>
> 2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>>:
>
> Bump.
>
> I'm going to keep bumping this occasionally to see if
> somebody in the
> community wants to take this on.
>
>
> On 8/4/16 8:30 PM, Bill Burke wrote:
> > I think we should combine Keycloak Proxy with the
> keycloak server. When
> > creating a client, you would have an option to declare
> it as a proxied
> > client. This is way better than what we currently have
> as we woudln't
> > have to do SAML or OIDC so it would be more performant
> and it would
> > require no additional setup.
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
9:04 a.m.
Don't you think that all that is pretty much related with turning Keycloak as a Web
Application Firewall (WAF) ? Now that we also have authz services in, we can do a lot of
things at this regard.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: stian(a)redhat.com, "Thomas Darimont" <thomas.darimont(a)googlemail.com>
Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
Sent: Monday, August 15, 2016 10:38:00 AM
Subject: Re: [keycloak-dev] combine proxy and keycloak server
You should rethink your position, IMO. Its actually a huge benefit in both usability and
performance.
Usability in that you don't have to configure and run a completely different
program/process that is configured completely different than Keycloak. You can configure
and manage all clients in one place. Performance is that you get rid of all the redirects
that happen with SAML and OIDC. FOr your performance concern, you would just assign only a
set of specific nodes that would be your proxy. So, if you had a keycloak cluster of 4
nodes, 2 nodes could be designated solely as proxy nodes, the other 2 for normal SSO.
On 8/15/16 7:44 AM, Stian Thorgersen wrote:
I'm not convinced about this. A lot of complexity for what seems like little benefit.
The improvement of not having to do OIDC would probably end up being outweighed by all
requests going through Keycloak rather than a separate proxy.
On 9 August 2016 at 11:06, Thomas Darimont < thomas.darimont(a)googlemail.com > wrote:
FYI, I sent some questions to the undertow dev-mailing list regarding dynamic vhost
configuration:
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
Cheers,
Thomas
2016-08-05 21:26 GMT+02:00 Bill Burke < bburke(a)redhat.com > :
Yeah, on the Client creation page, instead of oidc or saml, you can pick
"proxied". You would specify the URL pattern of incoming requests and the URL
pattern to forward HTTP requests and bam, it just works. Set up some virtual host table on
demand with Undertow.
On 8/5/16 11:36 AM, Thomas Darimont wrote:
Sounds interesting...
could you provide a bit more detail about what you have in mind?
Cheers,
Thomas
2016-08-05 16:38 GMT+02:00 Bill Burke < bburke(a)redhat.com > :
Bump.
I'm going to keep bumping this occasionally to see if somebody in the
community wants to take this on.
On 8/4/16 8:30 PM, Bill Burke wrote:
I think we should combine Keycloak Proxy with the keycloak server.
When
creating a client, you would have an option to declare it as a proxied
client. This is way better than what we currently have as we woudln't
have to do SAML or OIDC so it would be more performant and it would
require no additional setup.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:09 a.m.
Yes. There will be a lot of stuff we can do.
On 8/15/16 10:04 AM, Pedro Igor Silva wrote:
Don't you think that all that is pretty much related with turning
Keycloak as a Web Application Firewall (WAF) ? Now that we also have authz services in, we
can do a lot of things at this regard.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: stian(a)redhat.com, "Thomas Darimont" <thomas.darimont(a)googlemail.com>
Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
Sent: Monday, August 15, 2016 10:38:00 AM
Subject: Re: [keycloak-dev] combine proxy and keycloak server
You should rethink your position, IMO. Its actually a huge benefit in both usability and
performance.
Usability in that you don't have to configure and run a completely different
program/process that is configured completely different than Keycloak. You can configure
and manage all clients in one place. Performance is that you get rid of all the redirects
that happen with SAML and OIDC. FOr your performance concern, you would just assign only a
set of specific nodes that would be your proxy. So, if you had a keycloak cluster of 4
nodes, 2 nodes could be designated solely as proxy nodes, the other 2 for normal SSO.
