[keycloak-dev] Remove auth-server-url-for-backend-requests from adapters

[Stian Thorgersen]

Currently we allow adapters to configure two urls for Keycloak
(auth-server-url and auth-server-url-for-backend-requests). I propose we
remove auth-server-url-for-backend-requests.

The auth-server-url-for-backend-requests property was added as a way for
adapters to invoke Keycloak directly without having to go through a load
balancer or reverse proxy.

The issue with auth-server-url-for-backend-requests is that the Keycloak
server will not know the adapter is invoking Keycloak from a different URL,
which results in invalid URLs in tokens and also if any links are generated
(for example verify email).

It also means that there's a need to have two separate certificates
configured for Keycloak as there are different hostnames.

The currently proposed solution is to add a way to configure the hostname
for the Keycloak server. However, this is an extra configuration
requirement and is also a significant amount of work to implement as well
as potentially quite error prone. This could further be problematic if
there is indeed two valid URLs for a server (for example http://company.com
and http://internal.company.com).

We should simply remove auth-server-url-for-backend-requests. If anyone
wants to bypass the load balancer for internal machines that should be
solved at the DNS level or by adding entries to the host file. As the
hostname remains the same there's no need for multiple certificates, nor is
there a need to hardcode the address on the Keycloak server itself.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160308/76e8d562/attachment.html