On 8 March 2016 at 09:43, Marek Posolda <mposolda(a)redhat.com> wrote:
+1 to remove it.
We can always re-add or add something different if people start to
complain ;-)
I guess that sooner or later we may still need a possibility to
configure the hostname for the Keycloak server. I think that there were people with
funky deployments having issues even if they don't use
auth-server-url-for-backend-requests. Another possibility, instead of
introducing a hostname, might be to introduce a list of valid URLs on the adapter
side which are acceptable as issuers of the access token. But who knows, maybe
everyone can somehow fix their deployment and we won't need anything :-)
I don't think we'll need it, nor do I think we need a list of valid URLs on
the adapter side. It's a slippery slope to do that, both in terms of usability
and security. A token should be issued by a specific Keycloak server (and the
hostname is important here), and a token issued by one Keycloak server with
one hostname is not equivalent to a token issued by another server.
If someone can't configure DNS or hostnames they'll just have to invoke it
through the reverse proxy or load balancer. In fact in a cluster you most
likely will have to go through the load balancer in either case.
Marek
On 08/03/16 09:08, Stian Thorgersen wrote:
Currently we allow adapters to configure two urls for Keycloak
(auth-server-url and auth-server-url-for-backend-requests). I propose we
remove auth-server-url-for-backend-requests.
The auth-server-url-for-backend-requests property was added as a way for
adapters to invoke Keycloak directly without having to go through a load
balancer or reverse proxy.
The issue with auth-server-url-for-backend-requests is that the Keycloak
server will not know the adapter is invoking Keycloak from a different URL,
which results in invalid URLs in tokens and also if any links are generated
(for example verify email).
It also means that there's a need to have two separate certificates
configured for Keycloak as there are different hostnames.
The currently proposed solution is to add a way to configure the hostname
for the Keycloak server. However, this is an extra configuration
requirement and is also a significant amount of work to implement, as well
as potentially quite error prone. This could further be problematic if
there are indeed two valid URLs for a server (for example
http://company.com and http://internal.company.com).
We should simply remove auth-server-url-for-backend-requests. If anyone
wants to bypass the load balancer for internal machines, that should be
solved at the DNS level or by adding entries to the hosts file. As the
hostname remains the same there's no need for multiple certificates, nor is
there a need to hardcode the address on the Keycloak server itself.
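To make the issuer point in the thread concrete, here is an added example written for this page; it is not code from Keycloak or from any of its adapters. It assumes the token is a JWT whose `iss` claim has the form `<auth-server-url>/realms/<realm>`, an `/auth` context path and https on the server URL, and uses company.com and internal.company.com from the thread as constructed sample hostnames. The strict check accepts only the one configured issuer, so a token minted via the internal hostname is refused; the allow-list variant shows how each extra entry widens what the adapter will accept, which is the slippery slope the reply warns about.

```python
"""Illustrative adapter-side issuer check (not Keycloak's adapter code).

Assumptions, not taken from the thread: tokens are JWTs whose ``iss``
claim is ``<auth-server-url>/realms/<realm>``; the server runs under
https with an /auth context path; company.com and internal.company.com
are the sample hostnames used in the discussion.
"""
import base64
import json


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """The single legitimate issuer for this adapter: one server, one hostname."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def issuer_from_jwt(token: str) -> str:
    """Read the ``iss`` claim from the payload segment of a compact JWS.

    The claim is trusted only once the signature is verified against the
    keys of that one expected issuer; reading it first lets the adapter
    refuse tokens that name any other hostname before doing anything else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("missing or non-string iss claim")
    return iss


def issuer_matches(token: str, auth_server_url: str, realm: str) -> bool:
    """Strict check: iss must equal the one configured URL exactly.

    No normalisation and no alternatives: a token minted for one hostname
    is not equivalent to a token minted for another.
    """
    return issuer_from_jwt(token) == expected_issuer(auth_server_url, realm)


def issuer_in_allowlist(token: str, allowed_issuers) -> bool:
    """The alternative floated in the thread: a list of acceptable issuers.

    Every entry added here is one more hostname whose tokens the adapter
    will treat as its own; the check gets weaker with each addition.
    """
    return issuer_from_jwt(token) in set(allowed_issuers)


def make_demo_token(claims: dict) -> str:
    """Constructed sample token: real base64url header and payload, but a
    placeholder signature segment, so it would never pass signature checks."""
    def seg(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([seg(header), seg(claims), "signature-placeholder"])


# Constructed configuration and tokens for the demonstration.
AUTH_SERVER_URL = "https://company.com/auth"
REALM = "demo"
INTERNAL_ISSUER = "https://internal.company.com/auth/realms/demo"

PUBLIC_TOKEN = make_demo_token(
    {"iss": expected_issuer(AUTH_SERVER_URL, REALM), "sub": "alice"})
INTERNAL_TOKEN = make_demo_token({"iss": INTERNAL_ISSUER, "sub": "alice"})

if __name__ == "__main__":
    print(issuer_matches(PUBLIC_TOKEN, AUTH_SERVER_URL, REALM))    # True
    print(issuer_matches(INTERNAL_TOKEN, AUTH_SERVER_URL, REALM))  # False
    # Widening the check to a list makes the internal-hostname token acceptable.
    print(issuer_in_allowlist(
        INTERNAL_TOKEN,
        [expected_issuer(AUTH_SERVER_URL, REALM), INTERNAL_ISSUER]))  # True
```

The comparison is a plain string equality on purpose: once an adapter starts normalising hosts or consulting a list, the question "which server issued this token" no longer has a single answer, which is exactly the property the thread wants to keep.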
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev