[keycloak-dev] Remove auth-server-url-for-backend-requests from adapters

Marek Posolda mposolda at redhat.com
Tue Mar 8 03:43:05 EST 2016


+1 to remove it.

We can always re-add or add something different if people start to 
complain ;-)

I guess that sooner or later, we may still need a possibility to 
configure the hostname for the Keycloak server. I think that there were 
people with funky deployments having issues even if they don't use 
auth-server-url-for-backend-requests. Another possibility, instead of 
introducing a hostname, might be to introduce a list of valid URLs on the 
adapter side, which are acceptable as issuers of the access token. But who 
knows, maybe everyone can somehow fix his deployment and we won't need 
anything :-)

Marek

On 08/03/16 09:08, Stian Thorgersen wrote:
> Currently we allow adapters to configure two urls for Keycloak 
> (auth-server-url and auth-server-url-for-backend-requests). I propose 
> we remove auth-server-url-for-backend-requests.
>
> The auth-server-url-for-backend-requests property was added as a way 
> for adapters to invoke Keycloak directly without having to go through 
> a load balancer or reverse proxy.
>
> The issue with auth-server-url-for-backend-requests is that the 
> Keycloak server will not know the adapter is invoking Keycloak from a 
> different URL, which results in invalid URLs in tokens and also if any 
> links are generated (for example verify email).
>
> It also means that there's a need to have two separate certificates 
> configured for Keycloak as there are different hostnames.
>
> The currently proposed solution is to add a way to configure the 
> hostname for the Keycloak server. However, this is an extra 
> configuration requirement and is also a significant amount of work to 
> implement as well as potentially quite error prone. This could further 
> be problematic if there are indeed two valid URLs for a server (for 
> example http://company.com and http://internal.company.com).
>
> We should simply remove auth-server-url-for-backend-requests. If 
> anyone wants to bypass the load balancer for internal machines that 
> should be solved at the DNS level or by adding entries to the hosts 
> file. As the hostname remains the same there's no need for multiple 
> certificates, nor is there a need to hardcode the address on the 
> Keycloak server itself.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
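As an added illustration of the adapter-side issuer allowlist Marek floats above (example code written for this thread, not Keycloak's own adapter code), the check below compares a token's `iss` claim against a configured set of acceptable issuer URLs. The realm URLs, the token payload and the `encode_payload`/`decode_payload` helpers are constructed for the example; signature verification is assumed to happen before this step.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample URLs: the public URL users reach Keycloak through, and the
# internal URL an adapter would use to bypass the load balancer.
PUBLIC_ISSUER = "https://company.com/auth/realms/demo"
BACKEND_ISSUER = "https://internal.company.com/auth/realms/demo"

def encode_payload(claims: dict) -> str:
    # Base64url-encode a JWT payload segment (header and signature omitted).
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def normalize_issuer(url: str) -> str:
    # Canonicalise scheme/host case, default ports and a trailing slash so
    # equivalent spellings of one URL compare equal; nothing looser than that.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path.rstrip('/')}"

def issuer_accepted(payload_segment: str, allowed_issuers) -> bool:
    # Exact-match allowlist: accept only if iss equals one configured issuer.
    iss = decode_payload(payload_segment).get("iss")
    if not isinstance(iss, str):
        return False
    allowed = {normalize_issuer(u) for u in allowed_issuers}
    return normalize_issuer(iss) in allowed

# Token minted by Keycloak as reached through the public URL (constructed).
TOKEN_PAYLOAD = encode_payload({"iss": PUBLIC_ISSUER, "sub": "alice", "exp": 1457430000})

def single_url_result() -> bool:
    # Adapter knows only its backend URL: the issuer mismatch Stian describes.
    return issuer_accepted(TOKEN_PAYLOAD, [BACKEND_ISSUER])

def allowlist_result() -> bool:
    # Adapter configured with every URL it considers a valid issuer.
    return issuer_accepted(TOKEN_PAYLOAD, [BACKEND_ISSUER, PUBLIC_ISSUER])
```

A different realm path, a missing `iss`, or any URL outside the configured set is still rejected, so the allowlist widens acceptance only to the spellings the deployment explicitly lists.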
