[keycloak-dev] Info endpoint to simplify debugging proxy config
Stian Thorgersen
sthorger at redhat.com
Fri Jan 6 03:31:51 EST 2017

I've been looking at some issues with reverse proxy when Keycloak is
installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
inconvenient and not straightforward to debug if the proxy configuration is
correct.

To verify URLs you have to for example open the well-known endpoint for
OIDC. Then you have to verify the remote IP address by doing a failed login
attempt and looking at the server log.

To make this simpler I propose adding the start of a server info endpoint.
It will be a SPI that allows plugging in server info providers that can
show different details if authenticated or not.

You can either view info for all providers at a time with
"/realms/master/.info" or for a specific provider
"/realms/master/.info/proxy".

The proxy info provider will display:

{
  "authServerUrl" : "http://host1/auth",
  "remoteAddress" : "127.0.0.1",
  "proxyDetected" : true,
  "headers" : {
    "Host" : "host1",
    "X-Forwarded-For" : "1.2.3.4",
    "X-Forwarded-Host" : "host2",
    "X-Forwarded-Proto" : "https"
  }
}

Implementation is ready [2]; I just need to get feedback and add tests.

In the future we can expand on this to for instance provide a health
monitoring endpoint that allows checking the server health (JPA
connections, Infinispan connections, IdP connections, user fed connections,
etc.).

[1] https://issues.jboss.org/browse/KEYCLOAK-4149
[2] https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e05b22c23a8
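
A check that could be run over the proxy info output quoted above, as an added example that is not part of the original message or of the Keycloak code base. It assumes that "authServerUrl" and "remoteAddress" are the values the server derived and that "headers" are the request headers it received; check_proxy_info is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the response body quoted in the message above.
SAMPLE = """{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "127.0.0.1",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "1.2.3.4",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}"""


def check_proxy_info(text):
    """Return findings for a proxy info response; an empty list means consistent."""
    info = json.loads(text)
    # Header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in info.get("headers", {}).items()}
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    host = headers.get("x-forwarded-host", "").strip().lower()
    chain = [a.strip() for a in headers.get("x-forwarded-for", "").split(",") if a.strip()]
    url = urlsplit(info.get("authServerUrl", ""))
    remote = info.get("remoteAddress")
    forwarded = bool(proto or host or chain)
    findings = []

    if forwarded != bool(info.get("proxyDetected")):
        findings.append("proxyDetected: flag disagrees with presence of X-Forwarded-* headers")
    # Assumption: a correctly configured server builds its URL from the forwarded values.
    if proto and url.scheme != proto:
        findings.append(f"scheme: URL uses {url.scheme!r}, proxy forwarded {proto!r}")
    if host and url.netloc.lower() != host:
        findings.append(f"host: URL uses {url.netloc!r}, proxy forwarded {host!r}")
    # Assumption: the address the server records should be one listed by the proxy.
    # A loopback or proxy address here means the server log attributes every
    # failed login attempt to the proxy instead of the client.
    if chain and remote not in chain:
        findings.append(f"remote-address: server sees {remote!r}, chain is {chain}")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_info(SAMPLE):
        print(finding)
```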