[keycloak-dev] Info endpoint to simplify debugging proxy config
Marek Posolda
mposolda at redhat.com
Mon Jan 9 03:05:14 EST 2017
Current ServerInfoAdminResource provides information about available
providers etc, but also some real-time info about system, CPU, memory
etc. Isn't that similar to the health-checks in the new endpoint, which
you are proposing?
Marek
On 09/01/17 08:42, Stian Thorgersen wrote:
> Maybe, but I don't see any real benefit in doing that. The two serve
> quite different purposes as well.
>
> On 6 January 2017 at 16:21, Marek Posolda <mposolda at redhat.com> wrote:
>
> +1
>
> I wonder if it's cleaner that we also add existing stuff in
> ServerInfoAdminResource to this SPI?
>
> One minor thing, it seems there is no handling of preflight
> OPTIONS requests in your new endpoint?
>
> Marek
>
>
> On 06/01/17 09:31, Stian Thorgersen wrote:
>
> I've been looking at some issues with reverse proxy when Keycloak is
> installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
> inconvenient and not straightforward to debug if the proxy configuration is
> correct.
>
> To verify URLs you have to for example open the well-known endpoint for
> OIDC. Then you have to verify the remote IP address by doing a failed login
> attempt and looking at the server log.
>
> To make this simpler I propose adding the start of a server info endpoint.
> It will be a SPI that allows plugging in server info providers that can
> show different details if authenticated or not.
>
> You can either view info for all providers at a time with
> "/realms/master/.info" or for a specific provider
> "/realms/master/.info/proxy".
>
> The proxy info provider will display:
>
> {
>   "authServerUrl" : "http://host1/auth",
>   "remoteAddress" : "127.0.0.1",
>   "proxyDetected" : true,
>   "headers" : {
>     "Host" : "host1",
>     "X-Forwarded-For" : "1.2.3.4",
>     "X-Forwarded-Host" : "host2",
>     "X-Forwarded-Proto" : "https"
>   }
> }
>
> Implementation is ready [2] I just need to get feedback and add tests.
>
> In the future we can expand on this to for instance provide a health
> monitoring endpoint that allows checking the server health (JPA
> connections, Infinispan connections, IdP connections, user fed connections,
> etc.).
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-4149
> [2] https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e05b22c23a8
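
Added example (not part of the thread and not Keycloak code): a Python check over the JSON shape quoted in the proposal above, listing where the values the server resolved (authServerUrl, remoteAddress) disagree with the X-Forwarded-* headers it received. The function names, and the rule that these values should agree when the proxy configuration is correct, are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the response body quoted in the proposal above.
SAMPLE = """{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "127.0.0.1",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "1.2.3.4",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}"""

def first(value):
    """First entry of a comma-separated forwarded header, trimmed and lowercased."""
    return value.split(",")[0].strip().lower()

def check_proxy_info(body):
    """Return (field, resolved_by_server, forwarded_by_proxy) for every mismatch."""
    info = json.loads(body)
    # Header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in info.get("headers", {}).items()}
    url = urlsplit(info["authServerUrl"])
    findings = []

    fwd_for = headers.get("x-forwarded-for")
    if fwd_for:
        # Each proxy hop appends an address; if the server honours the header,
        # the address it resolved must be one of the listed entries.
        hops = [h.strip() for h in fwd_for.split(",")]
        if info["remoteAddress"] not in hops:
            findings.append(("remoteAddress", info["remoteAddress"], fwd_for))

    fwd_proto = headers.get("x-forwarded-proto")
    if fwd_proto and url.scheme != first(fwd_proto):
        findings.append(("scheme", url.scheme, fwd_proto))

    fwd_host = headers.get("x-forwarded-host")
    if fwd_host and url.netloc.lower() != first(fwd_host):
        findings.append(("host", url.netloc, fwd_host))
    return findings

if __name__ == "__main__":
    for field, resolved, forwarded in check_proxy_info(SAMPLE):
        print(f"{field}: server resolved {resolved!r}, proxy sent {forwarded!r}")
```

An empty result only shows that the server is applying the forwarded headers; the headers are trustworthy only when the proxy overwrites whatever the client sent.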