On 8/15/16 7:44 AM, Stian Thorgersen wrote:
I'm not convinced about this. A lot of complexity for what seems like little benefit.
The improvement of not having to do OIDC would probably end up being outweighed by all
requests going through Keycloak rather than a separate proxy.
On 9 August 2016 at 11:06, Thomas Darimont < thomas.darimont(a)googlemail.com >
wrote:
FYI, I sent some questions to the undertow dev-mailing list regarding dynamic vhost
configuration:
http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
Cheers,
Thomas
2016-08-05 21:26 GMT+02:00 Bill Burke < bburke(a)redhat.com > :
Yeah, on the Client creation page, instead of oidc or saml, you can pick
"proxied". You would specify the URL pattern of incoming requests and the URL
pattern to forward HTTP requests and bam, it just works. Set up some virtual host table on
demand with Undertow.
On 8/5/16 11:36 AM, Thomas Darimont wrote:
Sounds interesting...
could you provide a bit more detail about what you have in mind?
Cheers,
Thomas
2016-08-05 16:38 GMT+02:00 Bill Burke < bburke(a)redhat.com > :
Bump.
I'm going to keep bumping this occasionally to see if somebody in the
community wants to take this on.
On 8/4/16 8:30 PM, Bill Burke wrote:
> I think we should combine Keycloak Proxy with the keycloak server. When
> creating a client, you would have an option to declare it as a proxied
> client. This is way better than what we currently have as we woudln't
> have to do SAML or OIDC so it would be more performant and it would
> require no additional setup.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:10 a.m.
You'll end up with another "protocol" to do this, which is additional
maintenance and testing and more importantly a new potential vector for
vulnerabilities. Not great IMO.
What you are describing around having dedicated nodes for the proxy
operations just sounds more complex than having completely separate servers
completely. For high performance I'd imagine the proxy would end up with
having quite different needs for configuration than the Keycloak server as
well.
There's also plenty of options around proxies (Apache, nginx, APIMan,
3scale, etc.). I'm not convinced we should even have our own. Sounds like
APIMan might actually survive and end up being supported in some form, so
that may still be a better option to us rolling our own proxy/gateway.
On 15 August 2016 at 15:38, Bill Burke <bburke(a)redhat.com> wrote:
You should rethink your position, IMO. Its actually a huge benefit
in
both usability and performance.
Usability in that you don't have to configure and run a completely
different program/process that is configured completely different than
Keycloak. You can configure and manage all clients in one place.
Performance is that you get rid of all the redirects that happen with SAML
and OIDC. FOr your performance concern, you would just assign only a set
of specific nodes that would be your proxy. So, if you had a keycloak
cluster of 4 nodes, 2 nodes could be designated solely as proxy nodes, the
other 2 for normal SSO.
On 8/15/16 7:44 AM, Stian Thorgersen wrote:
I'm not convinced about this. A lot of complexity for what seems like
little benefit. The improvement of not having to do OIDC would probably end
up being outweighed by all requests going through Keycloak rather than a
separate proxy.
On 9 August 2016 at 11:06, Thomas Darimont <thomas.darimont(a)googlemail.com
> wrote:
> FYI, I sent some questions to the undertow dev-mailing list regarding
> dynamic vhost configuration:
> http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
>
> Cheers,
> Thomas
>
> 2016-08-05 21:26 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
>
>> Yeah, on the Client creation page, instead of oidc or saml, you can pick
>> "proxied". You would specify the URL pattern of incoming requests and
the
>> URL pattern to forward HTTP requests and bam, it just works. Set up some
>> virtual host table on demand with Undertow.
>>
>> On 8/5/16 11:36 AM, Thomas Darimont wrote:
>>
>> Sounds interesting...
>>
>> could you provide a bit more detail about what you have in mind?
