[keycloak-user] Having a public and a private 'face' to Keycloak

Stian Thorgersen sthorger at redhat.com
Thu Sep 24 06:18:35 EDT 2015


In your backend services you should use
"auth-server-url-for-backend-requests" to specify the internal url of
Keycloak, and "auth-server-url" should be set to the external url. For more
details take a look at:
http://keycloak.github.io/docs/userguide/html/applicationClustering.html#relative-uri-optimization

On 24 September 2015 at 11:54, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:

> I, and others are having problems using this in the real world because of
> the 'identity' of Keycloak.
>
> I'm running Keycloak in a Docker(Rancher) container. Alongside it are my
> backend containers holding
> the internal components of the application. On top of the application is
> an nginx container containing
> an AngularJS application and proxying Angular's service calls to the
> backend container.
>
> The problem comes when I sit an external load balancer/SSL layer in front
> of the application. The
> user is now contacting the application on its external hostname in our
> DMZ. Authentication then has
> to be performed against Keycloak on a DMZ IP/URL. Easy enough to arrange,
> just use Nginx again
> as a proxy for Keycloak. This all works for the frontend and the user can
> log in.
>
> The problem occurs when the backend service containers try and validate
> the user token. They
> cannot do this directly to Keycloak inside the Docker ecosystem. All I get
> in that case is this
> token was issued by <external hostname:port> and you are presenting it to
> <internal hostname:port>
> (can't remember the exact wording).
>
> I can get this to work by getting my backend containers to authenticate
> against <external hostname>
> but that is creating traffic out of the docker LAN and back in again, not
> the most efficient way to
> do things.
>
> Would this be a good use case for Keycloak aliases? Then I can present a
> token issued by
> <external URL> to <internal URL> and Keycloak will understand that it was
> actually issued by
> itself under a different identity. Better still I could proxy Keycloak
> within the URL of the front-end
> application which would place the whole application; website, service and
> authentication under the
> one hostname.
>
>
> *Kevin Thorpe*
> CTO
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150924/323640c8/attachment.html 


More information about the keycloak-user mailing list