[keycloak-dev] Running keycloak behind web proxy

Stian Thorgersen sthorger at redhat.com
Wed Apr 19 02:50:08 EDT 2017


This is a different case. This is when Keycloak can't communicate to the
outside world unless it talks through a web proxy/firewall.

But, yes it would be nice to make it simpler for those that are using a
reverse proxy in front of Keycloak. Not sure we can though. The proxy has
to be configured correctly and it's not always trivial. We also have to
have the configuration option in Keycloak disabled by default as otherwise
it would allow sending fake X-Forwarded-.. headers to fake the remote IP
address. We can certainly improve docs around it though as they are not
straightforward and quite hidden.

On 18 April 2017 at 16:54, Bill Burke <bburke at redhat.com> wrote:

> We gotta figure out if there is anything we can do out of the box to
> help with this.  There's just so many questions on this and we're
> continually referencing docs to people.
>
>
> On 4/18/17 9:05 AM, Stian Thorgersen wrote:
> > The configuration should be on the default HttpClient provider [1],
> > configured through standalone.xml. Documentation is [2].
> >
> > We'd need some way of automating tests for it. Honestly, I don't know what
> > that would look like. Maybe it could be achieved with a dummy proxy that
> > allows checking what requests were made to it.
> >
> > [1]
> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/connections/httpclient/DefaultHttpClientFactory.java
> > [2]
> > https://keycloak.gitbooks.io/documentation/server_installation/topics/network/outgoing.html
> >
> > On 11 April 2017 at 12:03, Plank Martin <Martin.Plank at softec.sk> wrote:
> >
> >> Hi all!
> >>
> >> We're using Keycloak in a corporate environment where all external
> >> requests are blocked and must be sent via web proxy.
> >> Therefore the ReCAPTCHA and social identity providers (from version
> >> 3.0.0.CR1) do not work correctly. It can be fixed by configuring proxy host
> >> on Apache HttpClient, e.g. [1].
> >>
> >> I would be interested in contributing this. But I'm new to Keycloak
> >> development, so I will appreciate any information that could help,
> >> specifically:
> >>
> >> -       What kind of automated tests do you expect to develop?
> >>
> >> -       Where should the proxy configuration be stored?
> >>
> >> I have also submitted a Feature request with more information:
> >> https://issues.jboss.org/browse/KEYCLOAK-4743
> >>
> >> Thanks
> >> Martin Plank
> >>
> >> [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientExecuteProxy.java
> >>
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
>
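
The reason given at the top of this message for keeping X-Forwarded handling disabled by default, shown as an added example (not part of the thread and not Keycloak code): a resolver that honours the header unconditionally lets the client pick its own remote address, while one that honours it only from a known proxy peer does not. The class and method names, the trusted proxy address and the sample requests are all constructed for illustration.

```java
import java.util.Set;

// Added illustration, not Keycloak code. All names and addresses are hypothetical.
public class ForwardedForDemo {

    // Direct peers allowed to supply X-Forwarded-For (constructed sample value).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    // Header handling switched on for everyone: the client controls the result.
    static String naiveRemoteAddr(String peerAddr, String xForwardedFor) {
        if (xForwardedFor != null && !xForwardedFor.isBlank()) {
            return xForwardedFor.split(",")[0].trim();
        }
        return peerAddr;
    }

    // Honour the header only when the TCP peer is a known proxy, and walk the
    // chain right to left so entries prepended by the client are never reached.
    static String trustedRemoteAddr(String peerAddr, String xForwardedFor) {
        if (!TRUSTED_PROXIES.contains(peerAddr)
                || xForwardedFor == null || xForwardedFor.isBlank()) {
            return peerAddr;
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop; // first address not added by our own proxies
            }
        }
        return peerAddr;
    }

    public static void main(String[] args) {
        // Constructed requests: {direct peer, X-Forwarded-For header}
        String[][] requests = {
            {"203.0.113.9", "127.0.0.1"},            // direct connection, forged header
            {"10.0.0.5", "127.0.0.1, 203.0.113.9"},  // via proxy, client prepended an entry
            {"10.0.0.5", "198.51.100.7"},            // via proxy, unmodified
        };
        for (String[] r : requests) {
            System.out.printf("peer=%-12s xff=%-24s naive=%-13s trusted=%s%n",
                    r[0], r[1], naiveRemoteAddr(r[0], r[1]), trustedRemoteAddr(r[0], r[1]));
        }
    }
}
```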