>>
>> Cheers,
>> Thomas
>>
>> 2016-08-05 16:38 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
>>
>>> Bump.
>>>
>>> I'm going to keep bumping this occasionally to see if somebody in the
>>> community wants to take this on.
>>>
>>>
>>> On 8/4/16 8:30 PM, Bill Burke wrote:
>>> > I think we should combine Keycloak Proxy with the keycloak server.
>>> When
>>> > creating a client, you would have an option to declare it as a proxied
>>> > client. This is way better than what we currently have as we
woudln't
>>> > have to do SAML or OIDC so it would be more performant and it would
>>> > require no additional setup.
>>> >
>>> > _______________________________________________
>>> > keycloak-dev mailing list
>>> > keycloak-dev(a)lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
3:43 p.m.
On 8/16/16 3:10 AM, Stian Thorgersen wrote:
You'll end up with another "protocol" to do this, which
is additional
maintenance and testing and more importantly a new potential vector
for vulnerabilities. Not great IMO.
Protocol? You mean like AJP? BTW, making an argument not to have a
feature because of maintenance and testing is a really lame reason.
Anybody can basically just use that argument for anything they don't like.
What you are describing around having dedicated nodes for the proxy
operations just sounds more complex than having completely separate
servers completely. For high performance I'd imagine the proxy would
end up with having quite different needs for configuration than the
Keycloak server as well.
Not really. You just specify a DNS entry that points to one of your
Keycloak nodes that is designated as the proxy. You ahve to do that
anyways.
As far as config goes, if the proxy needs to be configured differently,
we just provide an extra domain.xml profile like we do for the example
load-balancer that is described in the docs.
There's also plenty of options around proxies (Apache, nginx,
APIMan,
3scale, etc.). I'm not convinced we should even have our own. Sounds
like APIMan might actually survive and end up being supported in some
form, so that may still be a better option to us rolling our own
proxy/gateway.
Disagree 100%. Right now without a supported proxy we have zero control
over how other languages and environments integrate with Keycloak
(except Java). We're at the mercy of mod-auth-mellon and
mod-auth-openidc the latter of which isn't even maintained by RHT. Both
of which we do not have any in house knowledge to make extensions to.
The potential to simplify and unify setup and configuration and
management is just too huge here to ignore.
But, we're arguing over something that nobody has time to work on anyways :)
Bill
5:19 p.m.
On 08/16/2016 04:43 PM, Bill Burke wrote:
> There's also plenty of options around proxies (Apache, nginx,
APIMan,
> 3scale, etc.). I'm not convinced we should even have our own. Sounds
> like APIMan might actually survive and end up being supported in some
> form, so that may still be a better option to us rolling our own
> proxy/gateway.
>
Disagree 100%. Right now without a supported proxy we have zero control
over how other languages and environments integrate with Keycloak
(except Java). We're at the mercy of mod-auth-mellon and
mod-auth-openidc the latter of which isn't even maintained by RHT. Both
of which we do not have any in house knowledge to make extensions to.
The potential to simplify and unify setup and configuration and
management is just too huge here to ignore.
Correction, Red Hat does support mod_auth_openidc and we do have
in-house expertise to modify and extend these packages. In fact we're
already made significant contributions to mod_auth_mellon and the lasso
SAML library it utilizes.
The platform group has deployed Keycloak behind both the Apache and
HAproxy proxies and has (started) documenting the process. We also are
in the process of writing Ansible and Puppet configuration modules to
help deploy Keycloak, I believe in all these scenarios Keycloak is
behind a proxy.
I wish our two groups had better awareness of each other.
--
John
10:03 p.m.
On 8/16/16 6:19 PM, John Dennis wrote:
On 08/16/2016 04:43 PM, Bill Burke wrote:
>> There's also plenty of options around proxies (Apache, nginx, APIMan,
>> 3scale, etc.). I'm not convinced we should even have our own. Sounds
>> like APIMan might actually survive and end up being supported in some
>> form, so that may still be a better option to us rolling our own
>> proxy/gateway.
