The proxy configuration includes all the adapter configuration etc., except that in our case the Keycloak login page isn't displayed and the client is redirected through both proxies direct to the app without having to authenticate. Something fundamental is a bit skew-whiff; trouble is I can't see any output from the Keycloak proxy to troubleshoot.
On 13 May 2016 19:58:47 BST, Bill Burke <bburke(a)redhat.com> wrote:
The idea of the proxy is that the secured app doesn't have to have a plugin. The secured app is supposed to be on a private network and the proxy sits on a public one.
On 5/13/16 11:52 AM, Jason Axley wrote:
> From my read of the design, it doesn't look like the proxy design provides a secure way of front-ending an application that won't allow someone with network access behind the proxy to access the application either without authentication or by impersonating any user, since the design appears to rely on HTTP headers set with identity information sent to the backend application.
>
> A better design would have been to pass the actual Id Token to the backend application so that the backend application can actually verify the identity signature on the JWT, so that someone can't just fabricate arbitrary identity information. I would think this could work in concert with an application plugin that could consume these tokens and validate and make the identity information available to the application in a trustworthy manner.
>
> -Jason
>
> On 5/13/16, 8:00 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Guy Bowdler" <keycloak-user-bounces(a)lists.jboss.org on behalf of guybowdler(a)dorsetnetworks.com> wrote:
>
>> Hi,
>>
>> We've got the Keycloak Security Proxy (official one -
>> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html)
>> running and passing to an nginx proxy which is in turn proxying out
>> different apps, i.e.:
>>
>> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy]
>> ------> [application]
>>
>> Where [] denotes a different box, the ProxyBox is hostname.domain and
>> the apps are published as hostname.domain/appname
>>
>>
>> However, the client is able to access the application without
>> authentication, we have clients and roles set up in keycloak and the
>> config looks ok (although obviously isn't!)
>>
>> Are there any KeyCloak Proxy logs we can look at, or debugging options?
>> I haven't found any as yet and nothing is jumping out of the config.
>>
>> We can access the back end apps ok either from the Keycloak proxy
>> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this
>> latter connection will be restricted to localhost when it's working!).
>> The keycloak proxy config is very similar to the default except the
>> values from the keycloak installation GUI have been pasted in.
>>
>> Any troubleshooting tips would be much appreciated!
>>
>> thanks in advance:)
>>
>> Guy
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
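Jason's point above (the backend should verify the ID token itself rather than trust identity headers injected by a proxy), shown as an added example that is not from this thread or from the Keycloak project. It assumes HS256 with a constructed shared secret so it runs on the standard library alone; a Keycloak realm signs with RS256 and you would verify against the realm public key with a JWT library instead. `SECRET`, `ISSUER`, `AUDIENCE` and the `X-Auth-Username` header name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder values for the demo; a real realm key is never inline.
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example/realms/demo"   # constructed issuer URL
AUDIENCE = "app"                              # constructed client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a constructed HS256 JWT; stands in for the identity provider."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def identity_from_headers(headers: dict) -> str:
    """Header-trust model: anyone who can reach the backend picks the identity."""
    return headers.get("X-Auth-Username", "")


def identity_from_token(token: str, key: bytes = SECRET, now: float = 0.0):
    """Token-verify model: the backend checks alg, signature, iss, aud and exp
    itself, so a fabricated or tampered token yields no identity (None)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, AttributeError):
        return None                            # malformed token
    if header.get("alg") != "HS256":           # refuse "none" and alg confusion
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                            # signature does not verify
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                            # token minted for something else
    if claims.get("exp", 0) <= now:
        return None                            # expired
    return claims.get("preferred_username")
```

With the header model a request from anywhere behind the proxy can claim any user; with the token model the same forgery fails because the signature, issuer, audience and expiry are checked by the backend.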