Thanks for your reply Chris,

Good point about the constraints I'll check tomorrow, must admit I'd forgotten all about them, just assumed you'd have to login regardless.

So from what you say, there is no currently supported way of getting key cloak to authenticate direct from the proxy. Is this correct?

Kind regards

Guy


On 15 May 2016 15:39:59 BST, Chris Pitman <cpitman@redhat.com> wrote:
I'm using the proxy in one of my environments and it definitely is requiring authentication. The logs are pretty poor, so debugging is a pain.

Two possibilities come to mind:

First, are you sure you haven't already authenticated? If you look at the network activity in your browser, are you redirected to keycloak then directed back to your app?

Second, have you set constraints in the proxy config? Do those constraints (starting at your configured base path) match the urls you are trying to hit?

Bill: As far as I am aware, neither of those httpd modules are supported by us either. A supported option for getting SSO in front of legacy apps is step 1 of getting in the door at clients. If we do end up telling customers to use an apache module, adding generated config for them to the web ui would really help.

Chris Pitman
Senior Architect, Red Hat Consulting

----- Original Message -----
 
 
 FYI I haven't touched this code in more than a year and have been relying on
 the community to maintain it. Why? Well, we're not supporting it in product
 and Apache plugins like mod-auth-mellon and mod-auth-oidc exist. We're also
 talking to other teams like API Man to see if we can offload the proxy on
 them. Anyways, sounds like lame excuses...I know you just want answers...
 
 On 5/13/16 4:33 PM, Guy Bowdler wrote:
 
 
 Also, you just need to configure and back end proxy only to accept
 connections from the key cloak proxy to secure, we've just left it open for
 now to troubleshoot
 
 On 13 May 2016 19:58:47 BST, Bill Burke <bburke@redhat.com> wrote:
 
 
 The idea of the proxy is that the secured app doesn't have to have a
 plugin.  The secured app is
supposed to be on a private network and the
 proxy sits on a public one.
 
 
 On 5/13/16 11:52 AM, Jason Axley wrote:
 
 From my read of the design, it doesn’t look like the proxy design provides a
 secure way of front-ending an application that won’t allow someone with
 network access behind the proxy to access the application either without
 authentication or by impersonating any user since the design appears to rely
 on HTTP headers set with identity information sent to the backend
 application.
 
  A better design would have been to pass the actual Id Token to the backend
  application so that the backend application can actually verify the
  identity signature on the JWT so that someone can’t just fabricate
 arbitrary identity information.  I would think this could work in concert
 with an application plugin that could consume these tokens and validate and
 make the identity
information available to the application in a trustworthy
 manner.
 
  -Jason
 
  On 5/13/16, 8:00 AM, "keycloak-user-bounces@lists.jboss.org on behalf of Guy
  Bowdler" <keycloak-user-bounces@lists.jboss.org on behalf of
  guybowdler@dorsetnetworks.com> wrote:
 
 Hi,
 
  We've got the Keycloak Security Proxy (official one -
  https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html )
  running and passing to an nginx proxy which is in turn proxying out
  different apps, ie:
 
  [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx
 Reverse Proxy]
  ------> [application]
 
  Where [] denotes a different box, the ProxyBox is hostname.domain and
  the apps are published as hostname.domain/appname
 
 
  However, the client is able to access the
application without
  authentication, we have clients and roles set up in keycloak and the
  config looks ok (although obviously isn't!)
 
  Are there any KeyCloak Proxy logs we can look at, or debugging options?
  I haven't found any as yet andnothing is jumping out of the config.
 
  We can access the back end apps ok either from the Keycloak proxy
  running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this
  latter connection will be restricted to localhost when it's working!).
  The keycloak proxy config is very similar to the default except the
  values from the keycloak installation GUI have been pasted in.
 
  Any troubleshooting tips would be much appreciated! thanks in advance:)
 
  Guy
 keycloak-user mailing list keycloak-user@lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user

keycloak-user mailing list keycloak-user@lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user
 keycloak-user mailing list keycloak-user@lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user
 -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
 

 keycloak-user mailing list
 keycloak-user@lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.