[keycloak-dev] Reverse Proxy Docs (and general logging)

Bruno Oliveira bruno at abstractj.org
Thu Aug 29 06:58:54 EDT 2019 

On 2019-08-29, Evan Shortiss wrote:
> Hi Bruno,
> 
> Thanks for the response. Good to know debug logging is planned.
> 
> As you know "trust proxy" is already part of expressjs documentation[1].
> > Maybe worth to add pointers to this documentation, instead of duplicate
> > the information.
> 
> 
> Are you saying "trust proxy" should not be mentioned at all in Keycloak
> docs?
> 
> I'm not suggesting Keycloak has a duplicate of express docs, but it should
> definitely mention it and link to the page. Keycloak requires "trust proxy"
> to be "true" for almost any Node.js application since they usually run
> behind a proxy, and currently the only place this setting is mentioned is
> the last comment in a GitHub issue[1].
> 
> Just my 2 cents based on the experience I had working working with the
> Keycloak templates, and eventually my own app.

Sure, let's do this Evan. If you get the chance, please submit a change
to https://github.com/keycloak/keycloak-documentation/blob/b220c0d5bccc38a6b61dd07119f9c47ccca1b992/securing_apps/topics/oidc/nodejs-adapter.adoc.

Thanks in advance.

> 
> Thanks for the feedback.
> 
> [1] -
> https://github.com/keycloak/keycloak-nodejs-connect/pull/5#issuecomment-389101685
> 
> On Thu, Aug 29, 2019 at 11:00 AM Bruno Oliveira <bruno at abstractj.org> wrote:
> 
> > Hi Evan, my apologies for the late reply. For logging, we have a Jira
> > for it: https://issues.jboss.org/browse/KEYCLOAK-5393. But we didn't
> > have the time to work on it.
> >
> > As you know "trust proxy" is already part of expressjs documentation[1].
> > Maybe worth to add pointers to this documentation, instead of duplicate
> > the information. And about the example, I'd just leave it as is, adding
> > comments to the code may give people the false impression that's
> > something specific to Keycloak.
> >
> >
> > [1] - https://expressjs.com/en/guide/behind-proxies.html
> >
> > On 2019-08-07, Evan Shortiss wrote:
> > > Hi folks,
> > >
> > > I was working on Keycloak Node.js demo this morning and couldn't figure
> > out
> > > why it was incorrectly constructing my *redirect_uri* for a public
> > client.
> > > Instead of using HTTPS it was using HTTP - my application was served over
> > > HTTPS.
> > >
> > > I thought it was might be a bug in keycloak-connect, but turns out it's
> > > related to the "trust proxy" setting in express. This is fine, it makes
> > > sense to use standard Node.js/Express environment settings to manage
> > this 👍
> > >
> > > My question is: should debug logging be added in the adapter to help
> > debug
> > > such issues? If I could have run my project with a
> > > *DEBUG=keycloak-connect* environment
> > > variable set and had logs such as those below it could have been helpful.
> > >
> > > I think it's also worth adding commented a line to the Node.js example(s)
> > > with "trust proxy" set to "true", and a comment above explaining you need
> > > to uncomment it if behind a reverse proxy. I'm not sure if the various
> > Java
> > > example(s) require a similar setting/comment.
> > >
> > > When I Googled I didn't find any hits in the Keycloak docs for "reverse
> > > proxy" so might be worth a docs update too?
> > >
> > > keycloak-connect:protect - creating login url
> > > keycloak-connect:protect - incoming request.protocol is "http"
> > > keycloak-connect:protect - WARNING request.protocol is "http" but
> > > "x-forwarded-proto"
> > > is "https", "trust proxy" setting might be incorrectly set
> > > keycloak-connect:protect - login url is $SOME_URL
> > >
> > > --
> > >
> > > Evan Shortiss
> > >
> > > Technical Marketing Manager
> > >
> > > Red Hat NA <https://www.redhat.com/>
> > >
> > > Los Angeles
> > >
> > > evan.shortiss at redhat.com
> > > M: +1-781-354-2834     IM: evanshortiss
> > > <https://www.redhat.com/>
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> >
> > abstractj
> >
> 
> 
> -- 
> 
> Evan Shortiss
> 
> Technical Marketing Manager
> 
> Red Hat NA <https://www.redhat.com/>
> 
> Los Angeles
> 
> evan.shortiss at redhat.com
> M: +1-781-354-2834     IM: evanshortiss
> <https://www.redhat.com/>

-- 

abstractj

More information about the keycloak-dev mailing list