[keycloak-dev] Info endpoint to simplify debugging proxy config

Stian Thorgersen sthorger at redhat.com
Fri Jan 6 03:31:51 EST 2017

I've been looking at some issues with reverse proxy when Keycloak is
installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
inconvenient and not straightforward to debug if the proxy configuration is

To verify URLs you have to for example open the well-known endpoint for
OIDC. Then you have to verify the remote IP address by doing a failed login
attempt and looking at the server log.

To make this simpler I propose adding the start of a server info endpoint.
It will be a SPI that allows plugging in server info providers that can
show different details if authenticated or not.

You can either view info for all providers at a time with
"/realms/master/.info" or for a specific provider

The proxy info provider will display:

{
  "authServerUrl" : "http://host1/auth",
  "remoteAddress" : "",
  "proxyDetected" : true,
  "headers" : {
    "Host" : "host1",
    "X-Forwarded-For" : "",
    "X-Forwarded-Host" : "host2",
    "X-Forwarded-Proto" : "https"
  }
}

Implementation is ready [2]; I just need to get feedback and add tests.

In the future we can expand on this to for instance provide a health
monitoring endpoint that allows checking the server health (JPA
connections, Infinispan connections, IdP connections, user fed connections,

[1] https://issues.jboss.org/browse/KEYCLOAK-4149
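
Added example (not part of the original post and not Keycloak code): a small checker that reads a document in the shape of the proxy info output shown above and flags where the server's view disagrees with the forwarded headers. The field names come from the post; the two IP addresses, the finding codes and the comparison rules are assumptions made for this illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape shown in the post; the two addresses are
# placeholders from documentation ranges (the post leaves them blank).
SAMPLE = """{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "192.0.2.10",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}"""


def check_proxy_info(info):
    """Return sorted finding codes (hypothetical names) for one proxy-info document."""
    headers = {k.lower(): v for k, v in info.get("headers", {}).items()}
    url = urlsplit(info.get("authServerUrl", ""))
    fwd_proto = headers.get("x-forwarded-proto", "").strip().lower()
    fwd_host = headers.get("x-forwarded-host", "").strip().lower()
    fwd_for = [a.strip() for a in headers.get("x-forwarded-for", "").split(",") if a.strip()]
    findings = set()
    # Server builds URLs with a different scheme than the client used at the proxy.
    if fwd_proto and url.scheme.lower() != fwd_proto:
        findings.add("scheme-mismatch")
    # Server builds URLs from its own Host header instead of the public host name.
    if fwd_host and url.netloc.lower() != fwd_host:
        findings.add("host-mismatch")
    # Server reports an address that the proxy did not forward, so per-IP
    # controls and audit logs would record the proxy instead of the client.
    if fwd_for and info.get("remoteAddress", "") not in fwd_for:
        findings.add("remote-address-not-forwarded")
    return sorted(findings)


if __name__ == "__main__":
    for code in check_proxy_info(json.loads(SAMPLE)):
        print("FINDING:", code)
```

An empty result means the generated URLs and the reported remote address agree with what the proxy forwarded; it does not show that the forwarded headers themselves come from a trusted proxy.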
