[keycloak-dev] Remove auth-server-url-for-backend-requests from adapters

Stian Thorgersen sthorger at redhat.com
Tue Mar 8 03:50:48 EST 2016


On 8 March 2016 at 09:43, Marek Posolda <mposolda at redhat.com> wrote:

> +1 to remove it.
>
> We can always re-add or add something different if people start to
> complain ;-)
>
> I guess that sooner or later, we may still need a possibility to
> configure the hostname for the Keycloak server. I think that there were people with
> funky deployments having issues even if they didn't use
> auth-server-url-for-backend-requests. Another possibility instead of
> introducing a hostname might be to introduce a list of valid URLs on the adapter
> side, which are acceptable as issuers of access tokens. But who knows, maybe
> everyone can somehow fix their deployment and we won't need anything :-)
>

I don't think we'll need it, nor do I think we need a list of valid URLs on
the adapter side. It's a slippery slope to do that, both in terms of usability
and security. A token should be issued by a specific Keycloak server (and
the hostname is important here), and a token issued by one Keycloak server with
one hostname is not equivalent to a token issued by another server.

If someone can't configure DNS or hostnames they'll just have to invoke it
through the reverse proxy or load balancer. In fact in a cluster you most
likely will have to go through the load balancer in either case.


>
>
> Marek
>
>
> On 08/03/16 09:08, Stian Thorgersen wrote:
>
> Currently we allow adapters to configure two urls for Keycloak
> (auth-server-url and auth-server-url-for-backend-requests). I propose we
> remove auth-server-url-for-backend-requests.
>
> The auth-server-url-for-backend-requests property was added as a way for
> adapters to invoke Keycloak directly without having to go through a load
> balancer or reverse proxy.
>
> The issue with auth-server-url-for-backend-requests is that the Keycloak
> server will not know the adapter is invoking Keycloak from a different URL,
> which results in invalid URLs in tokens and also if any links are generated
> (for example verify email).
>
> It also means that there's a need to have two separate certificates
> configured for Keycloak as there are different hostnames.
>
> The currently proposed solution is to add a way to configure the hostname
> for the Keycloak server. However, this is an extra configuration
> requirement and is also a significant amount of work to implement as well
> as potentially quite error prone. This could further be problematic if
> there are indeed two valid URLs for a server (for example
> http://company.com and http://internal.company.com).
>
> We should simply remove auth-server-url-for-backend-requests. If anyone
> wants to bypass the load balancer for internal machines that should be
> solved at the DNS level or by adding entries to the host file. As the
> hostname remains the same there's no need for multiple certificates, nor is
> there a need to hardcode the address on the Keycloak server itself.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
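Added example, not code from the thread or from the Keycloak adapters: a minimal issuer check of the kind the reply above argues for, written in Python. An adapter configured with a single auth-server-url derives one expected issuer, `<auth-server-url>/realms/<realm>` (the Keycloak issuer layout assumed here), and rejects any otherwise valid token whose `iss` names a different hostname. A constructed HS256 shared key stands in for the realm's real signing key, and the hostnames company.com and internal.company.com are taken from the thread. The point it makes concrete: if the adapter reaches Keycloak through a hosts-file or DNS override, the hostname in the token does not change and the check still passes; if it reaches a second hostname, the issuer no longer matches.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real realm signs tokens with its RSA key pair.
DEMO_KEY = b"constructed-demo-key-not-a-real-keycloak-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer an adapter expects, derived from its single auth-server-url."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def mint_token(issuer: str, subject: str, key: bytes, lifetime: int = 300) -> str:
    """Build an HS256 JWT as a Keycloak server at `issuer` would (constructed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "sub": subject, "iat": now, "exp": now + lifetime}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, auth_server_url: str, realm: str) -> dict:
    """Return the claims if signature, expiry and issuer all check out; else raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("token expired")
    want = expected_issuer(auth_server_url, realm)
    # The hostname is part of the issuer: a token from a second hostname is
    # a token from a different server as far as this adapter is concerned.
    if claims.get("iss") != want:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r} != {want!r}")
    return claims


def demo(adapter_url: str = "http://company.com/auth", realm: str = "demo") -> dict:
    """Outcome for tokens minted under the public and the internal hostname."""
    results = {}
    for label, server_url in (
        ("public", "http://company.com/auth"),          # same hostname as adapter
        ("internal", "http://internal.company.com/auth"),  # the bypass hostname
    ):
        token = mint_token(expected_issuer(server_url, realm), "alice", DEMO_KEY)
        try:
            verify_token(token, DEMO_KEY, adapter_url, realm)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Running `demo()` accepts the token issued under the public hostname and rejects the one issued under internal.company.com with an issuer mismatch, which is exactly the failure auth-server-url-for-backend-requests produced: the server signed tokens for whatever hostname it was reached on, so the hostname had to stay the same end to end.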

