7:57 a.m.
Hello,
I have built the architecture shown in the attached image.
Step 1. A client authentication request reaches the keycloak security
proxy docker container
Step 2. Proxy asks the actual keycloak server docker container
Step 3. Keycloak Server asks an external LDAP for user credentials
Step 4. Keycloak server replies OK
Step 5. Keycloak proxy replies OK and passes control to the external
application url.
THE PROBLEM IS that after successful authentication, the url of the host
server (i.e. where the keycloak proxy container and keyclak
authentication container lie) appears on the address bar of the browser
instead of the actual external application url.
For example, if the host machine where the keycloak containers lie is
keycloak.containers.gr, and the external application domain name is
www.external.application.gr, then, after a SUCCESSFUL login to the
keycloak SSO login page, the url in the address bar appears to
behttp://keycloak.containers.gr <http://keycloak.containers.gr/>instead
ofhttp://www.external.application.gr
<http://www.external.application.gr/>;. This fact destroys all the
relative css, js scripts, etc, attached to the site
www.external.application.gr.
KEYCLOAK SECURITY PROXY CONFIGURATION
{
"target-url": "http://www.external.application.gr",
"bind-address": "0.0.0.0",
"send-access-token": true,
"http-port": "8180",
"https-port": "8443",
"applications": [{
"base-path": "/",
"adapter-config": {
"realm": "internal_applications",
"auth-server-url":
"http://keycloak.containers.gr:8202/auth",
"resource": "test_app",
"ssl-required": "external",
"credentials": {
"secret": "xxxxx-xxx-xxx-xxxx-xxxxxxxxxxx"
}
},
"constraints": [{
"pattern": "/*",
"authenticate": true
}],
"proxy-address-forwarding": true
}]
}
I use a proxy.json for the keycloak security proxy configuration
NOTE: I have tried to change the "bind-address": "0.0.0.0" parameter,
from 0.0.0.0 to the IP of the www.external.application.gr but with no
luck...
please... any help??
Thank you!!
Dimitris
--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis(a)ekt.gr
_____________________________
10:40 p.m.
Hello Dimitris,
If you want your application to be accessible under its original URL, you should use
Keycloak adapters instead. When using proxy, the original URL remains hidden - this is how
reverse proxying works. In this regard Keycloak security proxy is not much different from
Apache mod_proxy, HAProxy or nginx. Your application needs to be able to handle the
situation where it is exposed under different URL, and adjust the internal URLs (CSS,
scripts etc.) accordingly. You can do this either by introducing a config param, or by
processing X-Forwarded-Host and X-Forwarded-Proto headers.
Also I'd recommend that you use Keycloak Gatekeeper [1] instead of the now deprecated
Keycloak proxy.
[1] https://github.com/keycloak/keycloak-gatekeeper
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2019-01-17 at 15:57 +0200, Dimitris Charlaftis wrote:
Hello,
I have built the architecture shown in the attached image.
Step 1. A client authentication request reaches the keycloak security
proxy docker container
Step 2. Proxy asks the actual keycloak server docker container
Step 3. Keycloak Server asks an external LDAP for user credentials
Step 4. Keycloak server replies OK
Step 5. Keycloak proxy replies OK and passes control to the external
application url.
THE PROBLEM IS that after successful authentication, the url of the host
server (i.e. where the keycloak proxy container and keyclak
authentication container lie) appears on the address bar of the browser
instead of the actual external application url.
For example, if the host machine where the keycloak containers lie is
keycloak.containers.gr, and the external application domain name is
www.external.application.gr, then, after a SUCCESSFUL login to the
keycloak SSO login page, the url in the address bar appears to
> behttp://keycloak.containers.gr <http://keycloak.containers.gr/>instead
> ofhttp://www.external.application.gr
> <http://www.external.application.gr/>;. This fact destroys all the
relative css, js scripts, etc, attached to the site
www.external.application.gr.
KEYCLOAK SECURITY PROXY CONFIGURATION
{
> "target-url": "http://www.external.application.gr",
"bind-address": "0.0.0.0",
"send-access-token": true,
"http-port": "8180",
"https-port": "8443",
"applications": [{
"base-path": "/",
"adapter-config": {
"realm": "internal_applications",
"auth-server-url":
"http://keycloak.containers.gr:8202/auth",
"resource": "test_app",
"ssl-required": "external",
"credentials": {
"secret": "xxxxx-xxx-xxx-xxxx-xxxxxxxxxxx"
}
},
"constraints": [{
"pattern": "/*",
"authenticate": true
}],
"proxy-address-forwarding": true
}]
}
I use a proxy.json for the keycloak security proxy configuration
NOTE: I have tried to change the "bind-address": "0.0.0.0"
parameter,
> from 0.0.0.0 to the IP of the www.external.application.gr but with no
luck...
please... any help??
Thank you!!
Dimitris
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2183
days inactive
2184
days old
1 comments
2 participants
participants (2)
-
Dimitris Charlaftis -
Dmitry Telegin