[keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)

Andrey Saroul andrey.saroul at gmail.com
Mon Dec 5 04:14:02 EST 2016


That's exactly the feature I've been looking for.
That will solve our problem with the reverse proxy.
I definitely vote for this feature to be implemented!

2016-12-05 11:57 GMT+03:00 Michael Furman <michael_furman at hotmail.com>:

> Dear Keycloak people,
>
> Please find below a suggestion that will allow the easiest integration of
> Keycloak behind an HTTPS reverse proxy.
>
> I suggest adding a new property to the Keycloak configuration: the
> client URL.
>
> Then Keycloak will use the property when generating tokens or
> metadata (instead of relying on the incoming HTTP request).
>
> This will allow using Keycloak over HTTP and using SSL only in the reverse
> proxy.
>
> An additional suggestion will allow configuring Keycloak to work behind a
> reverse proxy with Network Address Translation (NAT) (I have asked the
> question here http://lists.jboss.org/pipermail/keycloak-user/2016-
> November/008454.html).
>
> I suggest adding an additional new property to the Keycloak configuration:
> the internal client URL.
>
> Then Keycloak will use the property in org.keycloak.protocol.oidc.OIDCWellKnownProvider
> and will create the well-known configuration with internal and external IPs.
>
> Clients will use the well-known configuration and will be able to connect
> to Keycloak without any problems.
>
> What do you say about the suggestions?
>
> If you think it is good, I will be happy to implement and test it during our
> integration with Keycloak.
>
> Best regards,
>
>    Michael
>
>
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> on behalf of Gabriel Lavoie <
> glavoie at gmail.com>
> *Sent:* Wednesday, November 30, 2016 6:33 PM
> *To:* Andrey Saroul
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Keycloak behind 2 Nginx reverse proxies
> (HTTPS -> HTTP)
>
> Hi Andrew,
>      The answer is "it depends". When generating tokens or metadata,
> Keycloak uses the scheme://hostname:port/ that was used to access it to
> fill the different issuers/URLs. The same values must match in the client
> JSON file so the client can validate the source of the token.
>
> At the client level, this could be handled by having a custom translation
> step over the configuration that accepts both schemes and matches them to the
> issuer, not something that Keycloak seems to support natively last time I
> checked.
>
> Doing SSO through multiple aliases always has this sort of issue. This is
> usually something that should be avoided. Can you keep Keycloak HTTPS and
> your application HTTP in your internal network?
>
> Gabriel
>
> 2016-11-25 8:08 GMT-05:00 Andrey Saroul <andrey.saroul at gmail.com>:
>
> > We have an idea to isolate our application in our internal network so
> > that all communication in that network can go by HTTP.
> > So we've set up a public nginx server, which is responsible for
> > establishing HTTPS connections.
> > The public nginx server forwards requests to another nginx server in the
> > secured internal network, which in turn accesses Keycloak and WildFly by HTTP.
> > But this configuration is not working because of an invalid redirect issue.
> > In our client's JSON file we have to define auth-server-url with the HTTPS
> > scheme. When we try to specify HTTP, Keycloak no longer works.
> > So my question: is it possible to make things work by HTTP in the internal
> > private network and have HTTPS remain only for public access?
> > Any guidance will be appreciated.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Gabriel Lavoie
> glavoie at gmail.com
>
>
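As an added example that is not from the thread or from Keycloak's code, a small Python model of the issuer mismatch Gabriel describes (issuer derived from the scheme://host of the incoming request versus the client's fixed auth-server-url) and of the configured "client URL" property Michael proposes; the realm name, hostnames and paths are constructed.

```python
from typing import Optional

REALM = "demo"  # constructed sample realm name


def issuer_from_request(scheme: str, host: str, realm: str = REALM) -> str:
    """Behaviour described in the thread: the issuer is built from the
    scheme://host:port the request arrived with, so the internal HTTP hop and
    the public HTTPS hop yield two different issuers for the same realm."""
    return f"{scheme}://{host}/auth/realms/{realm}"


def issuer_from_fixed_base(public_base_url: str, realm: str = REALM) -> str:
    """Proposed 'client URL' property: derive the issuer from a configured
    public base URL and ignore how the request reached the server."""
    return f"{public_base_url.rstrip('/')}/realms/{realm}"


def well_known(issuer: str) -> dict:
    """Constructed subset of the OIDC discovery document a client fetches;
    every endpoint hangs off the issuer, so a wrong issuer poisons all of them."""
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/protocol/openid-connect/auth",
        "token_endpoint": f"{issuer}/protocol/openid-connect/token",
    }


def client_accepts_issuer(token_iss: str, auth_server_url: str,
                          realm: str = REALM) -> bool:
    """Adapter-side check: the token's iss must equal the issuer derived from
    the client's configured auth-server-url. Exact string match, so a scheme
    or port difference is a rejection, not a warning."""
    expected = f"{auth_server_url.rstrip('/')}/realms/{realm}"
    return token_iss == expected


def simulate(public_base_url: Optional[str] = None) -> dict:
    """The two hops from the thread: the internal nginx reaches Keycloak over
    plain HTTP, the public nginx is reached over HTTPS. Returns, per hop,
    whether the client accepts the issuer Keycloak would emit."""
    auth_server_url = "https://sso.example.com/auth"  # client JSON setting
    hops = {"internal": ("http", "keycloak.internal:8080"),
            "public": ("https", "sso.example.com")}
    results = {}
    for name, (scheme, host) in hops.items():
        iss = (issuer_from_fixed_base(public_base_url) if public_base_url
               else issuer_from_request(scheme, host))
        results[name] = client_accepts_issuer(well_known(iss)["issuer"],
                                              auth_server_url)
    return results


if __name__ == "__main__":
    print(simulate())                                # {'internal': False, 'public': True}
    print(simulate("https://sso.example.com/auth"))  # {'internal': True, 'public': True}
```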

