[keycloak-dev] combine proxy and keycloak server
Bill Burke
bburke at redhat.com
Mon Aug 15 10:09:50 EDT 2016
Yes. There will be a lot of stuff we can do.
On 8/15/16 10:04 AM, Pedro Igor Silva wrote:
> Don't you think that all that is pretty much related with turning Keycloak as a Web Application Firewall (WAF) ? Now that we also have authz services in, we can do a lot of things at this regard.
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: stian at redhat.com, "Thomas Darimont" <thomas.darimont at googlemail.com>
> Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
> Sent: Monday, August 15, 2016 10:38:00 AM
> Subject: Re: [keycloak-dev] combine proxy and keycloak server
>
>
>
> You should rethink your position, IMO. Its actually a huge benefit in both usability and performance.
>
> Usability in that you don't have to configure and run a completely different program/process that is configured completely different than Keycloak. You can configure and manage all clients in one place. Performance is that you get rid of all the redirects that happen with SAML and OIDC. FOr your performance concern, you would just assign only a set of specific nodes that would be your proxy. So, if you had a keycloak cluster of 4 nodes, 2 nodes could be designated solely as proxy nodes, the other 2 for normal SSO.
>
> On 8/15/16 7:44 AM, Stian Thorgersen wrote:
>
>
>
> I'm not convinced about this. A lot of complexity for what seems like little benefit. The improvement of not having to do OIDC would probably end up being outweighed by all requests going through Keycloak rather than a separate proxy.
>
> On 9 August 2016 at 11:06, Thomas Darimont < thomas.darimont at googlemail.com > wrote:
>
>
>
> FYI, I sent some questions to the undertow dev-mailing list regarding dynamic vhost configuration:
> http://lists.jboss.org/pipermail/undertow-dev/2016-August/001668.html
>
> Cheers,
> Thomas
>
> 2016-08-05 21:26 GMT+02:00 Bill Burke < bburke at redhat.com > :
>
>
>
>
>
> Yeah, on the Client creation page, instead of oidc or saml, you can pick "proxied". You would specify the URL pattern of incoming requests and the URL pattern to forward HTTP requests and bam, it just works. Set up some virtual host table on demand with Undertow.
>
> On 8/5/16 11:36 AM, Thomas Darimont wrote:
>
>
>
> Sounds interesting...
>
> could you provide a bit more detail about what you have in mind?
>
> Cheers,
> Thomas
>
> 2016-08-05 16:38 GMT+02:00 Bill Burke < bburke at redhat.com > :
>
>
> Bump.
>
> I'm going to keep bumping this occasionally to see if somebody in the
> community wants to take this on.
>
>
> On 8/4/16 8:30 PM, Bill Burke wrote:
>> I think we should combine Keycloak Proxy with the keycloak server. When
>> creating a client, you would have an option to declare it as a proxied
>> client. This is way better than what we currently have as we woudln't
>> have to do SAML or OIDC so it would be more performant and it would
>> require no additional setup.
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list