[keycloak-dev] Reverse Proxy Docs (and general logging)

Evan Shortiss eshortis at redhat.com
Fri Aug 30 05:17:58 EDT 2019


Will do. Thanks!

On Thu, Aug 29, 2019 at 11:59 AM Bruno Oliveira <bruno at abstractj.org> wrote:

> On 2019-08-29, Evan Shortiss wrote:
> > Hi Bruno,
> >
> > Thanks for the response. Good to know debug logging is planned.
> >
> > As you know "trust proxy" is already part of expressjs documentation[1].
> > > Maybe worth to add pointers to this documentation, instead of duplicate
> > > the information.
> >
> >
> > Are you saying "trust proxy" should not be mentioned at all in Keycloak
> > docs?
> >
> > I'm not suggesting Keycloak has a duplicate of express docs, but it
> should
> > definitely mention it and link to the page. Keycloak requires "trust
> proxy"
> > to be "true" for almost any Node.js application since they usually run
> > behind a proxy, and currently the only place this setting is mentioned is
> > the last comment in a GitHub issue[1].
> >
> > Just my 2 cents based on the experience I had working working with the
> > Keycloak templates, and eventually my own app.
>
> Sure, let's do this Evan. If you get the chance, please submit a change
> to
> https://github.com/keycloak/keycloak-documentation/blob/b220c0d5bccc38a6b61dd07119f9c47ccca1b992/securing_apps/topics/oidc/nodejs-adapter.adoc
> .
>
> Thanks in advance.
>
> >
> > Thanks for the feedback.
> >
> > [1] -
> >
> https://github.com/keycloak/keycloak-nodejs-connect/pull/5#issuecomment-389101685
> >
> > On Thu, Aug 29, 2019 at 11:00 AM Bruno Oliveira <bruno at abstractj.org>
> wrote:
> >
> > > Hi Evan, my apologies for the late reply. For logging, we have a Jira
> > > for it: https://issues.jboss.org/browse/KEYCLOAK-5393. But we didn't
> > > have the time to work on it.
> > >
> > > As you know "trust proxy" is already part of expressjs
> documentation[1].
> > > Maybe worth to add pointers to this documentation, instead of duplicate
> > > the information. And about the example, I'd just leave it as is, adding
> > > comments to the code may give people the false impression that's
> > > something specific to Keycloak.
> > >
> > >
> > > [1] - https://expressjs.com/en/guide/behind-proxies.html
> > >
> > > On 2019-08-07, Evan Shortiss wrote:
> > > > Hi folks,
> > > >
> > > > I was working on Keycloak Node.js demo this morning and couldn't
> figure
> > > out
> > > > why it was incorrectly constructing my *redirect_uri* for a public
> > > client.
> > > > Instead of using HTTPS it was using HTTP - my application was served
> over
> > > > HTTPS.
> > > >
> > > > I thought it was might be a bug in keycloak-connect, but turns out
> it's
> > > > related to the "trust proxy" setting in express. This is fine, it
> makes
> > > > sense to use standard Node.js/Express environment settings to manage
> > > this 👍
> > > >
> > > > My question is: should debug logging be added in the adapter to help
> > > debug
> > > > such issues? If I could have run my project with a
> > > > *DEBUG=keycloak-connect* environment
> > > > variable set and had logs such as those below it could have been
> helpful.
> > > >
> > > > I think it's also worth adding commented a line to the Node.js
> example(s)
> > > > with "trust proxy" set to "true", and a comment above explaining you
> need
> > > > to uncomment it if behind a reverse proxy. I'm not sure if the
> various
> > > Java
> > > > example(s) require a similar setting/comment.
> > > >
> > > > When I Googled I didn't find any hits in the Keycloak docs for
> "reverse
> > > > proxy" so might be worth a docs update too?
> > > >
> > > > keycloak-connect:protect - creating login url
> > > > keycloak-connect:protect - incoming request.protocol is "http"
> > > > keycloak-connect:protect - WARNING request.protocol is "http" but
> > > > "x-forwarded-proto"
> > > > is "https", "trust proxy" setting might be incorrectly set
> > > > keycloak-connect:protect - login url is $SOME_URL
> > > >
> > > > --
> > > >
> > > > Evan Shortiss
> > > >
> > > > Technical Marketing Manager
> > > >
> > > > Red Hat NA <https://www.redhat.com/>
> > > >
> > > > Los Angeles
> > > >
> > > > evan.shortiss at redhat.com
> > > > M: +1-781-354-2834     IM: evanshortiss
> > > > <https://www.redhat.com/>
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> > > --
> > >
> > > abstractj
> > >
> >
> >
> > --
> >
> > Evan Shortiss
> >
> > Technical Marketing Manager
> >
> > Red Hat NA <https://www.redhat.com/>
> >
> > Los Angeles
> >
> > evan.shortiss at redhat.com
> > M: +1-781-354-2834     IM: evanshortiss
> > <https://www.redhat.com/>
>
> --
>
> abstractj
>


-- 

Evan Shortiss

Technical Marketing Manager

Red Hat NA <https://www.redhat.com/>

Los Angeles

evan.shortiss at redhat.com
M: +1-781-354-2834     IM: evanshortiss
<https://www.redhat.com/>


More information about the keycloak-dev mailing list