[keycloak-dev] next-gen Keycloak proxy

Bill Burke bburke at redhat.com
Mon Mar 13 23:19:29 EDT 2017

On 3/13/17 9:05 PM, Marc Boorshtein wrote:
>     * Can/Should one Keycloak Proxy virtual host and proxy multiple apps in
>     the same instance?  One thing stopping this is SSL.  If Keycloak Proxy is
>     handling SSL, then there is no possibility of virtual hosting.  If the
>     load balancer is handling SSL, then this is a possibility.
> You can have multiple virtual hosts with the TLS endpoint being KC.  
> We do it with OpenUnison and Apache lets you do it I think with TLS 
> 1.2 and Apache 2.4 (I have a customer that's doing that right now so I 
> know it works).  So long as the cert has multiple Subject Alternative 
> Names or is a wildcard it should work.
Didn't know that, I'll have to try it out.  I thought the browser only 
validated by looking at the CN.  Thanks for that.

>     * Keycloak Proxy currently needs an HttpSession as it stores
>     authentication information (JWS access token and Refresh Token) there so
>     it can forward it to the application.  We'd have to either shrink the
>     needed information so it could be stored in a cookie, or replicate
>     sessions.  The latter of which would have the same issues with cross DC.
> OpenUnison originally took the "everything in a cookie" approach, the 
> cookie quickly got too big to be effective and we had to switch to 
> maintaining a backend session.
We already have a cookie option with our Java saml/oidc adapters that 
some users prefer.  Not everybody is trying to solve the world's problems 
with their identity tokens.
> I know I've brought this up before, but I'd like to offer up 
> OpenUnison as a starting point: 
> https://github.com/tremolosecurity/openunison. OU probably has 70%-80% 
> of what you are looking for.  It already has the reverse proxy code 
> built in, written in Java, supports extensibility via multiple 
> mechanisms, an authorization subsystem that can easily be extended to 
> support an external az service and we have an extensible last mile 
> system for legacy apps that don't support openid connect for apache, 
> .net and Java.  We also have multiple production deployments 
> (including public safety applications).

> From a corporate standpoint we're already Red Hat partners at multiple 
> levels.  We're sponsoring Summit this year again and I'll be doing a 
> session on OpenShift identity management and compliance.
So nice of you to hijack the thread to promote your own product. Not 
very professional.  It's a bit hypocritical of me to say this as I've 
done it myself in the past and received a lot of crap for it.  Now 
that it's being done to my project I can see why people get upset over 
it.  This isn't the first time you've done this. If you do it again, 
we'll remove you from the list.  I really don't give a shit if you're a 
partner or not.
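As an added illustration of the certificate point raised in the quoted exchange above (example code written for this page, not code from Keycloak, OpenUnison or either author), the following Python reimplements the hostname-matching rule an RFC 6125 client applies when one TLS endpoint fronts several virtual hosts: the subjectAltName DNS entries are what is checked, a wildcard covers exactly one leftmost label, and the Common Name is only a legacy fallback consulted when the certificate carries no SAN DNS names at all. The certificate data and host names below are constructed sample values; `check_proxy_coverage` is a hypothetical helper an operator could run before deploying a multi-host proxy.

```python
import re

# Constructed sample: the names on one server certificate that is meant to
# front several virtual hosts behind a single TLS endpoint (example values only).
SAMPLE_CERT = {
    "subject_cn": "proxy.example.test",
    "san_dns": ["app1.example.test", "app2.example.test", "*.apps.example.test"],
}

# Constructed sample: the virtual hosts the proxy is configured to serve.
SAMPLE_VHOSTS = ["app1.example.test", "reports.apps.example.test", "proxy.example.test"]

_LABEL_RE = re.compile(r"^[a-z0-9-]+$")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of a presented DNS name against a hostname.

    A wildcard is accepted only as the entire leftmost label, only when at
    least two labels follow it, and it never spans a dot, so "*.apps.example.test"
    covers "x.apps.example.test" but neither "a.b.apps.example.test" nor
    "apps.example.test" itself.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(_LABEL_RE.match(label) for label in h_labels):
        return False  # hostname itself is malformed; never match it
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # wildcard in a non-leftmost label or in a too-short name
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the certificate's names cover hostname.

    When the certificate has SAN DNS names, only those are consulted and the
    CN is ignored (RFC 6125 section 6.4.4); the CN is used only as a fallback
    for certificates that carry no SAN DNS names at all.
    """
    sans = cert.get("san_dns") or []
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    cn = cert.get("subject_cn")
    return bool(cn) and dns_name_matches(cn, hostname)


def check_proxy_coverage(cert: dict, vhosts: list) -> list:
    """Hypothetical pre-deployment check: return the virtual hosts that the
    certificate would NOT validate for, so a misconfiguration is caught before
    a browser reports a name mismatch."""
    return [host for host in vhosts if not cert_matches_host(cert, host)]


if __name__ == "__main__":
    missing = check_proxy_coverage(SAMPLE_CERT, SAMPLE_VHOSTS)
    for host in SAMPLE_VHOSTS:
        print(f"{host}: {'covered' if host not in missing else 'NOT covered'}")
```

Run as a script, the check reports `proxy.example.test` as not covered even though it is the certificate's CN, because the certificate carries SAN DNS names and a conforming client then ignores the CN entirely; adding it as a further SAN entry fixes that. For real connections Python's `ssl` module performs this check itself when `check_hostname` is enabled; the reimplementation here exists only to make the rule visible.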