[keycloak-dev] Info endpoint to simplify debugging proxy config

Stian Thorgersen sthorger at redhat.com
Mon Jan 9 04:41:42 EST 2017


True, didn't consider that part. The real-time info should probably be
moved to the info endpoint, while the list/details about providers kept at
ServerInfoAdminResource.

On 9 January 2017 at 09:05, Marek Posolda <mposolda at redhat.com> wrote:

> Current ServerInfoAdminResource provides information about available
> providers etc, but also some real-time info about system, CPU, memory etc.
> Isn't that similar to the health-checks in the new endpoint, which you are
> proposing?
>
> Marek
>
>
> On 09/01/17 08:42, Stian Thorgersen wrote:
>
> Maybe, but I don't see any real benefit in doing that. The two serve
> quite different purposes as well.
>
> On 6 January 2017 at 16:21, Marek Posolda <mposolda at redhat.com> wrote:
>
>> +1
>>
>> I wonder if it's cleaner that we also add existing stuff in
>> ServerInfoAdminResource to this SPI?
>>
>> One minor thing, it seems there is no handling of preflight OPTIONS
>> requests in your new endpoint?
>>
>> Marek
>>
>>
>> On 06/01/17 09:31, Stian Thorgersen wrote:
>>
>>> I've been looking at some issues with reverse proxy when Keycloak is
>>> installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
>>> inconvenient and not straightforward to debug if the proxy configuration
>>> is correct.
>>>
>>> To verify URLs you have to for example open the well-known endpoint for
>>> OIDC. Then you have to verify the remote IP address by doing a failed
>>> login attempt and looking at the server log.
>>>
>>> To make this simpler I propose adding the start of a server info
>>> endpoint. It will be an SPI that allows plugging in server info providers
>>> that can show different details if authenticated or not.
>>>
>>> You can either view info for all providers at a time with
>>> "/realms/master/.info" or for a specific provider
>>> "/realms/master/.info/proxy".
>>>
>>> The proxy info provider will display:
>>>
>>> {
>>>    "authServerUrl" : "http://host1/auth",
>>>    "remoteAddress" : "127.0.0.1",
>>>    "proxyDetected" : true,
>>>    "headers" : {
>>>      "Host" : "host1",
>>>      "X-Forwarded-For" : "1.2.3.4",
>>>      "X-Forwarded-Host" : "host2",
>>>      "X-Forwarded-Proto" : "https"
>>>    }
>>> }
>>>
>>> Implementation is ready [2]; I just need to get feedback and add tests.
>>>
>>> In the future we can expand on this to for instance provide a health
>>> monitoring endpoint that allows checking the server health (JPA
>>> connections, Infinispan connections, IdP connections, user fed
>>> connections, etc.).
>>>
>>> [1] https://issues.jboss.org/browse/KEYCLOAK-4149
>>> [2] https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e05b22c23a8
>
>
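
Added example, not part of the original thread or of Keycloak's code: a Python check that reads the proxy provider JSON quoted above and reports where the server's own view (authServerUrl, remoteAddress) differs from what the proxy forwarded. It assumes a single trusted proxy that overwrites the X-Forwarded-* headers; `diagnose` and `first` are names chosen for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed input: the proxy provider output quoted in the thread.
SAMPLE = json.loads("""
{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "127.0.0.1",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "1.2.3.4",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}
""")


def first(value):
    """First entry of a comma-separated header value, trimmed, lower-cased."""
    return value.split(",")[0].strip().lower()


def diagnose(info):
    """Map each mismatching field to (value the server used, value forwarded).

    Assumption: one trusted proxy that overwrites the X-Forwarded-* headers,
    so the first entry of each header is what the server should adopt.
    "proxyDetected" is not interpreted; the thread does not define it.
    """
    headers = {k.lower(): v for k, v in info.get("headers", {}).items()}
    url = urlsplit(info["authServerUrl"])
    used = {
        "x-forwarded-proto": url.scheme.lower(),
        "x-forwarded-host": url.netloc.lower(),
        "x-forwarded-for": info["remoteAddress"].lower(),
    }
    return {
        name: (seen, first(headers[name]))
        for name, seen in used.items()
        if name in headers and first(headers[name]) != seen
    }


if __name__ == "__main__":
    for name, (seen, forwarded) in diagnose(SAMPLE).items():
        print(f"{name}: server used {seen!r}, proxy forwarded {forwarded!r}")
```

On the output quoted in the thread all three fields differ; an empty result means the server built its URL and client address from the forwarded values.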

