[keycloak-dev] Info endpoint to simplify debugging proxy config
Marek Posolda
mposolda at redhat.com
Mon Jan 9 04:53:07 EST 2017
+1
Marek
On 09/01/17 10:41, Stian Thorgersen wrote:
> True, didn't consider that part. The real-time info should probably be
> moved to the info endpoint, while the list/details about providers
> kept at ServerInfoAdminResource.
>
> On 9 January 2017 at 09:05, Marek Posolda <mposolda at redhat.com> wrote:
>
> Current ServerInfoAdminResource provides information about
> available providers etc, but also some real-time info about
> system, CPU, memory etc. Isn't that similar to the health-checks
> in the new endpoint, which you are proposing?
>
> Marek
>
>
> On 09/01/17 08:42, Stian Thorgersen wrote:
>> Maybe, but I don't see any real benefit in doing that. The two
>> serve quite different purposes as well.
>>
>> On 6 January 2017 at 16:21, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> +1
>>
>> I wonder if it's cleaner that we also add existing stuff in
>> ServerInfoAdminResource to this SPI?
>>
>> One minor thing, it seems there is no handling of preflight
>> OPTIONS requests in your new endpoint?
>>
>> Marek
>>
>>
>> On 06/01/17 09:31, Stian Thorgersen wrote:
>>
>> I've been looking at some issues with reverse proxy when Keycloak is
>> installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
>> inconvenient and not straightforward to debug if the proxy configuration is
>> correct.
>>
>> To verify URLs you have to for example open the well-known endpoint for
>> OIDC. Then you have to verify the remote IP address by doing a failed login
>> attempt and looking at the server log.
>>
>> To make this simpler I propose adding the start of a server info endpoint.
>> It will be a SPI that allows plugging in server info providers that can
>> show different details if authenticated or not.
>>
>> You can either view info for all providers at a time with
>> "/realms/master/.info" or for a specific provider
>> "/realms/master/.info/proxy".
>>
>> The proxy info provider will display:
>>
>> {
>>   "authServerUrl" : "http://host1/auth",
>>   "remoteAddress" : "127.0.0.1",
>>   "proxyDetected" : true,
>>   "headers" : {
>>     "Host" : "host1",
>>     "X-Forwarded-For" : "1.2.3.4",
>>     "X-Forwarded-Host" : "host2",
>>     "X-Forwarded-Proto" : "https"
>>   }
>> }
>>
>> Implementation is ready [2] I just need to get feedback and add tests.
>>
>> In the future we can expand on this to for instance provide a health
>> monitoring endpoint that allows checking the server health (JPA
>> connections, Infinispan connections, IdP connections, user fed connections,
>> etc.).
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-4149
>> [2] https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e05b22c23a8
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
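
A small checker for the proxy info response quoted in the thread above, added here as an example; it is not part of the thread or of Keycloak's code. It assumes, from the field names only, that `authServerUrl` is the base URL the server derives for itself and `remoteAddress` is the client address it sees; `diagnose` and `trusted_hops` are hypothetical names.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the response body quoted in the thread above.
SAMPLE = """{
  "authServerUrl": "http://host1/auth",
  "remoteAddress": "127.0.0.1",
  "proxyDetected": true,
  "headers": {
    "Host": "host1",
    "X-Forwarded-For": "1.2.3.4",
    "X-Forwarded-Host": "host2",
    "X-Forwarded-Proto": "https"
  }
}"""

def diagnose(info, trusted_hops=1):
    """Return findings where the server's view disagrees with the forwarded headers.

    Assumption: authServerUrl is the URL the server builds for itself and
    remoteAddress is the client address it would write to its log.
    """
    headers = {k.lower(): v for k, v in info.get("headers", {}).items()}
    url = urlsplit(info["authServerUrl"])
    findings = []

    proto = headers.get("x-forwarded-proto")
    if proto and url.scheme != proto.lower():
        findings.append(f"scheme: server uses {url.scheme}, proxy forwarded {proto}")

    fwd_host = headers.get("x-forwarded-host")
    if fwd_host and url.netloc.lower() != fwd_host.lower():
        findings.append(f"host: server uses {url.netloc}, proxy forwarded {fwd_host}")

    xff = [p.strip() for p in headers.get("x-forwarded-for", "").split(",") if p.strip()]
    if xff:
        # Entries left of the trusted hops are client-supplied and spoofable,
        # so expect the address appended by the outermost trusted proxy.
        expected = xff[-trusted_hops] if trusted_hops <= len(xff) else xff[0]
        if ipaddress.ip_address(info["remoteAddress"]) != ipaddress.ip_address(expected):
            findings.append(f"client: server sees {info['remoteAddress']}, expected {expected}")
    return findings

if __name__ == "__main__":
    for line in diagnose(json.loads(SAMPLE)) or ["forwarded headers are applied consistently"]:
        print(line)
```

Under these assumptions the quoted sample produces three findings (scheme, host and client address), which is how a server that is not applying the forwarded headers would look.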