>>
> Disagree 100%. Right now without a supported proxy we have zero control
> over how other languages and environments integrate with Keycloak
> (except Java). We're at the mercy of mod-auth-mellon and
> mod-auth-openidc the latter of which isn't even maintained by RHT. Both
> of which we do not have any in house knowledge to make extensions to.
> The potential to simplify and unify setup and configuration and
> management is just too huge here to ignore.
Correction, Red Hat does support mod_auth_openidc and we do have
in-house expertise to modify and extend these packages. In fact we're
already made significant contributions to mod_auth_mellon and the
lasso SAML library it utilizes.
The platform group has deployed Keycloak behind both the Apache and
HAproxy proxies and has (started) documenting the process. We also are in
Could
you share these docs with us..create better awareness between the
two groups, because we already had to document that process from the
keycloak end and we're missing the apache end of things:
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
the process of writing Ansible and Puppet configuration modules to
help deploy Keycloak, I believe in all these scenarios Keycloak is
behind a proxy.
I wish our two groups had better awareness of each other.
By in-house knowledge, I mean a member of this team that reports to
Bolek. Right now we're stuck with vanilla SAML and OIDC and however
these mod-auth plugins implement those specs. Are you willing to
maintain a fork of these mods with keycloak-specific extensions? For
example we're writing an extension to our Java OIDC adapters so that we
can have sticky sessions for both the browser redirects and out-of-band
code to token requests so we can avoid unnecessary DB hits. I know you
guys support mod-auth-mellon, but mod-auth-openidc is managed and run by
a commercial competitor: ping identity, which, by itself sucks from a
perception perspective.
But we're diverging into arguments that were not the focus of the
original post. My main focus to reduce the number of things you have
to install and configure, make configuration and management consistent,
reduce the number of steps to secure an app, and finally reduce the
number of network hops for a login. Make security easier and faster for
developers which is why Stian and I started the project in the first place.
2:08 a.m.
On 16 August 2016 at 22:43, Bill Burke <bburke(a)redhat.com> wrote:
On 8/16/16 3:10 AM, Stian Thorgersen wrote:
You'll end up with another "protocol" to do this, which is additional
maintenance and testing and more importantly a new potential vector for
vulnerabilities. Not great IMO.
Protocol? You mean like AJP? BTW, making an argument not to have a
feature because of maintenance and testing is a really lame reason. Anybody
can basically just use that argument for anything they don't like.
I thought you where stating it shouldn't use OIDC or SAML. So it'll need to
be something else right? IMO we should leverage OIDC and SAML and not come
up with yet another way to do the same thing.
I'm sorry, but it's not a lame reason at all to argue the time and
complexity of implementing and maintaining something. That should always be
taken into consideration. Just for argument sake if it took 5 man-years to
implement, test and maintain what you are proposing (I'm not saying that it
will, but I'm exaggerating to prove a point) and it exposed us to thousands
of vulnerabilities (again, I'm exaggerating) would that not be a good
enough reason not to do it?
What you are describing around having dedicated nodes for the proxy
operations just sounds more complex than having completely separate servers
completely. For high performance I'd imagine the proxy would end up with
having quite different needs for configuration than the Keycloak server as
well.
Not really. You just specify a DNS entry that points to one of your
Keycloak nodes that is designated as the proxy. You ahve to do that
anyways.
As far as config goes, if the proxy needs to be configured
differently, we
just provide an extra domain.xml profile like we do for the example
load-balancer that is described in the docs.
So you have one group of Keycloak servers acting as a proxy with some
special config, then another group of Keycloak servers acting as regular KC
servers with yet another config. Then you have different DNS settings
depending on what app it is. Etc. etc.. How is that simpler than just using
the Keycloak proxy we have today with a separate KC server?
