7:08 a.m.
We have an idea to isolate our application in our internal network so that
all communication in that network can go by HTTP.
So we've set up a public nginx server, witch is responsible for
establishing https connections.
Public nginx server forwards requests to another nginx server in secured
internal network, witch is in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of invalid redirect issue.
In our client's json file we have to define auth-server-url with HTTPS
scheme. When we try to specify HTTP Keycloak no longer works.
So my question: is it possible to make things work by HTTP in internal
private network and HTTPS only remain for public access.
Any guidance will be appreciated.
8:04 a.m.
We use this setup and it works fine.
BigIP load balancer in front with HTTPS termination. Behind that, a nginx
server acts as a proxy in front of a docker container running Keycloak.
What do you mean by "But this configuration is not working because of
invalid redirect issue."?
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
fre. 25. nov. 2016 kl. 14.10 skrev Andrey Saroul <andrey.saroul(a)gmail.com>:
We have an idea to isolate our application in our internal network so
that
all communication in that network can go by HTTP.
So we've set up a public nginx server, witch is responsible for
establishing https connections.
Public nginx server forwards requests to another nginx server in secured
internal network, witch is in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of invalid redirect issue.
In our client's json file we have to define auth-server-url with HTTPS
scheme. When we try to specify HTTP Keycloak no longer works.
So my question: is it possible to make things work by HTTP in internal
private network and HTTPS only remain for public access.
Any guidance will be appreciated.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Pål Oliver Kristiansen
Cornix Consulting
92 22 60 41
10:33 a.m.
Hi Andrew,
The answer is "it depends". When generating tokens or metadata,
Keycloak uses the scheme://hostname:port/ that was used to access it to
fill the different issuers/URLs. The same values must match in the client
JSON file so the client can validate the source of the token.
At the client level, this could be handled by having a custom translation
step over the configuration that accept both schemes and match it to the
issuer, not something that Keycloak seems to support natively last time I
checked.
Doing SSO through multiple aliases always has this sort of issues. This is
usually something that should be avoided. Can you keep Keycloak HTTPs and
your application HTTP in your internal network?
Gabriel
2016-11-25 8:08 GMT-05:00 Andrey Saroul <andrey.saroul(a)gmail.com>:
We have an idea to isolate our application in our internal network so
that
all communication in that network can go by HTTP.
So we've set up a public nginx server, witch is responsible for
establishing https connections.
Public nginx server forwards requests to another nginx server in secured
internal network, witch is in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of invalid redirect issue.
In our client's json file we have to define auth-server-url with HTTPS
scheme. When we try to specify HTTP Keycloak no longer works.
So my question: is it possible to make things work by HTTP in internal
private network and HTTPS only remain for public access.
Any guidance will be appreciated.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Gabriel Lavoie
glavoie(a)gmail.com
2:57 a.m.
New subject: Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
Dear Keycloak people,
Please find below the suggestion that will allow easiest integration of Keycloak behind
HTTPS reverse proxy.
I suggest to add to the Keycloak configuration the new property - the client URL.
Then, the Keycloak will use the property when generating tokens or metadata (instead of to
rely on incoming HTTP request).
This will allow to use Keycloak over HTTP and to use SSL only in reverse proxy.
Additional suggestion will allow to configure Keycloak to work behind Reverse Proxy with
Network Address Translation (NAT) (I have asked the question here
http://lists.jboss.org/pipermail/keycloak-user/2016-November/008454.html).
I suggest to add to the Keycloak configuration the additional new property - the internal
client URL.
Then Keycloak will use the property in org.keycloak.protocol.oidc.OIDCWellKnownProvider
and will create the well-known configuration with internal and external IPs.
Clients will use the well-known configuration and will be able to connect to Keycloak
without any problems.
What do you say about the suggestions?
If you think it is good I will happy to implement and test it during our integration with
Keycloak.
Best regards,
Michael
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Gabriel Lavoie <glavoie(a)gmail.com Sent:
Wednesday, November 30, 2016 6:33 PM
To: Andrey Saroul
Cc: keycloak-user
Subject: Re: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
Hi Andrew,
The answer is "it depends". When generating tokens or metadata,
Keycloak uses the scheme://hostname:port/ that was used to access it to
fill the different issuers/URLs. The same values must match in the client
JSON file so the client can validate the source of the token.
