[keycloak-dev] Info endpoint to simplify debugging proxy config

Stian Thorgersen sthorger at redhat.com
Mon Jan 9 02:42:37 EST 2017


Maybe, but I don't see any real benefit in doing that. The two serves quite
different purposes as well.

On 6 January 2017 at 16:21, Marek Posolda <mposolda at redhat.com> wrote:

> +1
>
> I wonder if it's cleaner that we also add existing stuff in
> ServerInfoAdminResource to this SPI?
>
> One minor thing, it seems there is not handling of preflight OPTIONS
> request in your new endpoint?
>
> Marek
>
>
> On 06/01/17 09:31, Stian Thorgersen wrote:
>
>> I've been looking at some issues with reverse proxy when Keycloak is
>> installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
>> inconvenient and not straightforward to debug if the proxy configuration
>> is
>> correct.
>>
>> To verify URLs you have to for example open the well-known endpoint for
>> OIDC. Then you have to verify the remote IP address by doing a failed
>> login
>> attempt and looking at the server log.
>>
>> To make this simpler I propose adding the start of a server info endpoint.
>> It will be a SPI that allows plugging in server info providers that can
>> show different details if authenticated or not.
>>
>> You can either view info for all providers at a time with
>> "/realms/master/.info" or for a specific provider
>> "/realms/master/.info/proxy".
>>
>> The proxy info provider will display:
>>
>> {
>>    "authServerUrl" : "http://host1/auth",
>>    "remoteAddress" : "127.0.0.1",
>>    "proxyDetected" : true,
>>    "headers" : {
>>      "Host" : "host1",
>>      "X-Forwarded-For" : "1.2.3.4",
>>      "X-Forwarded-Host" : "host2",
>>      "X-Forwarded-Proto" : "https"
>>    }
>> }
>>
>> Implementation is ready [2] I just need to get feedback and add tests.
>>
>> In the future we can expand on this to for instance provide a health
>> monitoring endpoint that allows checking the server health (JPA
>> connections, Infinispan connections, IdP connections, user fed
>> connections,
>> etc.).
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-4149
>> [2]
>> https://github.com/stianst/keycloak/commit/99abbc47c49585d1e
>> 62c74f3ea227e05b22c23a8
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>


More information about the keycloak-dev mailing list