[keycloak-dev] Info endpoint to simplify debugging proxy config

Marek Posolda mposolda at redhat.com
Fri Jan 6 10:21:28 EST 2017


+1

I wonder if it's cleaner that we also add existing stuff in 
ServerInfoAdminResource to this SPI?

One minor thing, it seems there is no handling of the preflight OPTIONS 
request in your new endpoint?

Marek

On 06/01/17 09:31, Stian Thorgersen wrote:
> I've been looking at some issues with reverse proxy when Keycloak is
> installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
> inconvenient and not straightforward to debug if the proxy configuration is
> correct.
>
> To verify URLs you have to for example open the well-known endpoint for
> OIDC. Then you have to verify the remote IP address by doing a failed login
> attempt and looking at the server log.
>
> To make this simpler I propose adding the start of a server info endpoint.
> It will be a SPI that allows plugging in server info providers that can
> show different details if authenticated or not.
>
> You can either view info for all providers at a time with
> "/realms/master/.info" or for a specific provider
> "/realms/master/.info/proxy".
>
> The proxy info provider will display:
>
> {
>    "authServerUrl" : "http://host1/auth",
>    "remoteAddress" : "127.0.0.1",
>    "proxyDetected" : true,
>    "headers" : {
>      "Host" : "host1",
>      "X-Forwarded-For" : "1.2.3.4",
>      "X-Forwarded-Host" : "host2",
>      "X-Forwarded-Proto" : "https"
>    }
> }
>
> Implementation is ready [2]; I just need to get feedback and add tests.
>
> In the future we can expand on this to for instance provide a health
> monitoring endpoint that allows checking the server health (JPA
> connections, Infinispan connections, IdP connections, user fed connections,
> etc.).
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-4149
> [2]
> https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e05b22c23a8
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
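
A consistency check over the JSON that the proposed proxy info provider returns, as an added example that is not part of the original thread or of Keycloak's code. It assumes a single trusted reverse proxy that overwrites the X-Forwarded-* headers, so that a correctly configured server reports the forwarded scheme, host and client address; `check_proxy_info` and its finding strings are hypothetical names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the JSON body quoted in the message above.
SAMPLE = """{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "127.0.0.1",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "1.2.3.4",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}"""


def first(value):
    """First element of a comma-separated forwarding header, or None."""
    return value.split(",")[0].strip() if value else None


def check_proxy_info(body):
    """Return a list of findings; an empty list means the values agree."""
    info = json.loads(body)
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdr = {k.lower(): v for k, v in info.get("headers", {}).items()}
    url = urlsplit(info["authServerUrl"])
    findings = []

    proto = first(hdr.get("x-forwarded-proto"))
    if proto and url.scheme != proto.lower():
        findings.append(f"scheme: URL uses {url.scheme}, proxy forwarded {proto}")

    host = first(hdr.get("x-forwarded-host")) or hdr.get("host")
    if host and url.netloc.lower() != host.lower():
        findings.append(f"host: URL uses {url.netloc}, expected {host}")

    # Assumption: the proxy overwrites X-Forwarded-For, so its first entry
    # is the real client. A proxy that only appends lets clients spoof it.
    client = first(hdr.get("x-forwarded-for"))
    if client and info.get("remoteAddress") != client:
        findings.append(f"client IP: server sees {info.get('remoteAddress')}, "
                        f"proxy forwarded {client}")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_info(SAMPLE):
        print(finding)
```

Under that assumption, the sample values from the message produce three findings: the server builds its URL from `http` and `host1` and records the proxy's own address as the client.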
