[keycloak-dev] combine proxy and keycloak server
John Dennis
jdennis at redhat.com
Tue Aug 16 18:19:35 EDT 2016
On 08/16/2016 04:43 PM, Bill Burke wrote:
>> There's also plenty of options around proxies (Apache, nginx, APIMan,
>> 3scale, etc.). I'm not convinced we should even have our own. Sounds
>> like APIMan might actually survive and end up being supported in some
>> form, so that may still be a better option to us rolling our own
>> proxy/gateway.
>>
> Disagree 100%. Right now without a supported proxy we have zero control
> over how other languages and environments integrate with Keycloak
> (except Java). We're at the mercy of mod-auth-mellon and
> mod-auth-openidc the latter of which isn't even maintained by RHT. Both
> of which we do not have any in house knowledge to make extensions to.
> The potential to simplify and unify setup and configuration and
> management is just too huge here to ignore.
Correction, Red Hat does support mod_auth_openidc and we do have
in-house expertise to modify and extend these packages. In fact we've
already made significant contributions to mod_auth_mellon and the lasso
SAML library it utilizes.
The platform group has deployed Keycloak behind both the Apache and
HAproxy proxies and has (started) documenting the process. We also are
in the process of writing Ansible and Puppet configuration modules to
help deploy Keycloak. I believe in all these scenarios Keycloak is
behind a proxy.
I wish our two groups had better awareness of each other.
--
John