[keycloak-dev] next-gen Keycloak proxy
bburke at redhat.com
Mon Mar 13 23:19:29 EDT 2017
On 3/13/17 9:05 PM, Marc Boorshtein wrote:
> * Can/Should one Keycloak Proxy virtual host and proxy multiple
> apps in
> same instance? One thing stopping this is SSL. If Keycloak Proxy is
> handling SSL, then there is no possibility of virtual hosting. If the
> load balancer is handling SSL, then this is a possibility.
> You can have multiple virtual hosts with the TLS endpoint being KC.
> We do ti with OpenUnison and apache lets you do it I think with TLS
> 1.2 and apache 2.4 (I have a customer thats doing that right now so I
> know it works). So long as the cert has multiple Subject Alternative
> Names or is a wildcard it should work.
Didn't know that, I'll have to try it out. I thought the browser only
validated by looking at the CN. Thanks for that.
> * Keycloak Proxy currently needs an HttpSession as it stores
> authentication information (JWS access token and Refresh Token)
> there so
> it can forward it to the application. We'd have to either shrink
> information so it could be stored in a cookie, or replication
> THe latter of which would have the same issues with cross DC.
> OpenUnison originally took the "everything in a cookie" approach, the
> cookie quickly got too big to be effective and we had to switch to
> maintaining a backend session.
We already have a cookie option with our Java saml/oidc adapters that
some users prefer. Not everybody is trying to solve the worlds problems
with their identity tokens.
> I know I've brought this up before, but I'd like to offer up
> OpenUnison as a starting point:
> https://github.com/tremolosecurity/openunison. OU probably has 70%-80%
> of what you are looking for. It already has the reverse proxy code
> built in, written in Java, supports extensibility via multiple
> mechanisms, an authorization subsystem that can easily be extended to
> support an external az service and we have an extensible last mile
> system for legacy apps that don't support openid connect for apache,
> .net and Java. We also have multiple production deployments
> (including public safety applications).
> From a corporate standpoint we're already Red Hat partners at multiple
> levels. We're sponsoring Summit this year again and I'll be doing a
> session on OpenShift identity management and compliance.
So nice of you to hijack the thread to promote your own product. Not
very professional. Its a bit hypocritical of me to say this as I've
done it myself in the past and received a lot of crap for it. Now
that its being done to my project I can see why people get upset over
it. This isn't the first time you've done this. If you do it again,
we'll remove you from the list. I really don't give a shit if you're a
partner or not.
More information about the keycloak-dev