Hello Stuart,
thanks for your help :)
My current understanding is that I need to proxy requests that are sent to a virtual host created
at runtime by the Keycloak deployment, and Keycloak would add some additional headers with auth
information and take care of authentication if necessary.
Since this can be configured at runtime I don't see how I could use the ServletExtension (which is
to my knowledge applied at start-time) to dynamically register virtual hosts with Undertow.
The workflow is as follows:
An admin would create a new "proxied" client configuration in the Keycloak admin console where
he would configure the name for a new virtual host and a target url.
E.g. if the keycloak servername is "sso.acme.com" a user would create a proxied client with the
following configuration:
* clientid: app1
* virtual host: app1.acme.com
* target url: https://myapp1.com/app
* Header Mapping: key value pairs with header name to (dynamic) expression mapping to inject in
  the proxied request
* Certificate / public / private key
The certificate is used to provide TLS for app1.acme.com - one could also use a wildcard cert
here or generate the cert on the server on client setup.
With that in place requests sent to https://app1.acme.com/ should be proxied to
https://myapp1.com/app/
The DNS name app1.acme.com would of course resolve to the IP of sso.acme.com.
A purely path-based solution would be to define a proxy endpoint like
https://sso.acme.com/proxy/ which then proxies all requests sent to
https://sso.acme.com/proxy/app1 to https://myapp1.com/app.
The servlet based approach could easily be done with Servlets or JAX-RS endpoints, but I still
wonder how the dynamic vhost registration could be done.
Cheers,
Thomas
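As an added illustration of the runtime registration asked about above (example code, not part of the thread and not Keycloak's or Undertow's own code): Undertow's NameVirtualHostHandler keeps a mutable host map, so one instance can be installed once, in front of the Keycloak deployment through a ServletExtension (the approach suggested in the reply below), and "proxied client" hosts can be added to or removed from it later. Each registered host gets its own ProxyHandler over a LoadBalancingProxyClient whose target URI path ("/app") is carried over as the upstream prefix, plus a small handler that injects the configured headers. The class name DynamicProxyRegistry, the header-mapping functions and the sample hosts are assumptions for the example; TLS termination and per-vhost certificates are left out, and the example targets a plain HTTP upstream (an https target needs the addHost(URI, XnioSsl) overload).

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.NameVirtualHostHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.util.HttpString;

import javax.servlet.ServletContext;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/** Hypothetical registry of "proxied clients" that can change at runtime (example, not Keycloak code). */
public final class DynamicProxyRegistry {

    // Installed once; hosts are added/removed on it later without restarting the deployment.
    private final NameVirtualHostHandler vhosts = new NameVirtualHostHandler();

    /** fallThrough receives requests whose Host header is not a registered vhost (i.e. Keycloak itself). */
    public DynamicProxyRegistry(HttpHandler fallThrough) {
        vhosts.setDefaultHandler(fallThrough);
    }

    public HttpHandler handler() {
        return vhosts;
    }

    /**
     * Registers e.g. app1.acme.com -> http://myapp1.example:8080/app.
     * headerMapping stands in for the "dynamic expression" of the client configuration:
     * header name -> function computing its value from the current exchange.
     */
    public void register(String virtualHost, URI targetUrl,
                         Map<String, Function<HttpServerExchange, String>> headerMapping) {
        LoadBalancingProxyClient client = new LoadBalancingProxyClient();
        client.addHost(targetUrl); // plain HTTP upstream; https needs addHost(URI, XnioSsl)
        // 30s max request time; 404 if the upstream cannot be reached.
        HttpHandler proxy = new ProxyHandler(client, 30_000, ResponseCodeHandler.HANDLE_404);

        HttpHandler injectHeaders = exchange -> {
            for (Map.Entry<String, Function<HttpServerExchange, String>> e : headerMapping.entrySet()) {
                HttpString name = new HttpString(e.getKey());
                // Remove any inbound copy first so the upstream only ever sees values set here,
                // never a client-supplied header of the same name.
                exchange.getRequestHeaders().remove(name);
                String value = e.getValue().apply(exchange);
                if (value != null) {
                    exchange.getRequestHeaders().put(name, value);
                }
            }
            proxy.handleRequest(exchange);
        };
        vhosts.addHost(virtualHost, injectHeaders);
    }

    public void unregister(String virtualHost) {
        vhosts.removeHost(virtualHost);
    }

    /**
     * Registers the vhost handler at the front of the deployment's handler chain, so only requests
     * reaching this deployment are candidates for proxying. Enabled through the usual
     * META-INF/services/io.undertow.servlet.ServletExtension entry.
     */
    public static final class Installer implements ServletExtension {
        @Override
        public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
            deploymentInfo.addInitialHandlerChainWrapper(next -> {
                DynamicProxyRegistry registry = new DynamicProxyRegistry(next);
                // Expose the registry so an admin-facing JAX-RS endpoint can call register()/unregister().
                servletContext.setAttribute(DynamicProxyRegistry.class.getName(), registry);
                return registry.handler();
            });
        }
    }

    /** Stand-alone demo on embedded Undertow with constructed sample data. */
    public static void main(String[] args) {
        DynamicProxyRegistry registry = new DynamicProxyRegistry(ResponseCodeHandler.HANDLE_404);
        Map<String, Function<HttpServerExchange, String>> headers = new HashMap<>();
        headers.put("X-Proxied-Client", ex -> "app1");
        headers.put("X-Forwarded-For", ex -> ex.getSourceAddress().getAddress().getHostAddress());
        registry.register("app1.acme.com", URI.create("http://localhost:9090/app"), headers);
        Undertow.builder().addHttpListener(8080, "0.0.0.0").setHandler(registry.handler()).build().start();
    }
}
```

With the main() running, a request to http://localhost:8080/ carrying `Host: app1.acme.com` is forwarded to http://localhost:9090/app/ with the two injected headers, while any other Host value falls through to the default handler (in the deployment case, to Keycloak). Calling unregister("app1.acme.com") takes effect for the next request, which is what the "configured at runtime" requirement needs.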
2016-08-09 5:50 GMT+02:00 Stuart Douglas <sdouglas(a)redhat.com>:
So does this need to proxy all requests, or just requests targeted at
the keycloak deployment? If it is the latter then you could just use
ServletExtension to set up the ProxyHandler.
Stuart
On Tue, Aug 9, 2016 at 6:35 AM, Thomas Darimont
<thomas.darimont(a)googlemail.com> wrote:
> Hello list,
>
> I'm currently working on embedding Keycloak's currently dedicated Proxy
> Server into Keycloak itself.
> For this I need to be able to dynamically configure Undertow's ProxyHandler
> and register VirtualHosts at runtime.
> For reference the discussion thread on keycloak-dev ML: [1]
>
> Keycloak uses the Undertow Subsystem provided by Wildfly 10 which is
> configured via the standalone(-ha).xml.
>
> I could already configure a reverse-proxy and additional hosts via jboss-cli
> but I wonder whether there is an API
> that I could use to get access to the undertow infrastructure from within a
> JAX-RS endpoint.
> I could probably also use the wildfly management client API or perhaps do
> something via JMX.
>
> Would be great if someone could give me a tip or an example for registering
> / configuring Undertow Handler or Virtual Hosts as described above.
>
> Btw. I saw that Undertow ships with a
> io.undertow.server.handlers.proxy.HostTable but I couldn't find
> any usage of it in the Undertow codebase - did I miss something or is this
> dead code?
>
> FYI current code of Keycloak dedicated Proxy Server (uses embedded undertow)
> can be found here: [0]
>
> Cheers,
> Thomas
> [0] https://github.com/keycloak/keycloak/tree/master/proxy
> [1] http://lists.jboss.org/pipermail/keycloak-dev/2016-August/007742.html
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev