[keycloak-dev] Reverse Proxy Docs (and general logging)

Evan Shortiss eshortis at redhat.com
Thu Aug 29 06:14:57 EDT 2019


Hi Bruno,

Thanks for the response. Good to know debug logging is planned.

> As you know "trust proxy" is already part of expressjs documentation[1].
> Maybe worth to add pointers to this documentation, instead of duplicate
> the information.


Are you saying "trust proxy" should not be mentioned at all in Keycloak
docs?

I'm not suggesting Keycloak has a duplicate of express docs, but it should
definitely mention it and link to the page. Keycloak requires "trust proxy"
to be "true" for almost any Node.js application since they usually run
behind a proxy, and currently the only place this setting is mentioned is
the last comment in a GitHub issue[1].

Just my 2 cents based on the experience I had working with the
Keycloak templates, and eventually my own app.

Thanks for the feedback.

[1] - https://github.com/keycloak/keycloak-nodejs-connect/pull/5#issuecomment-389101685

On Thu, Aug 29, 2019 at 11:00 AM Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Evan, my apologies for the late reply. For logging, we have a Jira
> for it: https://issues.jboss.org/browse/KEYCLOAK-5393. But we didn't
> have the time to work on it.
>
> As you know "trust proxy" is already part of expressjs documentation[1].
> Maybe worth to add pointers to this documentation, instead of duplicate
> the information. And about the example, I'd just leave it as is, adding
> comments to the code may give people the false impression that's
> something specific to Keycloak.
>
>
> [1] - https://expressjs.com/en/guide/behind-proxies.html
>
> On 2019-08-07, Evan Shortiss wrote:
> > Hi folks,
> >
> > I was working on a Keycloak Node.js demo this morning and couldn't figure out
> > why it was incorrectly constructing my *redirect_uri* for a public client.
> > Instead of using HTTPS it was using HTTP - my application was served over
> > HTTPS.
> >
> > I thought it might be a bug in keycloak-connect, but turns out it's
> > related to the "trust proxy" setting in express. This is fine, it makes
> > sense to use standard Node.js/Express environment settings to manage this 👍
> >
> > My question is: should debug logging be added in the adapter to help debug
> > such issues? If I could have run my project with a
> > *DEBUG=keycloak-connect* environment
> > variable set and had logs such as those below it could have been helpful.
> >
> > I think it's also worth adding a commented line to the Node.js example(s)
> > with "trust proxy" set to "true", and a comment above explaining you need
> > to uncomment it if behind a reverse proxy. I'm not sure if the various Java
> > example(s) require a similar setting/comment.
> >
> > When I Googled I didn't find any hits in the Keycloak docs for "reverse
> > proxy" so might be worth a docs update too?
> >
> > keycloak-connect:protect - creating login url
> > keycloak-connect:protect - incoming request.protocol is "http"
> > keycloak-connect:protect - WARNING request.protocol is "http" but "x-forwarded-proto" is "https", "trust proxy" setting might be incorrectly set
> > keycloak-connect:protect - login url is $SOME_URL
> >
> > --
> >
> > Evan Shortiss
> >
> > Technical Marketing Manager
> >
> > Red Hat NA <https://www.redhat.com/>
> >
> > Los Angeles
> >
> > evan.shortiss at redhat.com
> > M: +1-781-354-2834     IM: evanshortiss
> > <https://www.redhat.com/>
>
> --
>
> abstractj
>


-- 

Evan Shortiss

Technical Marketing Manager

Red Hat NA <https://www.redhat.com/>

Los Angeles

evan.shortiss at redhat.com
M: +1-781-354-2834     IM: evanshortiss
<https://www.redhat.com/>
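
Added example, not part of the thread and not keycloak-connect or Express code: a simplified model of how the protocol seen by the application depends on "trust proxy", with a hypothetical diagnostic that emits the kind of warning proposed above. The function names, the request object and the redirect_uri construction are assumptions made for illustration.

```javascript
// Simplified model (not Express source) of how req.protocol is derived.
// trustProxy=false: forwarded headers are ignored, the socket decides.
// trustProxy=true:  X-Forwarded-Proto is believed from whoever connects.
function effectiveProtocol(req, trustProxy) {
  const socketProto = req.encrypted ? 'https' : 'http';
  if (!trustProxy) return socketProto;
  const header = req.headers['x-forwarded-proto'] || socketProto;
  return header.split(',')[0].trim(); // left-most value when proxies are chained
}

// Hypothetical diagnostic: reports a mismatch between the protocol the app
// will use and the one the proxy announced, then shows the resulting URL.
function diagnose(req, trustProxy) {
  const protocol = effectiveProtocol(req, trustProxy);
  const forwarded = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  const lines = [`incoming request.protocol is "${protocol}"`];
  if (forwarded && forwarded !== protocol) {
    lines.push(`WARNING request.protocol is "${protocol}" but ` +
      `"x-forwarded-proto" is "${forwarded}", ` +
      '"trust proxy" setting might be incorrectly set');
  }
  // Assumed construction: scheme + Host header + path.
  const redirectUri = `${protocol}://${req.headers.host}${req.url}`;
  lines.push(`redirect_uri is ${redirectUri}`);
  return { protocol, redirectUri, lines };
}

// Constructed request: TLS terminates at the proxy, plain HTTP reaches Node.
const sampleRequest = {
  encrypted: false,
  url: '/protected',
  headers: { host: 'app.example.com', 'x-forwarded-proto': 'https' },
};

// In a real Express app the setting is app.set('trust proxy', <value>).
// With `true` the header is accepted from any peer, so enable it only when
// the app is reachable solely through the proxy, or give Express the
// proxy's address or a hop count instead of `true`.
for (const trust of [false, true]) {
  console.log(`trust proxy = ${trust}`);
  for (const line of diagnose(sampleRequest, trust).lines) {
    console.log(`  keycloak-connect:protect - ${line}`);
  }
}
```

With "trust proxy" off, the model reproduces the symptom from the thread (an http redirect_uri plus the warning); with it on, the URL uses https and no warning is emitted.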

