[keycloak-dev] Flexible HTTP Proxy support for HttpClientProvider

Stian Thorgersen sthorger at redhat.com
Mon Oct 16 06:55:36 EDT 2017


We'd need some way of automatically testing HTTP proxy support, which is
non-trivial. The steps you've listed only manually check Google, but what
about everything else that may need to go through the HTTP proxy? Captcha,
other IdPs, external clients, etc.

On 11 October 2017 at 14:26, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello,
>
> I've sent a PR [1] for KEYCLOAK-4743 [2] Add proxy support to
> HttpClientProvider SPI.
> The proposed implementation is based on the discussions from an older
> (rejected) PR [3]
>
> The current DefaultHttpClientProviderFactory doesn't support HTTP proxies,
> which makes it very difficult to integrate social Identity Providers like
> google / facebook etc. when you are required to tunnel all external
> communications through a proxy server.
>
> Server Developers are currently required to either convince their network
> admins to loosen the proxy rules ... or provide a custom implementation of a
> HttpClientProvider, which is quite complex. Therefore it would be great if
> keycloak would add support for this out of the box.
>
> Since keycloak needs to be able to selectively use a (dedicated) proxy server
> for external and potentially no proxy for internal connections, the
> configuration for that needs to be quite flexible.
>
> The current PR proposes to use an ordered list of proxy mappings that match
> an http request host based on a regex pattern to a proxy uri, which are
> processed by a new ProxyMappingsAwareRoutePlanner that is added to the
> internal HttpClient.
>
> A ProxyMapping has the form hostname-pattern;proxy-uri e.g.:
>
>       .*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080
>       .*\.acme\.corp\.com;NO_PROXY
>       .*;http://fallback:8080
>
> (the catch all is optional)
> The first matching mapping defines the proxy to use. If no pattern matches
> then no proxy is used. One can also explicitly define that certain
> connections should not use a proxy.
>
> ... and can be configured via jboss-cli
>
>   echo SETUP: Configure proxy routes for HttpClient SPI
>
>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>
>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",".*\\.acme\\.corp\\.com;NO_PROXY",".*;http://fallback:8080"])
>
> This can be tested as follows:
> 1) Apply the PR in branch, build a server distribution.
> 2) Start Keycloak with portOffset 10000 for http/https/ajp port.
> Configure the ProxyMappings in standalone.xml:
> via jboss-cli:
>   echo SETUP: Configure proxy routes for HttpClient SPI
>
>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>
>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://localhost:8080"])
>
> 3) Download and start BurpSuite [4]
> 4) By default burpsuite starts a proxy server on port 8080
> 5) Register google as auth provider and check entries in burp proxy log
>    (Note that you potentially need to explicitly forward the request in the
> proxy tab in Burp)
>
> WDYT?
>
> Cheers,
> Thomas
>
> [1] https://github.com/keycloak/keycloak/pull/4543
> [2] https://issues.jboss.org/browse/KEYCLOAK-4743
> [3] https://github.com/keycloak/keycloak/pull/4040
> [4] https://portswigger.net/burp/help/suite_gettingstarted.html
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
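The mapping semantics described in the quoted mail (an ordered list of `hostname-pattern;proxy-uri` entries, first match wins, `NO_PROXY` forces a direct connection, no match means no proxy), as an added stand-alone illustration that is not Keycloak's code and not the PR's implementation. The class and method names (`ProxyMappingsDemo`, `ProxyMapping.parse`, `resolve`) are assumptions; the three mapping strings and the `NO_PROXY` sentinel are the ones from the mail, and the host names in `main` are constructed samples. The pattern is matched against the whole host name rather than searched as a substring, so `.*\.(google|googleapis)\.com` does not also send a look-alike host such as `www.google.com.example.net` through the proxy meant for Google; that anchoring is the check worth verifying in any implementation, because the mapping list decides which traffic leaves the internal network and through which hop.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Demonstration (hypothetical, not Keycloak's code) of the
 * "hostname-pattern;proxy-uri" mapping format from the thread.
 */
public final class ProxyMappingsDemo {

    /** Sentinel from the thread: route this host directly, without a proxy. */
    static final String NO_PROXY = "NO_PROXY";

    /** One parsed mapping: a host pattern and the proxy to use (empty = direct). */
    static final class ProxyMapping {
        final Pattern hostPattern;
        final Optional<URI> proxy;

        ProxyMapping(Pattern hostPattern, Optional<URI> proxy) {
            this.hostPattern = hostPattern;
            this.proxy = proxy;
        }

        /** Parses "pattern;proxy-uri" or "pattern;NO_PROXY". */
        static ProxyMapping parse(String mapping) {
            // Split on the last ';' so a ';' inside the regex cannot confuse the parser.
            int sep = mapping.lastIndexOf(';');
            if (sep < 0) {
                throw new IllegalArgumentException("expected 'pattern;proxy-uri': " + mapping);
            }
            Pattern pattern = Pattern.compile(mapping.substring(0, sep).trim());
            String target = mapping.substring(sep + 1).trim();
            Optional<URI> proxy = NO_PROXY.equals(target)
                    ? Optional.empty()
                    : Optional.of(URI.create(target));
            return new ProxyMapping(pattern, proxy);
        }
    }

    /** Ordered mapping list; the first matching entry decides. */
    static final class ProxyMappings {
        private final List<ProxyMapping> mappings;

        ProxyMappings(List<String> rawMappings) {
            List<ProxyMapping> parsed = new ArrayList<>();
            for (String raw : rawMappings) {
                parsed.add(ProxyMapping.parse(raw));
            }
            this.mappings = parsed;
        }

        /**
         * Returns the proxy for the host, or empty for a direct connection.
         * matches() checks the whole host name; find() would also accept
         * "www.google.com.example.net" for the pattern ".*\\.google\\.com".
         */
        Optional<URI> resolve(String host) {
            for (ProxyMapping m : mappings) {
                if (m.hostPattern.matcher(host).matches()) {
                    return m.proxy;      // first match wins; NO_PROXY yields empty
                }
            }
            return Optional.empty();     // no mapping matched: direct connection
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: the three mappings from the mail.
        ProxyMappings mappings = new ProxyMappings(List.of(
                ".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",
                ".*\\.acme\\.corp\\.com;NO_PROXY",
                ".*;http://fallback:8080"));

        // Constructed sample hosts covering each branch of the semantics.
        String[] hosts = {
                "accounts.google.com",        // first entry: corporate proxy
                "idp.acme.corp.com",          // second entry: NO_PROXY beats the catch-all
                "login.example.org",          // no specific entry: catch-all fallback proxy
                "www.google.com.example.net"  // look-alike host: catch-all, not the google proxy
        };
        for (String host : hosts) {
            System.out.printf("%-28s -> %s%n", host,
                    mappings.resolve(host).map(URI::toString).orElse("direct (no proxy)"));
        }
    }
}
```

Compile and run with `javac ProxyMappingsDemo.java && java ProxyMappingsDemo` (Java 9 or newer for `List.of`). The backslashes are doubled in the Java string literals for the same reason they are doubled in the jboss-cli commands quoted above: both layers need a literal `\.` to reach the regex engine.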

