[keycloak-dev] Flexible HTTP Proxy support for HttpClientProvider

Thomas Darimont thomas.darimont at googlemail.com
Wed Oct 11 08:26:06 EDT 2017


Hello,

I've sent a PR [1] for KEYCLOAK-4743 [2] Add proxy support to
HttpClientProvider SPI.
The proposed implementation is based on the discussions from an older
(rejected) PR [3]

The current DefaultHttpClientProviderFactory doesn't support HTTP proxies,
which makes it very difficult to integrate social Identity Providers like
google / facebook etc. when you are required to tunnel all external
communications through a proxy server.

Server developers are currently required to either convince their network
admins to loosen the proxy rules ... or provide a custom implementation of a
HttpClientProvider, which is quite complex. Therefore it would be great if
keycloak would add support for this out of the box.

Since keycloak needs to be able to selectively use a (dedicated) proxy server
for external and potentially no proxy for internal connections, the
configuration for that needs to be quite flexible.

The current PR proposes to use an ordered list of proxy mappings that match a
HTTP request host based on a regex pattern to a proxy URI, which are processed
by a new ProxyMappingsAwareRoutePlanner that is added to the internal
HttpClient.

A ProxyMapping has the form hostname-pattern;proxy-uri e.g.:

      .*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080
      .*\.acme\.corp\.com;NO_PROXY
      .*;http://fallback:8080

(the catch-all is optional)
The first matching mapping defines the proxy to use. If no pattern matches,
then no proxy is used. One can also explicitly define that certain connections
should not use a proxy.

... and can be configured via jboss-cli

  echo SETUP: Configure proxy routes for HttpClient SPI

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",".*\\.acme\\.corp\\.com;NO_PROXY",".*;http://fallback:8080"])

This can be tested as follows:
1) Apply the PR in a branch and build a server distribution.
2) Start Keycloak with a port offset of 10000 for the http/https/ajp ports and
   configure the ProxyMappings in standalone.xml via jboss-cli:
  echo SETUP: Configure proxy routes for HttpClient SPI

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)

/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://localhost:8080"])

3) Download and start BurpSuite [4]
4) By default BurpSuite starts a proxy server on port 8080
5) Register google as auth provider and check the entries in the Burp proxy log
   (note that you potentially need to explicitly forward the request in the
   Proxy tab in Burp)

WDYT?

Cheers,
Thomas

[1] https://github.com/keycloak/keycloak/pull/4543
[2] https://issues.jboss.org/browse/KEYCLOAK-4743
[3] https://github.com/keycloak/keycloak/pull/4040
[4] https://portswigger.net/burp/help/suite_gettingstarted.html
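The first-match resolution described in the post, as an added example that is not part of the original message or of the Keycloak PR: a small Python model of the mapping rules (`hostname-pattern;proxy-uri` entries, the `NO_PROXY` literal, an optional catch-all, first match wins, no match means a direct connection), run over the three mappings the post shows. Full-pattern matching is this example's own assumption about the semantics, not something the post states, and the `to_jboss_cli_value` helper is an added convenience for producing the escaped list value used in the jboss-cli call.

```python
"""Model of the ProxyMappings resolution rules from the post.
Added illustration; not Keycloak's ProxyMappings / ProxyMappingsAwareRoutePlanner code."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

NO_PROXY = "NO_PROXY"   # literal from the post that forces a direct connection


@dataclass(frozen=True)
class ProxyMapping:
    host_pattern: "re.Pattern[str]"
    proxy_uri: Optional[str]   # None means "connect directly, no proxy"


def parse_proxy_mappings(entries: List[str]) -> List[ProxyMapping]:
    """Parse 'hostname-pattern;proxy-uri' entries, preserving order (order is significant)."""
    mappings = []
    for entry in entries:
        pattern, sep, proxy = entry.partition(";")
        if not sep or not pattern or not proxy:
            raise ValueError(f"malformed mapping {entry!r}, expected 'hostname-pattern;proxy-uri'")
        mappings.append(ProxyMapping(re.compile(pattern), None if proxy == NO_PROXY else proxy))
    return mappings


def resolve_proxy(mappings: List[ProxyMapping], hostname: str) -> Optional[str]:
    """First matching mapping wins; if nothing matches, no proxy is used.

    Assumption of this example: the pattern must cover the whole hostname
    (fullmatch), so '.*\\.google\\.com' is not satisfied by a substring hit on
    'www.google.com.attacker.example'. A search()-style match would route
    that host through the corporate proxy reserved for Google traffic."""
    for m in mappings:
        if m.host_pattern.fullmatch(hostname):
            return m.proxy_uri
    return None


def to_jboss_cli_value(entries: List[str]) -> str:
    """Render the list value for the jboss-cli write-attribute call.
    JSON string escaping doubles the regex backslashes exactly as the post's cli snippet does."""
    return json.dumps(entries)


# Constructed sample: the three mappings from the post, in the post's order.
SAMPLE_ENTRIES = [
    r".*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080",
    r".*\.acme\.corp\.com;NO_PROXY",
    r".*;http://fallback:8080",
]
SAMPLE_MAPPINGS = parse_proxy_mappings(SAMPLE_ENTRIES)


def resolve_sample(hostname: str) -> Optional[str]:
    """Resolve a hostname against the post's sample mappings."""
    return resolve_proxy(SAMPLE_MAPPINGS, hostname)


if __name__ == "__main__":
    for host in ("accounts.google.com", "www.googleapis.com", "ldap.acme.corp.com",
                 "graph.facebook.com", "google.com", "www.google.com.attacker.example"):
        print(f"{host:32} -> {resolve_sample(host)}")
    print(to_jboss_cli_value(SAMPLE_ENTRIES))
```

Two things the sample shows that the list alone does not: the bare apex `google.com` does not match `.*\.(google|googleapis)\.com` (the pattern demands a dot before `google`) and so falls through to the catch-all, and putting the `.*` catch-all first silences every later mapping, including the `NO_PROXY` entry for internal hosts.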