At the client level, this could be handled by having a custom translation
step over the configuration that accept both schemes and match it to the
issuer, not something that Keycloak seems to support natively last time I
checked.
Doing SSO through multiple aliases always has this sort of issues. This is
usually something that should be avoided. Can you keep Keycloak HTTPs and
your application HTTP in your internal network?
Gabriel
2016-11-25 8:08 GMT-05:00 Andrey Saroul <andrey.saroul(a)gmail.com>:
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives.
Using keycloak-user: To post a message to all the list members ...
--
Gabriel Lavoie
glavoie(a)gmail.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss
Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives.
Using keycloak-user: To post a message to all the list members ...
We have an idea to isolate our application in our internal network so
that
all communication in that network can go by HTTP.
So we've set up a public nginx server, witch is responsible for
establishing https connections.
Public nginx server forwards requests to another nginx server in secured
internal network, witch is in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of invalid redirect issue.
In our client's json file we have to define auth-server-url with HTTPS
scheme. When we try to specify HTTP Keycloak no longer works.
So my question: is it possible to make things work by HTTP in internal
private network and HTTPS only remain for public access.
Any guidance will be appreciated.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page -
JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user
3:14 a.m.
That's exact feature which I've been looking for.
That will solve our problem with reverse proxy.
I defenetly vote for this feature to be implemented!
2016-12-05 11:57 GMT+03:00 Michael Furman <michael_furman(a)hotmail.com>:
Dear Keycloak people,
Please find below the suggestion that will allow easiest integration of
Keycloak behind HTTPS reverse proxy.
I suggest to add to the Keycloak configuration the new property – the
client URL.
Then, the Keycloak will use the property when generating tokens or
metadata (instead of to rely on incoming HTTP request).
This will allow to use Keycloak over HTTP and to use SSL only in reverse
proxy.
Additional suggestion will allow to configure Keycloak to work behind
Reverse Proxy with Network Address Translation (NAT) (I have asked the
question here http://lists.jboss.org/pipermail/keycloak-user/2016-
November/008454.html).
I suggest to add to the Keycloak configuration the additional new property
– the internal client URL.
Then Keycloak will use the property in org.keycloak.protocol.oidc.OIDCWellKnownProvider
and will create the well-known configuration with internal and external IPs.
Clients will use the well-known configuration and will be able to connect
to Keycloak without any problems.
What do you say about the suggestions?
If you think it is good I will happy to implement and test it during our
integration with Keycloak.
Best regards,
Michael
------------------------------
*From:* keycloak-user-bounces(a)lists.jboss.org <
keycloak-user-bounces(a)lists.jboss.org> on behalf of Gabriel Lavoie <
glavoie(a)gmail.com>
*Sent:* Wednesday, November 30, 2016 6:33 PM
*To:* Andrey Saroul
*Cc:* keycloak-user
*Subject:* Re: [keycloak-user] Keycloak behind 2 Nginx reverse proxies
(HTTPS -> HTTP)
Hi Andrew,
The answer is "it depends". When generating tokens or metadata,
Keycloak uses the scheme://hostname:port/ that was used to access it to
fill the different issuers/URLs. The same values must match in the client
JSON file so the client can validate the source of the token.
At the client level, this could be handled by having a custom translation
step over the configuration that accept both schemes and match it to the
issuer, not something that Keycloak seems to support natively last time I
checked.
Doing SSO through multiple aliases always has this sort of issues. This is
usually something that should be avoided. Can you keep Keycloak HTTPs and
your application HTTP in your internal network?
Gabriel
2016-11-25 8:08 GMT-05:00 Andrey Saroul <andrey.saroul(a)gmail.com>:
> We have an idea to isolate our application in our internal network so
that
> all communication in that network can go by HTTP.
> So we've set up a public nginx server, witch is responsible for
> establishing https connections.
> Public nginx server forwards requests to another nginx server in secured
> internal network, witch is in turn accesses Keycloak and WildFly by HTTP.
> But this configuration is not working because of invalid redirect issue.
> In our client's json file we have to define auth-server-url with HTTPS
> scheme. When we try to specify HTTP Keycloak no longer works.
> So my question: is it possible to make things work by HTTP in internal
> private network and HTTPS only remain for public access.
> Any guidance will be appreciated.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the
keycloak-user Archives. Using keycloak-user: To post a message to all the
list members ...
