Here is the discussion on why "auth-server-url-for-backend-requests" was
removed:
Can't you use a Reverse Proxy? TBH I don't master this subject well enough and
would like to hear the opinions from the community on this subject.
On Thu, Sep 7, 2017 at 12:35 PM, Mauricio Salatino <salaboy(a)gmail.com> wrote:
Because I failed to mention that I'm using the Spring Boot Adapter, I'm
wondering now if we need something like this:
"auth-server-url-for-backend-requests"
->
https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-server-url-for-backend-requests&type=
Or if it was deprecated or not recommended to use.
On Thu, Sep 7, 2017 at 11:14 AM, Mauricio Salatino <salaboy(a)gmail.com> wrote:
> Hi everyone,
> We are using Keycloak behind a gateway (Zuul) and we are having issues with
> keycloak adapters not being able to validate the JWT token issued on behalf
> of an external client. Our Gateway is forwarding all the X-FORWARDED-*
> headers correctly so the token is issued correctly but the problem is that
> our adapters (in our services) contain the following configuration:
>
> keycloak.auth-server-url=*<local ip of keycloak server>:<port>/auth*
>
> Now the problem that we are facing is that the token will not be able to
> be validated by the adapter, because it was issued for the external IP and
> the adapter is pointing to the local ip, so the token validation fails.
>
> I've seen several threads and jira issues about this problem without a
> clear solution and it sounds like the adapter's code can be easily extended
> to support this scenario. Now the question is where that information should
> live:
> 1) It can be set in the realm configuration so the adapter picks that up
> on start up and then uses that information for the token validation
> 2) It can be picked up by the service that is getting the external IP in
> the X-FORWARDED-* headers (this might cause a security issue ??? )
>
> We can provide the code for the solution but before we start coding we want
> to know what your opinions are on the matter and if this has been solved
> before.
>
> Cheers
>
> Mauricio
>
>
> --
> - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
> - Co-Founder @ http://www.jugargentina.org
> - Co-Founder @ http://www.jbug.com.ar
>
> - Salatino "Salaboy" Mauricio -
>
--
- MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
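
The issuer mismatch described in the thread, and the second option raised there (taking the expected issuer from the X-FORWARDED-* headers), as an added Python example that is not part of the original messages and is not Keycloak adapter code. The host names, the realm name `demo`, the `/realms/<realm>` issuer layout, the allowlist parameter and all helper names are assumptions; the sample tokens are constructed and signature verification is deliberately left out so only the issuer check is shown.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(issuer: str) -> str:
    """Build a constructed JWT-shaped token; the signature part is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": "sample-user"}).encode())
    return f"{header}.{payload}.dummy-signature"


def token_issuer(token: str) -> str:
    """Read the 'iss' claim from the payload (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def realm_url(auth_server_url: str, realm: str) -> str:
    """Expected issuer for a realm, derived from the configured server URL."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def issuer_ok_static(token: str, auth_server_url: str, realm: str) -> bool:
    """Compare 'iss' with the issuer derived from static configuration."""
    return token_issuer(token) == realm_url(auth_server_url, realm)


def issuer_ok_from_headers(token: str, headers: dict, realm: str,
                           allowed_hosts: set) -> bool:
    """Option 2 from the thread: derive the expected issuer from forwarded
    headers. The headers are client-influenced unless the gateway overwrites
    them, so the host is accepted only if it is in a configured allowlist."""
    host = headers.get("X-Forwarded-Host", "")
    proto = headers.get("X-Forwarded-Proto", "https")
    if host not in allowed_hosts:
        return False  # never let a request header pick an arbitrary issuer
    return token_issuer(token) == realm_url(f"{proto}://{host}/auth", realm)
```
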