A lot of tweaking goes into creating a proxy that works fast and with the
minimum latency. Just talk to the APIMan guys. I believe they have much
better performance on Vert.x than they have on Undertow as well.
There's also plenty of options around proxies (Apache, nginx, APIMan,
3scale, etc.). I'm not convinced we should even have our own. Sounds like
APIMan might actually survive and end up being supported in some form, so
that may still be a better option to us rolling our own proxy/gateway.
Disagree 100%. Right now without a supported proxy we have zero control
over how other languages and environments integrate with Keycloak (except
Java). We're at the mercy of mod-auth-mellon and mod-auth-openidc the
latter of which isn't even maintained by RHT. Both of which we do not have
any in house knowledge to make extensions to. The potential to simplify
and unify setup and configuration and management is just too huge here to
ignore.
Apache and nginx as proxies are what folks use and already have in place.
Having yet another proxy in the mix doesn't really simplify things IMO. An
alternative to making life easier would be to make it easier to use Apache
and nginx rather than reinvent the wheel and create our own.
But, we're arguing over something that nobody has time to work on anyways
:)
Arguing (or discussing...) might end up in it becoming a high priority in
which case we would find someone ;)
Bill
3:53 p.m.
There's also plenty of options around proxies (Apache, nginx, APIMan,
3scale, etc.). I'm not convinced we should even have our own. Sounds like
APIMan might actually survive and end up being supported in some form, so
that may still be a better option to us rolling our own proxy/gateway.
For what its worth, OpenUnison could play this role with KC where
OpenUnison does the integration with with applications and KC via OIDC
or SAML2 (I'm working on a POC right now using KC for authentication,
MyVirtualDirectory for multi directory access and OpenUnison/ScaleJS
for provisioning/Reverse Proxy) with Kubernetes and its working great.
We already have a powerful LastMile system for application integration
that lets us integrate with J2EE, LAMP and .NET applications. The
integration between OpenUnison and KC took me about 5 minutes. We
have source2image that makes the deployment even easier.
-
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
4:07 p.m.
One of the main reasons for this whole email thread was to provide a way
to reduce the number of moving parts that need to be installed and
configured. And reduce the number of steps it takes to secure an
application. Integration with other things is interesting, but not the
goal of what I'm proposing.
On 8/16/16 4:53 PM, Marc Boorshtein wrote:
> There's also plenty of options around proxies (Apache, nginx,
APIMan,
> 3scale, etc.). I'm not convinced we should even have our own. Sounds like
> APIMan might actually survive and end up being supported in some form, so
> that may still be a better option to us rolling our own proxy/gateway.
>
For what its worth, OpenUnison could play this role with KC where
OpenUnison does the integration with with applications and KC via OIDC
or SAML2 (I'm working on a POC right now using KC for authentication,
MyVirtualDirectory for multi directory access and OpenUnison/ScaleJS
for provisioning/Reverse Proxy) with Kubernetes and its working great.
We already have a powerful LastMile system for application integration
that lets us integrate with J2EE, LAMP and .NET applications. The
integration between OpenUnison and KC took me about 5 minutes. We
have source2image that makes the deployment even easier.
-
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
4:12 p.m.
While I can appreciate that logic, OU is a solution that is live and works,
open source and is actively being developed. Just food for thought instead
of developing a new solution.
Thanks
Marc
On Tuesday, August 16, 2016, Bill Burke <bburke(a)redhat.com> wrote:
One of the main reasons for this whole email thread was to provide a
way
to reduce the number of moving parts that need to be installed and
configured. And reduce the number of steps it takes to secure an
application. Integration with other things is interesting, but not the
goal of what I'm proposing.
--
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
3141
days inactive
3153
days old
16 comments
6 participants
participants (6)
-
Bill Burke -
John Dennis -
Marc Boorshtein -
Pedro Igor Silva -
Stian Thorgersen -
Thomas Darimont