>
--
Gabriel Lavoie
glavoie(a)gmail.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the
keycloak-user Archives. Using keycloak-user: To post a message to all the
list members ...
11:44 p.m.
This is not required for reverse proxy and would also prevent the ability
to have multiple endpoints for the same server. If the reverse proxy and
Keycloak is configured correctly it will use the correct URL as seen by the
reverse proxy.
On 5 December 2016 at 10:14, Andrey Saroul <andrey.saroul(a)gmail.com> wrote:
That's exact feature which I've been looking for.
That will solve our problem with reverse proxy.
I defenetly vote for this feature to be implemented!
2016-12-05 11:57 GMT+03:00 Michael Furman <michael_furman(a)hotmail.com>:
> Dear Keycloak people,
>
> Please find below the suggestion that will allow easiest integration of
> Keycloak behind HTTPS reverse proxy.
>
> I suggest to add to the Keycloak configuration the new property – the
> client URL.
>
> Then, the Keycloak will use the property when generating tokens or
> metadata (instead of to rely on incoming HTTP request).
>
> This will allow to use Keycloak over HTTP and to use SSL only in reverse
> proxy.
>
> Additional suggestion will allow to configure Keycloak to work behind
> Reverse Proxy with Network Address Translation (NAT) (I have asked the
> question here http://lists.jboss.org/piperma
> il/keycloak-user/2016-November/008454.html).
>
> I suggest to add to the Keycloak configuration the additional new
> property – the internal client URL.
>
> Then Keycloak will use the property in
org.keycloak.protocol.oidc.OIDCWellKnownProvider
> and will create the well-known configuration with internal and external IPs.
>
> Clients will use the well-known configuration and will be able to connect
> to Keycloak without any problems.
>
> What do you say about the suggestions?
>
> If you think it is good I will happy to implement and test it during our
> integration with Keycloak.
>
> Best regards,
>
> Michael
>
>
> ------------------------------
> *From:* keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> on behalf of Gabriel Lavoie <
> glavoie(a)gmail.com>
> *Sent:* Wednesday, November 30, 2016 6:33 PM
> *To:* Andrey Saroul
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Keycloak behind 2 Nginx reverse proxies
> (HTTPS -> HTTP)
>
> Hi Andrew,
> The answer is "it depends". When generating tokens or metadata,
> Keycloak uses the scheme://hostname:port/ that was used to access it to
> fill the different issuers/URLs. The same values must match in the client
> JSON file so the client can validate the source of the token.
>
> At the client level, this could be handled by having a custom translation
> step over the configuration that accept both schemes and match it to the
> issuer, not something that Keycloak seems to support natively last time I
> checked.
>
> Doing SSO through multiple aliases always has this sort of issues. This is
> usually something that should be avoided. Can you keep Keycloak HTTPs and
> your application HTTP in your internal network?
>
> Gabriel
>
> 2016-11-25 8:08 GMT-05:00 Andrey Saroul <andrey.saroul(a)gmail.com>:
>
> > We have an idea to isolate our application in our internal network so
> that
> > all communication in that network can go by HTTP.
> > So we've set up a public nginx server, witch is responsible for
> > establishing https connections.
> > Public nginx server forwards requests to another nginx server in secured
> > internal network, witch is in turn accesses Keycloak and WildFly by
> HTTP.
> > But this configuration is not working because of invalid redirect issue.
> > In our client's json file we have to define auth-server-url with HTTPS
> > scheme. When we try to specify HTTP Keycloak no longer works.
> > So my question: is it possible to make things work by HTTP in internal
> > private network and HTTPS only remain for public access.
> > Any guidance will be appreciated.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> keycloak-user Info Page - JBoss Developer
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
> lists.jboss.org
> To see the collection of prior postings to the list, visit the
> keycloak-user Archives. Using keycloak-user: To post a message to all the
> list members ...
>
> >
>
>
>
> --
> Gabriel Lavoie
> glavoie(a)gmail.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> keycloak-user Info Page - JBoss Developer
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
> lists.jboss.org
> To see the collection of prior postings to the list, visit the
> keycloak-user Archives. Using keycloak-user: To post a message to all the
> list members ...
>
>
2717
days inactive
2736
days old
5 comments
5 participants
participants (5)
-
Andrey Saroul -
Gabriel Lavoie -
Michael Furman -
Pål Oliver Kristiansen -
Stian Thorgersen