[keycloak-dev] Flexible HTTP Proxy support for HttpClientProvider

Thomas Darimont thomas.darimont at googlemail.com
Mon Oct 16 08:00:33 EDT 2017


Hello,

I agree that one needs to be able to test this automatically... but this
needs some additional thought.
For now how about rolling out the proxy support behind a feature flag and
ask the community for feedback?

I tested this for Google APIs, but I'd assume that, since the proxy is
transparently applied in case the target hostname of a request matches the
configured proxy pattern, it will work just fine.

Btw. I just gave this a try with the registration recaptcha and it worked
fine.

I had to adjust the default Content-Security-Policy sent by Keycloak though:
from:
  frame-src self; frame-ancestors 'self'; object-src 'none';
to:
  frame-src self https://www.google.com/recaptcha/; frame-ancestors 'self'; object-src 'none';

One thing that is currently missing in the proxy support is support for
proxy authentication, but this could be added later.

Cheers,
Thomas

2017-10-16 12:55 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:

> We'd need some way of automatically testing HTTP proxy support, which is
> non-trivial. The steps you've listed only manually checks Google, but what
> about everything else that may need to go through the HTTP proxy? Captcha,
> other IdPs, external clients, etc..
>
> On 11 October 2017 at 14:26, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> I've sent a PR [1] for KEYCLOAK-4743 [2] "Add proxy support to
>> HttpClientProvider SPI".
>> The proposed implementation is based on the discussions from an older
>> (rejected) PR [3].
>>
>> The current DefaultHttpClientProviderFactory doesn't support HTTP proxies,
>> which makes it very difficult to integrate social Identity Providers like
>> Google / Facebook etc. when you are required to tunnel all external
>> communications through a proxy server.
>>
>> Server developers are currently required to either convince their network
>> admins to loosen the proxy rules ... or provide a custom implementation of
>> an HttpClientProvider, which is quite complex. Therefore it would be great
>> if Keycloak would add support for this out of the box.
>>
>> Since Keycloak needs to be able to selectively use a (dedicated) proxy
>> server for external connections and potentially no proxy for internal
>> connections, the configuration for that needs to be quite flexible.
>>
>> The current PR proposes to use an ordered list of proxy mappings that map
>> an HTTP request host, based on a regex pattern, to a proxy URI; these are
>> processed by a new ProxyMappingsAwareRoutePlanner that is added to the
>> internal HttpClient.
>>
>> A ProxyMapping has the form hostname-pattern;proxy-uri e.g.:
>>
>>       .*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080
>>       .*\.acme\.corp\.com;NO_PROXY
>>       .*;http://fallback:8080
>>
>> (the catch-all is optional)
>> The first matching mapping defines the proxy to use. If no pattern matches,
>> then no proxy is used. One can also explicitly define that certain
>> connections should not use a proxy.
>>
>> ... and can be configured via jboss-cli
>>
>>   echo SETUP: Configure proxy routes for HttpClient SPI
>>
>>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>>
>>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.corp.com:8080",".*\\.acme\\.corp\\.com;NO_PROXY",".*;http://fallback:8080"])
>>
>> This can be tested as follows:
>> 1) Apply the PR in branch, build a server distribution.
>> 2) Start Keycloak with portOffset 10000 for the http/https/ajp ports.
>> Configure the ProxyMappings in standalone.xml via jboss-cli:
>>   echo SETUP: Configure proxy routes for HttpClient SPI
>>
>>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
>>
>>   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://localhost:8080"])
>>
>> 3) Download and start Burp Suite [4]
>> 4) By default Burp Suite starts a proxy server on port 8080
>> 5) Register Google as auth provider and check the entries in the Burp proxy log
>>    (Note that you potentially need to explicitly forward the request in
>>    the Proxy tab in Burp)
>>
>> WDYT?
>>
>> Cheers,
>> Thomas
>>
>> [1] https://github.com/keycloak/keycloak/pull/4543
>> [2] https://issues.jboss.org/browse/KEYCLOAK-4743
>> [3] https://github.com/keycloak/keycloak/pull/4040
>> [4] https://portswigger.net/burp/help/suite_gettingstarted.html
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>

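The mapping semantics proposed in the quoted message (ordered list of "hostname-pattern;proxy-uri" entries, first match wins, NO_PROXY forces a direct connection, no match means no proxy, catch-all optional) are worked through below as an added, stand-alone Python example. It is not Keycloak's ProxyMappingsAwareRoutePlanner and not code from the thread; it assumes that a pattern must match the whole target hostname (fullmatch, so `.*\.google\.com` does not match `www.google.com.attacker.example`), that hostname matching is case-insensitive, that the entry separator is the last `;`, and that only absolute http(s) proxy URIs are accepted. The sample configuration at the bottom is the three-entry list from the message.

```python
"""Resolve which HTTP proxy to use for a target host from an ordered list of
"hostname-pattern;proxy-uri" mappings, as described in the thread: the first
matching pattern wins, NO_PROXY forces a direct connection, and no match at
all also means no proxy. Stand-alone illustration only; this is not
Keycloak's ProxyMappingsAwareRoutePlanner."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

NO_PROXY = "NO_PROXY"


@dataclass(frozen=True)
class ProxyMapping:
    host_pattern: "re.Pattern[str]"
    proxy_uri: Optional[str]  # None means "connect directly" (NO_PROXY)

    @classmethod
    def parse(cls, mapping: str) -> "ProxyMapping":
        """Parse one 'hostname-pattern;proxy-uri' entry.

        Assumption: the separator is the LAST ';' in the entry, so the regex
        may itself contain ';' but the proxy URI may not."""
        pattern, sep, proxy = mapping.strip().rpartition(";")
        if not sep or not pattern or not proxy:
            raise ValueError(f"mapping must look like 'pattern;proxy-uri': {mapping!r}")
        try:
            # Assumption: DNS names are case-insensitive, so the regex is too.
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"invalid hostname regex {pattern!r}: {exc}") from exc
        if proxy == NO_PROXY:
            return cls(compiled, None)
        parsed = urlparse(proxy)
        # Assumption: only absolute http(s)://host[:port] proxy URIs are accepted,
        # so a typo like "www-proxy:8080" fails at configuration time, not at runtime.
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError(f"proxy uri must be http(s)://host[:port]: {proxy!r}")
        return cls(compiled, proxy)


def parse_mappings(entries: List[str]) -> List[ProxyMapping]:
    """Order is significant: the first matching entry wins."""
    return [ProxyMapping.parse(entry) for entry in entries]


def resolve_proxy(mappings: List[ProxyMapping], target_host: str) -> Optional[str]:
    """Return the proxy URI to use for target_host, or None for a direct connection.

    Assumption: the pattern has to match the WHOLE hostname (fullmatch). With a
    search()-style match, '.*\\.google\\.com' would also send requests for
    'www.google.com.attacker.example' through the Google proxy."""
    for mapping in mappings:
        if mapping.host_pattern.fullmatch(target_host):
            return mapping.proxy_uri  # first match wins, even if it is NO_PROXY
    return None  # nothing matched: no proxy


if __name__ == "__main__":
    # Constructed input: the three-entry configuration from the thread.
    corp = parse_mappings([
        r".*\.(google|googleapis)\.com;http://www-proxy.acme.corp.com:8080",
        r".*\.acme\.corp\.com;NO_PROXY",
        r".*;http://fallback:8080",
    ])
    for host in ("accounts.google.com", "ldap.acme.corp.com", "graph.facebook.com"):
        print(f"{host:24} -> {resolve_proxy(corp, host) or 'direct'}")
```

Note that the first pattern as written requires at least one label before `google.com`: the bare host `google.com` does not match `.*\.google\.com` and falls through to the next entry (or to a direct connection when there is no catch-all), which is worth keeping in mind when reproducing the Burp test from the message with `.*\.(google|googleapis)\.com;http://localhost:8080` as the only entry.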
